The arrest of the alleged distributor of the Blackhole kit has given rise to new ones
Cybercrime works pretty much the same way as a capitalism does: where there’s a need for a product or service, someone will try to fill it.
That’s one of the messages from Cisco Systems’ mid-year security report, which found that the arrest last fall in Russia of a hacker named “Paunch” allegedly behind the creation and sale of the BlackHole Exploit Kit has merely fostered the creation by hackers of new kits.
After the arrest 87 per cent amount of traffic from Blackhole exploit kits dropped, Levi Gundert, a technical lead with Cisco System , said in an interview.
“The problem is that once Blackhole went dark there was a void to fill,” he added. “We have seen an explosion of new exploit kit families with names like Fiesta, Rig and Stick competing with each other for share in the marketplace. They compete on price, customer service, and they are very difficult for us to track as researchers because there are so many of them.”
Cisco expects one of them will become the market sales leader among hackers.
The report is one of many issued regularly by security vendors looking at network traffic of their customers or pulled in anonymously from their network equipment. They all have one thing in common – the news is bad, the trend is the same: Malware creators are at least one step ahead of defences.
Things aren’t completely bad, Gundert said.
“If you patch and update Java, Flash, Silverlight, you’re not going to have problems with exploit kits because to date they only have exploited vulnerable applications
The problem for businesses, he admits, is they often can’t patch fast enough, and have to ensure the patch doesn’t break a mission-critical application.
For consumers there are free browser plug-ins consumers can use that allow user control over access to Java and deny unknown scripts to run.
But Gundert said organizations have to assume at some point their networks will be pierced. “I don’t think organizations should be myopically focused on prevention, because I think it’s an unattainable goal in many ways. They should be focused on rapid detection and shortening the remediation window … Stop worrying so much about wrapping the next firewall and securing the perimeter because there is no perimeter any more. It’s do you understand where your critical data is, and do you have smart detection in place, do you have smart people who know how to use the tools?”
Other highlights (or low points) of the report, which looked at network data from 16 multinational organizations include
–93 per cent of the companies had some DNS traffic requesting Internet destinations that were known malware sites;
–nearly 70 per cent of the companies had traffic issuing requests for Dynamic DNS Domains. This shows possible evidence of networks misuses or compromised with botnets using DDNS to alter their UP addresses to avoid detection. Few legitimate requests would seek dynamic DNS domains, Cisco (Nasdaq: CSCO) says;
–nearly 44 per cent of the companies had traffic issuing requests for sites and domains with devices that provide encryption services like SSL, VMP SFTP, FTP and FTPS used by malicious actors to encrypt data being pulled from the organization;
–unpatched Java is still the programming language most exploited by hackers. Java exploits rose to 93 per cent of indicators of compromise in May. The previous high point was 91 per cent last November;
–malvertising, which directs unwitting users who click on legitimate-looking ads to sites where their browsers will be infected, continues to be a problem. There are a number of syndicates that are able to insert their ads in advertising exchanges, he said. “Advertising exchanges so far have done a very poor job of ensuring the ads they’re serving up are benign,” Gundert said.
“We’ve talked to advertising exchanges about this, and seen that they have received requests from customers to insert these (redirect) ads at the very last minute with higher than normal prices per click and hoping they won’t do much due diligence in inspecting the ad content.”
It’s a “huge driver” for exploit kits, he said.
–creators of Distributed Denial of Services (DDoS) attacks continue to find new protocols that rely on UDP (user datagram protocol) to leverage amplification and reflection attackers. The latest is getting the cached list of clients requesting time from the NTP (network time protocol). There are “underlying deficiencies” in UDP that will continue to be targeted, Gundert said.