Symantec Global Internet Security Threat Report
| Rank 2009 | Rank 2008 | Attack | Percentage 2009 | Percentage 2008 |
|---|---|---|---|---|
| 1 | 2 | PDF Suspicious File Download | 49% | 11% |
| 2 | 1 | Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness | 18% | 30% |
| 3 | N/A | Microsoft Internet Explorer 7 Uninitialized Memory Code Execution | 6% | N/A |
| 4 | 6 | Microsoft Internet Explorer MS Snapshot ActiveX File Download | 4% | 5% |
| 5 | 4 | Adobe SWF Remote Code Executable | 3% | 7% |
| 6 | 14 | Microsoft Internet Explorer Malformed XML Buffer Overflow | 3% | 1% |
| 7 | 5 | Microsoft Internet Explorer DHTML CreateControlRange Code Executable | 3% | 6% |
| 8 | 20 | Microsoft Internet Explorer WPAD Spoofing | 3% | 1% |
| 9 | N/A | Microsoft MPEG2TuneRequestControl ActiveX Buffer Overflow | 2% | N/A |
| 10 | N/A | Microsoft MPEG2TuneRequestControl ActiveX Instantiation | | |

Table 3. Top Web-based attacks
Source: Symantec
Many of the vulnerabilities observed through Web-based attacks in 2009 have been known and patched for some time. For example, the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness[17] was published on August 23, 2003, and fixes have been available since July 2, 2004, yet it remains the second-ranked Web-based attack. This is likely because of the use of Web attack kits like Fragus,[18] Eleonore,[19] and Neosploit.[20] These kits come bundled with a variety of different exploits, including some exploits for older vulnerabilities. Because an older vulnerability is likely to be included in more kits, it will probably be seen in more attacks than many of the newer vulnerabilities. These exploit and attack kits are often used in conjunction with some of the crimeware kits available in the underground economy, as is discussed in the next section.
Lowering the bar
A crimeware kit is a toolkit that allows people to customize a piece of malicious code designed to steal data and other personal information. The Zeus[21] kit can be purchased for as little as $700, but can also be found for free on some forums.[22] These kits can be bought in the underground economy and on various Web forums. Crimeware kits like Zeus make it easier for unskilled attackers to compromise computers and steal information.[23] These kits allow anyone who buys them to customize them to their own needs. In 2009, Symantec observed nearly 90,000 unique variants of the basic Zeus toolkit, and it was the second most common new malicious code family observed in the APJ region during this time.
Variants of the Zeus kit use spam to lure users to a website that uses social engineering or that exploits a Web browser vulnerability to install the bot on a victim’s computer. The bot then allows remote access to the computer and can be used to steal information such as the user’s online banking credentials. Each bot can then be used to send additional spam runs to compromise new users.
[17] http://www.securityfocus.com/bid/10514/discuss
[18] http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23391
[19] http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23481
[20] http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23588
[21] http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
[22] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf : p. 1
[23] http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits