Internet Security Threat Report Government 2013
Symantec Corporation<br />
Internet Security Threat Report <strong>2013</strong> :: Volume 18<br />
VULNERABILITY TRENDS<br />
Web Attack Toolkits<br />
Background<br />
Web attack toolkits are collections of scripts, often PHP files,<br />
that are used to create malicious websites which use<br />
Web exploits to infect visitors. There are a few dozen known<br />
families used in the wild. Many toolkits are traded or sold on<br />
underground forums for US$100-1,000. Some, such as the<br />
Blackhole and Eleonore toolkits, are actively developed, with<br />
new vulnerabilities added over time; both added exploits<br />
for a variety of vulnerabilities during 2012.<br />
Each new toolkit version released during the year was<br />
accompanied by increased malicious Web attack activity.<br />
As a new version emerges that incorporates new exploit<br />
functionality, we see an increased use of it in the wild, as<br />
attackers make as much use of the new exploits as they can<br />
until potential victims have patched their systems.<br />
Since many toolkits often use the same exploits, it is often<br />
difficult to identify the specific attack toolkit behind each<br />
infection attempt. On average, an attack toolkit contains around<br />
10 different exploits, mostly focusing on browser-independent<br />
plug-in vulnerabilities found in applications such as Adobe<br />
Flash Player, PDF viewers, and Java. In general, older exploits<br />
are not removed from the toolkits, since some systems may still<br />
be unpatched. This is perhaps why many of the toolkits still<br />
contain an exploit for the old Microsoft MDAC RDS.Dataspace<br />
ActiveX Control Remote Code Execution Vulnerability (BID<br />
17462) from 2006. The malicious script will test all possible<br />
exploits in sequence until one succeeds. This may magnify the<br />
attack numbers seen for older vulnerabilities, even if those<br />
attempts were unsuccessful.<br />
For more information on Web attack toolkits, please read<br />
Appendix A: Threat Activity Trends: Analysis of Malicious Web<br />
Activity by Attack Toolkits.
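
The counting effect described above, where a toolkit tries each exploit in sequence and inflates the numbers for older vulnerabilities, can be seen by grouping detections into visits. This is an added example, not part of the report and not Symantec's counting method; the event format, signature labels, addresses, host names and the 30-second window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample detections: (timestamp, client, serving host, signature label).
# Labels are illustrative, not real product signature IDs.
EVENTS = [
    ("2012-10-01T10:00:00", "10.0.0.5", "landing.example", "MDAC RDS.Dataspace (BID 17462)"),
    ("2012-10-01T10:00:01", "10.0.0.5", "landing.example", "Flash Player exploit"),
    ("2012-10-01T10:00:02", "10.0.0.5", "landing.example", "Java exploit"),
    ("2012-10-01T10:05:00", "10.0.0.9", "landing.example", "MDAC RDS.Dataspace (BID 17462)"),
    ("2012-10-01T10:05:01", "10.0.0.9", "landing.example", "PDF viewer exploit"),
    ("2012-10-01T11:30:00", "10.0.0.5", "other.example", "Java exploit"),
]


def group_visits(events, window=timedelta(seconds=30)):
    """Merge detections for the same (client, host) into one visit when each
    detection follows the previous one within `window` (assumed threshold)."""
    visits = []
    last = {}  # (client, host) -> (time of last detection, visit it belongs to)
    for ts, client, host, sig in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (client, host)
        prev = last.get(key)
        if prev and t - prev[0] <= window:
            visit = prev[1]
        else:
            visit = {"client": client, "host": host, "signatures": []}
            visits.append(visit)
        visit["signatures"].append(sig)
        last[key] = (t, visit)
    return visits


def summarize(events):
    """Compare raw detection counts with the number of distinct visits."""
    visits = group_visits(events)
    hits = Counter(sig for v in visits for sig in v["signatures"])
    return {
        "raw_hits": sum(hits.values()),
        "visits": len(visits),
        # Several different exploits against one client in one visit is the
        # sequential-testing pattern the report describes.
        "toolkit_like_visits": sum(1 for v in visits if len(set(v["signatures"])) > 1),
        "hits_per_signature": dict(hits),
    }


if __name__ == "__main__":
    print(summarize(EVENTS))
```

On the constructed data, six raw detections collapse into three visits, and the 2006 MDAC signature fires in both multi-exploit visits even though every attempt is only one stage of the same sequence.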