Cybercrime attack "toolkits" have over the past few years become more accessible and are now used in the majority of internet attacks, according to a new report from Symantec.
Also called “crimeware”, attack toolkits are bundles of malware used to facilitate the launch of attacks against networked computers, according to the report. These kits generally include malicious code for exploiting vulnerabilities in multiple applications and technologies, as well as tools to customise, deploy and launch widespread attacks.
Between July 2009 and June 2010, 61 percent of the web-based threat activity detected by Symantec was attributable to such kits, the report states.
“Attack kits are significantly advancing the evolution of cybercrime into a self-sustaining, profitable and increasingly organised economic model worth millions of dollars,” the report states.
The kits are also enabling those without technical hacking sophistication to engage in cybercrime, according to Symantec.
“In the past, hackers had to create their own threats from scratch,” Stephen Trilling, senior vice president of Symantec Security Technology and Response, said in a statement. “Today's attack toolkits make it relatively easy for even a malicious novice to launch a cyberattack. As a result, we expect to see even more criminal activity in this area and a higher likelihood that the average user will be victimized.”
The popularity of such attacks has ratcheted up the price of crimeware, according to the report. The popular toolkit WebAttacker sold for US$15 on the underground economy in 2006. In comparison, Zeus 2.0, the so-called “king of malicious code kits,” came with a price tag of US$8,000 in 2010.
Attack kits are often sold on a subscription-based model with regular updates, and some even come with support services, the report states. Cybercriminals advertise and rent access to the kits and use anti-piracy tools to ensure attackers cannot use the tools without paying.
The most prevalent attack toolkit is MPack, which was first released by a group of Russian developers in 2006. It uses IFRAME injections to launch attacks and is often copied and redistributed on the underground market, according to the report.