Exploit packs — slick, prepackaged bundles of commercial software that attackers can use to booby-trap hacked Web sites with malicious software — are popular in part because they turn hacking for profit into a point-and-click exercise that even the dullest can master. I’ve focused so much on these kits because they also make it easy to visually communicate key Internet security concepts that otherwise often fall on deaf ears, such as the importance of keeping your software applications up-to-date with the latest security patches.
One of the best-selling exploit packs on the market today is called Crimepack, and it’s a kit that I have mentioned at least twice in previous blog posts. This time, I’ll take a closer look at the “exploit stats” sections of a few working Crimepack installations to get a better sense of which software vulnerabilities are most productive for Crimepack customers.
Check out the following screen shot, taken in mid-June from the administration page of a working Crimepack exploit kit that targeted mostly German-language Web sites. This page shows that almost 1,800 of the nearly 6,000 people who browsed one of the stable of malicious sites maintained by this criminal got hacked. That means some software component that 30 percent of these visitors were running either in their Web browsers or in the underlying Windows operating system was vulnerable to known software flaws that this kit could exploit in order to install malicious software.
Peering closer at the exploit stats, we see that one exploit was particularly successful: Webstart. This refers to a vulnerability in Java that Oracle/Sun patched in April 2010. Java is a powerful and widely deployed software package that many users aren’t even aware they have on their systems, let alone know they need to keep updated. (By the way, I got some serious flak for recommending that users who have no need for Java uninstall the program completely, but I stand by that advice.) As seen from the chart, this single Java flaw was responsible for nearly 60 percent of the successful attacks on visitors to these hacked sites.
Let’s have a look at another screen shot from a different, working Crimepack administration page:
This Crimepack kit was targeting primarily Web sites in South America, but once again we see the same Java Webstart flaw was the most popular exploit. According to the admin page above, 3,500 out of 16,971 (~21 percent) visitors were successfully attacked, and more than two-thirds were exploited due to this one Webstart flaw.
One other interesting feature built into Crimepack lets customers test various Web reputation services to discover whether any include their exploit sites:
I try to keep this blog updated with news about important security patches, but I simply cannot write about them all. If you want a simple way of staying updated on new software patches, I’d suggest downloading and installing the Personal Software Inspector tool from Secunia, which will scan your system and let you know which programs need updating. It also will periodically remind you about outdated programs, and includes direct links to the newest versions, so you don’t have to go hunting for download pages for all of the software products installed on your PC.