Finjan SecureBrowsing Uncovers Increased Crimeware Usage in August

The increased usage of crimeware toolkits by cybercriminals was forecasted by Finjan in its recently published quarterly and monthly reports.

Finjan SecureBrowsing is a leading browser plug-in that adds safety ratings to URLs of search results, Web 2.0 and other popular websites.

Finjan SecureBrowsing identified 10 different types of crimeware toolkits in August alone. These crimeware toolkits are being sold by hackers for only a few hundred dollars, and are being used by criminals on the web today.

August’s crimeware toolkit list includes the known MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit toolkits, as well as new toolkits such as random.js, vipcrypt, makemelaugh and dycrypt.

Each of these crimeware toolkits is being updated frequently to include recent exploits and new anti-forensic techniques that allow them to bypass and escape detection by traditional signature, reputation and URL based security products.

The dozens of versions for each of the crimeware toolkits provide the basis for hundreds of unique toolkits in use by cybercriminals today.

The dramatic increase in the use of these crimeware toolkits was forecasted in Finjan’s Malicious Page of the Month report for May 2007.

Finjan SecureBrowsing has also identified dozens of active criminals using these crimeware toolkits. As indicated in its Malicious Page of the Month report for July 2007, Finjan detected 58 criminals which have used the MPack toolkit to successfully infect over 500,000 unique users in a single month.

During August, Finjan SecureBrowsing alerted users to crimeware found on compromised financial and government sites as well as on many top-ranked portals and Web 2.0 sites.

On a single day during August, Finjan SecureBrowsing issued alerts on 300 MySpace unique profiles referencing potentially malicious content on profile layouts.

In addition, Finjan SecureBrowsing identified six active affiliation programs (iframedollar, iframebiz, iframe911, iframestat, Neon, Vera) that typically pay website owners for infecting their visitors with crimeware.

Such affiliation programs utilize the “iframe” method described in detail in Finjan’s Web Security Trends Report Q2 2007. Each affiliation program is present on hundreds of websites infecting their visitors for cash.

The prevalence of code obfuscation -- a technique commonly used to bypass traditional signature, reputation and URL based solutions that was predicted in Finjan’s Web Security Trends Report Q4 2006 -- is also on a constant rise. An analysis of the Finjan SecureBrowsing data indicates that more than 90% in the use of code obfuscation to infect end-user PCs with crimeware.