In-Depth

The Emerging Crimeware Market

The availability and sophistication of crimeware kits has contributed to the rapid evolution -- as well as the increasing sophistication -- of cybercrime itself.

A new report from security specialist Symantec Corp. depicts a booming market in cybercrime attack kits (aka, "crimeware") that has helped fuel an explosion in cybercriminal activity.

Symantec researchers note how anyone with the means (or the know-how) can easily acquire a crimeware kit and start cracking.

This is just one of the key points from Symantec's new Report on Attack Kits and Malicious Websites -- viz., the existence of a thriving "underground economy" in which attack kits, stolen information, and cracking skills are offered for sale. "These kits are advertised and sold in the online underground economy -- a black market of servers and forums where cybercriminals advertise and trade stolen information and services," write Symantec researchers.

Most alarming of all is Symantec's contention that the availability and sophistication of crimeware kits has likewise contributed to the rapid evolution -- as well as the increasing sophistication -- of cybercrime itself.

"[A]ttack kits are significantly advancing the evolution of cybercrime into a self-sustaining, profitable, and increasingly organized economic model worth millions of dollars," Symantec researchers explain.

Attack kits are nothing new, of course: as far back as 17 years ago, a mischievous person with knowledge of the warez-trading underground could acquire a virus toolkit without much difficulty.

The crimeware kits of today are a very different proposition, according to Symantec. "Although rudimentary exploit kits were used in attacks as far back as 1992, Symantec has detected significant growth in the development, sale, and use of highly sophisticated attack kits in the threat landscape in the past few years," researchers indicate. "While some of these kits have relatively simple capabilities -- containing limited exploits that target a specific program or operating system -- many kits are considerably more robust and include a number of tools with multiple exploits that target a range of applications across various operating systems."

It's a situation that's only going to get worse, according to the report.

"With the growing ability of these kits to generate profitable attack campaigns, there are regular releases of increasingly robust and sophisticated kits that are yet relatively easy to use," researchers claim, citing the seminal MPack attack kit that debuted in 2007. "When MPack first appeared … it represented a new model for kits. Not only did it allow its users to exploit website visitors through Web browser vulnerabilities, but in some cases the kit was also reportedly being sold for $1,000 -- with the purchase even including a one-year support contract."

In addition to support, cybercriminal entrepreneurs offer a host of additional pay-for-use services. "A range of secondary services has evolved to provide additional support and profit-seeking ventures for users of these kits," the report indicates, noting that attack kits -- like their legitimate software counterparts -- are increasingly being offered on a subscription basis, complete with maintenance updates and complementary (pay-for-use) components.

"This modular capacity also lets attackers stay current with new exploits for the latest vulnerabilities and attack techniques that can be added to the kit as the threat landscape evolves," Symantec observes. "Many of these kits also include what amounts to customer support services. Symantec has also observed advertisements offering to help install and set up purchased attack kits for a fee."

Researchers draw a particularly worrying conclusion.

"In the past, many cybercriminals also operated alone or in smaller groups. They were also more likely to be computer programmers who used their skills for illegal purposes. However, kits allow those experienced with organized criminal schemes to enter a new market without the need to obtain advanced programming skills or hire those with that skill set," they write.

Must Read Articles