The “Web Attacker” Toolkit
The “web attacker” toolkit is a “bundled” hack tool used to quickly upload a series of client-side (browser) exploits to a web server. The intent is to lure victims to the now malicious server, identify the web browser in use, and present that browser with the matching exploit to infect it with spyware or malware.
Websense Corporation has quite a detailed write-up on this attack vector, and since it seems to have become the attack method of choice, it really warrants a good reading.
Websense Security Labs is seeing large increases in drive-by installations of malicious code that is hosted on websites that are using the Web Attacker Toolkit. When a user visits one of the nearly 1000 sites that are being used to run code without user intervention, a Trojan Horse is downloaded and run. It can log keystrokes, download additional code, or open backdoors on the user’s machine.
The kit is being sold on the Internet for as little as $20 and can be purchased and downloaded from a website hosted in Russia (see http://www.theregister.co.uk/2006/03/27/spyware_diy/). The Web Attacker tool also includes a nice graphical interface and an instructional manual to assist in configuring your server for the exploit. Along with that are details about which anti-virus engines cannot detect it, and how it works.
The kit has the ability to detect the visiting user’s browser through the user agent and will serve one of seven different exploits based on the browser settings. It includes exploits for a number of different browsers and browser versions.
What is also interesting is that the websites that are hosting the malicious code also include a statistics page that shows the number of infected clients, percentage of clients that have been infected, and a breakdown by country, Operating System, and browser.
As you can see from the screenshot below, the percentage of successful infections is quite high. On average we are seeing between 3% and 13% overall success rate. It is also interesting to notice the large number of machines that are not patched for older exploits. The statistics also show a column called “zero-day”. These exploits are not zero-days anymore, because Microsoft has patched them; however, this remains the largest percentage of infections.
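The behaviour the Websense excerpt describes above, serving a different payload depending on the visiting browser's User-Agent, leaves a footprint that a defender can look for in outbound web proxy logs: a single URL that returns one fixed response size to every Internet Explorer client, a different fixed size to every Firefox client, and so on, while ordinary pages return the same content regardless of browser. The following script is an added example written for this page, not code from the original post or from Websense; the log format, the hostname example.test, the paths and the byte counts are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post). Format, assumed for this
# example: timestamp client "User-Agent" METHOD url status bytes
SAMPLE_LOG = """
2006-03-27T10:01:02 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" GET http://example.test/counter.php 200 4120
2006-03-27T10:01:09 10.0.0.8 "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060120 Firefox/1.5" GET http://example.test/counter.php 200 2875
2006-03-27T10:01:15 10.0.0.9 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" GET http://example.test/counter.php 200 4120
2006-03-27T10:01:20 10.0.0.12 "Opera/8.54 (Windows NT 5.1; U; en)" GET http://example.test/counter.php 200 3310
2006-03-27T10:02:01 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" GET http://example.test/news.html 200 15990
2006-03-27T10:02:05 10.0.0.8 "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060120 Firefox/1.5" GET http://example.test/news.html 200 15990
2006-03-27T10:02:30 10.0.0.12 "Opera/8.54 (Windows NT 5.1; U; en)" GET http://example.test/news.html 200 15990
2006-03-27T10:03:00 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" GET http://example.test/search.php 200 7000
2006-03-27T10:03:02 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" GET http://example.test/search.php 200 7450
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<ua>[^"]*)" (?P<method>\S+) '
    r'(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def ua_family(ua):
    """Coarse browser family from a User-Agent string.

    Opera is checked first because it could identify itself with an
    'MSIE' compatibility string, which would otherwise be misclassified.
    """
    if "Opera" in ua:
        return "opera"
    if "MSIE" in ua:
        return "msie"
    if "Firefox" in ua:
        return "firefox"
    return "other"


def find_ua_cloaking(lines, min_families=2):
    """Flag URLs whose successful responses have a fixed size per browser family
    but differ between families: the signature of content chosen by User-Agent.

    Returns {url: {family: response_size}} for flagged URLs only.
    """
    sizes = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        sizes[rec["url"]][ua_family(rec["ua"])].add(rec["bytes"])

    flagged = {}
    for url, per_family in sizes.items():
        if len(per_family) < min_families:
            continue  # seen by one kind of browser only; nothing to compare
        # Every family must be self-consistent (exactly one size seen) ...
        if not all(len(s) == 1 for s in per_family.values()):
            continue  # varies per request, so it is just a dynamic page
        # ... and the families must not all agree on that size.
        distinct = {next(iter(s)) for s in per_family.values()}
        if len(distinct) > 1:
            flagged[url] = {fam: next(iter(s)) for fam, s in sorted(per_family.items())}
    return flagged


if __name__ == "__main__":
    for url, by_family in find_ua_cloaking(SAMPLE_LOG.strip().splitlines()).items():
        print(url, by_family)
```

On the constructed sample only counter.php is flagged: it hands a different, but per-browser constant, response to IE, Firefox and Opera, whereas news.html is identical for everyone and search.php varies between two requests from the same browser. The heuristic is a triage aid rather than proof; sites that legitimately tailor markup per browser will trip it, so hits are a prompt to pull the actual responses and patch status of the affected clients, not a verdict on their own.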
If you ever wondered how you got spyware or malware on your PC, and you haven’t installed anything recently that may be the culprit, this is how it probably happened.