The creators of the Siberia Exploits Kit have recently given it an update that lets attackers tune their malware so that it evades signature-based antivirus engines and stays undetected longer on infected systems.
The new automated features in Siberia let attackers test how well their malware evades signature-based antivirus engines before deploying it. The testing goes through a service called Scan4you, which, unlike public multi-engine scanners, does not report the submitted samples to security vendors.
Researchers at UK-based M86 Security, who recently noted the changes, said the update brings Siberia more in line with its more popular competitors, including the Eleonore Exploit Kit, which cybercriminals can buy on various underground hacker forums. Toolkits like Siberia and Eleonore sell for as little as $300, and for up to $1,500 for a package that includes software updates and additional modules such as encryption, said Ed Rowley, a product manager at M86 Security.
"Siberia is another exploit kit catching up to some of its competitors in what is quite a busy market space," Rowley said. "We frequently suspect that it is the same criminal gangs at it as they sell off their toolkits using a channel of resellers."
Siberia first surfaced in 2009 and shares many characteristics with the now-defunct Napoleon Exploit Pack. It has been used in a variety of attacks against specific targets in Europe, South America and Asia.
Scan4you, the antivirus and URL-filtering check service that Siberia uses, works much like the VirusTotal service the public can use to check malware samples, except that it keeps the samples away from security vendors. Scan4you charges about 15 cents to check each sample against more than two dozen antivirus engines. Rowley said using Scan4you is still a fairly manual process, but it improves the success rate of malware campaigns by letting attackers weed out the samples that traditional signature-based technologies already detect.
Nearly all the toolkits on the market provide detailed reports on a campaign's success rate, which lets attackers run more targeted campaigns. A recent attack on UK computer users in July targeted the customers of a specific bank, Rowley said.
Researchers have been studying the techniques exploit kits use to evade detection. The Phoenix Exploit Kit is an example of the growing sophistication of the automated toolkits, Rowley said. Phoenix, which also surfaced in 2009, can sidestep URL filtering services by giving its owner the option to check whether a malicious domain has already been blacklisted by malware researchers at security vendors. Phoenix also offers its users a paid service to re-encrypt an exploit once an antivirus vendor has started detecting the file.
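The two mechanisms described above, weeding out samples that multi-engine scanning flags and re-encrypting a payload once a vendor detects it, both exploit the same weakness of byte-signature matching. The following Python is an added illustration, not code from the article or from any of the kits it names: the "engines", their signatures, the payload bytes and the `XORSTUB1` packer format are all constructed stand-ins. It shows that re-keying the encryption produces a new file hash and removes every payload signature while the plaintext is unchanged, and it shows the two checks a defender still has: scanning the decrypted content (what an emulator or memory scan sees) and signing the packer's constant stub instead of the polymorphic body.

```python
import hashlib
import os

# Constructed, hypothetical byte signatures for three imaginary engines.
# Real engines use far richer logic; this is enough to show the mechanism.
PAYLOAD_SIGNATURES = {
    "EngineA": b"GetProcAddress",
    "EngineB": b"cmd.exe /c ",
    "EngineC": b"\x90\x90\x90\x90\xeb",
}

# Constructed stand-in for a malicious payload body (not a real exploit).
PAYLOAD = (
    b"\x90\x90\x90\x90\xeb\x10"       # fake NOP sled + short jump
    b"GetProcAddress\x00"              # API name string
    b"cmd.exe /c echo hello\x00"       # command string
    b"\x00" * 16                       # padding
)

# Constant prologue our toy crypter emits in front of every variant.
STUB_MAGIC = b"XORSTUB1"
STUB_SIGNATURES = {"EngineD_stub": STUB_MAGIC}


def scan(sample: bytes, signatures=PAYLOAD_SIGNATURES) -> list[str]:
    """Byte-signature engine: return the engines whose pattern occurs in sample."""
    return sorted(name for name, sig in signatures.items() if sig in sample)


def repack(payload: bytes, key: bytes) -> bytes:
    """Simulate a crypter: stub | key length | key | XOR-encrypted payload."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MAGIC + bytes([len(key)]) + key + body


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: recover the plaintext payload."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("not a packed sample")
    klen = blob[len(STUB_MAGIC)]
    start = len(STUB_MAGIC) + 1
    key = blob[start:start + klen]
    body = blob[start + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def sample_hash(blob: bytes) -> str:
    """Hash-based blacklists see a brand-new file after every re-key."""
    return hashlib.sha256(blob).hexdigest()


def find_undetected_variant(payload: bytes, tries: int = 50):
    """The 'test, then weed out detected samples' loop the article describes:
    re-key until no payload signature fires. Returns (blob, attempts)."""
    for attempt in range(1, tries + 1):
        blob = repack(payload, os.urandom(8))
        if not scan(blob):
            return blob, attempt
    return None, tries


def scan_unpacked(blob: bytes) -> list[str]:
    """Defender's counter 1: scan what the stub decrypts, not the file bytes."""
    return scan(unpack(blob))


def scan_stub(blob: bytes) -> list[str]:
    """Defender's counter 2: sign the invariant packer stub."""
    return scan(blob, STUB_SIGNATURES)


if __name__ == "__main__":
    print("plaintext flagged by:", scan(PAYLOAD))
    variant, n = find_undetected_variant(PAYLOAD)
    print(f"clean variant after {n} re-key(s), sha256 {sample_hash(variant)[:16]}...")
    print("file-byte scan:", scan(variant))
    print("scan after unpack:", scan_unpacked(variant))
    print("stub scan:", scan_stub(variant))
```

The lesson for the defender is the one Rowley alludes to: a signature on the payload bytes is only good until the next re-encryption, whereas detection that looks at decrypted content or at the crypter's stable parts survives the re-key loop.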
"Signature-based engines tend to be broadly catching malware, but unfortunately it's quite after the fact," Rowley said. "It's getting more difficult to keep up with their evasion techniques."