One-in-four hackers runs Opera to ward off other criminals

Security firm bamboozles hacker toolkit operators into divulging info

Hackers using multi-exploit attack "toolkits" take defensive measures of their own against other criminals, a security researcher said today.

"Exploit kit operators do use mainstream browsers, but they're much more likely to use Opera than the average user, because they know that the browser isn't targeted by other hackers," said Paul Royal, a principal security researcher with Atlanta-based Purewire.

While the most generous Web measurements peg Opera, a browser made by Norwegian company Opera Software, at a 2% share of the global market, 26% of the hackers who Purewire identified use the far-from-popular application.

Because of its small market share, few hackers bother to unleash exploits for Opera vulnerabilities, said Royal.

Purewire obtained this insight, and others, by infiltrating hackers' systems using a bug in the analytics software included with a pair of hacker toolkits, notably one dubbed "LuckySploit," said Royal. "We forged a 'refer' field and put in a little JavaScript," he explained, "and that revealed the hackers to us via their IP addresses."

Out of 51 exploit kit-using hackers, Purewire's tactic successfully identified the IP addresses of 15, as well as the browsers they ran. "We essentially did a code audit," said Royal. "Even criminals who attack others cannot architect reliable software," he added, talking about the vulnerabilities in the toolkits.

Most multi-strike attack kits, including LuckySploit, serve up a grab bag of exploits, including code that leverages vulnerabilities in Microsoft's Internet Explorer (IE), in ActiveX controls that IE uses, and in Adobe's Flash Player and Reader.

Criminals also try to hide from law enforcement by distancing themselves from the servers that host their exploit kits, said Royal. Of the 15 hackers Purewire identified, only two -- both with IP addresses traced to Latvia -- resided in the same country that also hosted the system containing their attack kit.

Most had at least one country between where they lived and where their malware-serving machine was located.

"This is a first stab," Royal said when asked what value could be placed on the information Purewire rooted out. "If we can discover the IP addresses of exploit kit operators, we can then turn that over to law enforcement."

Exploit toolkits are a prominent weapon in hacker arsenals, especially for "drive-by" attacks launched when unwary users are tricked into visiting Web sites by spam. Last month, for example, thousands of legitimate, but compromised, sites served up a multi-strike kit that included an exploit of a then-unpatched vulnerability in a Microsoft-made ActiveX control.

Tags operaweb browserssecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?