18 Jan 2011
Nearly two-thirds of web-based threats last year were caused by attack toolkits, bundles of malicious software which have significantly lowered the bar to entry for new cyber criminals, according to the latest research from Symantec.
The security firm's mid-term threat report, Attack Toolkits and Malicious Web Sites (PDF), charts the history of exploit kits, from their origins in the early 1990s when they enabled viruses and Trojans like the Kournikova worm, to sophisticated modern examples such as ZeuS.
Symantec senior manager Orla Cox explained that there are two main types of attack toolkit. The most popular is the sort that allows cyber criminals to set up a web site hosting any number of exploits which will drop onto a user's machine if they visit that site.
"The goal here is pay-per-install schemes, using the toolkits to drop malware like fake anti-virus onto the machines so they get paid every time," she said.
The second type of kit allows criminals to create their own malware, such as ZeuS, but requires a hosting site or another way to get it onto users' computers.
The danger of both, however, is that they have extensively democratised the means to launch attacks and make money out of cyber crime, said Cox.
Toolkits have grown hugely in demand over the period studied, trading online on the underground market for as much as $8,000 (£5,000), although many are available pirated for free, indicating their increasing popularity.
Another sign of their growing sophistication and danger to global internet security is that most kits are easily updated, meaning that they can be targeted to exploit the latest zero-day vulnerabilities.
"We've seen the creation of kits which offer add-on services. Just like traditional anti-virus they're useless without their updates, so the [creators] will update them to target new vulnerabilities, and also offer aftercare services," said Cox.
Symantec urged companies to keep up to date with vendor patches, limit the use of browser plug-ins, which are favourite targets for toolkits, and employ anti-virus, intrusion prevention and web reputation technologies to block threats.