Researchers warn of 'Cool' exploit platform

Users are being warned of the emergence of a new and popular malware exploit kit, dubbed 'Cool', which allows an attacker to remotely target security vulnerabilities in order to perform 'drive by' malware installations.

Researchers said that in addition to serving up attacks, the tool is also able to perform more sophisticated functions, including scanning for browser and operating system and detecting potentially vulnerable plug-ins.

According to F-Secure researchers Karmina Aquino and Timo Hirvonen, Cool bears a strong resemblance to another popular malware exploit platform. The duo noted that a number of the attack targets, techniques and updates displayed by Cool match that of the dubious Blackhole kit.

The researchers pointed out that when new vulnerabilities are disclosed, Blackhole and Cool often show updates at similar times and target many of the same vulnerable components and versions.

"With all these 'differences', it appears that Cool and Blackhole are more than just a tiny bit related," the researchers said in a blog posting.

The F-Secure researchers also noted a resemblance between the two attack kits at the coding level, performing similar functions and operations when carrying out attacks. Aquino and Hirvonen noted that when attacking components such as Flash, the two kits even go so far as to use the same file names and code.

"It may be just us, but the version checks by the two kits are very much alike." the researchers explained.

"And when we checked out Cool's Flash exploits, we can't help but notice that it uses the same Flash filenames as seen from Blackhole version 1, which happen to exploit the same Flash vulnerabilities."

As the cybercrime market has grown, attack kits have become an increasingly popular tool for spreading malware. The kits can range from free platforms to highly-sophisticated premium attack platforms.