Tornado on the Loose 

Apr 22, 2008 10:24 AM

We have recently received a new Web exploit pack called Tornado that contains exploits for 14 vulnerabilities by default. The pack also contains the usual stats and admin pages; however, the greatest success of this pack appears to be how well it has stayed under the radar.

Firstly, let’s take a look at what is in the pack. When a user logs into the Tornado administration control panel, the statistics page is shown, as presented below. This page shows how successful an exploit campaign has been to date. It shows the number of visitors to the exploit pack and how many of those visitors were successfully exploited, which includes a breakdown by OS and by browser type.

Another page shows the exploits that are available to use. The user of the pack can select which exploits to enable or disable.

The user can also decide what action to take for different types of traffic. Shown below is the drop-down menu for repeat traffic. Generally exploit packs prefer to run only once for each IP address. A second visit from the same IP address is often viewed as suspicious. To deal with repeat visitors, the user of the pack can opt to redirect repeat visitors to various different pages.

The user can even opt to have repeat visitors see a message stating that the account has been suspended, in order to ease any suspicions the visitor may have:

“This Account Has Been Suspended
Please contact the billing/support department as soon as possible.”

It appears that traffic is directed to the pack via “hacked” Web pages. FTP logs included with the pack show this. The method for generating traffic for the exploit site was to log into legitimate FTP accounts using stolen credentials and search for all .html files. Whenever an HTML file was found, an iframe pointing to the Tornado pack was inserted into the page.

This is a common technique used by many packs. However, there did not appear to be a feature in the pack itself to check FTP sites (as there is in IcePack, for example). So a separate tool may have been used to insert the iframe via FTP, and this may not be a feature of the pack itself.
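A defender-side check for the injection described above, as an added example that is not part of the original post: it scans HTML files for iframes that are hidden (zero size or display:none) or that point to a host outside the site's own domains. The allowlist, the webroot path and the sample page with its `.invalid` host are constructed for illustration.

```python
"""Find injected iframes in HTML files (added example, not from the original post)."""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_tiny(value):
    # Injected frames are usually 0x0 or 1x1 pixels so the visitor sees nothing.
    return value.strip().rstrip("px") in ("0", "1")


def suspicious_iframes(html, allowed_hosts):
    """Return the src of each iframe that is hidden or points off-site."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""          # "" for relative URLs
        hidden = (is_tiny(attrs.get("width", "")) and is_tiny(attrs.get("height", ""))) \
            or bool(HIDDEN_STYLE.search(attrs.get("style", "")))
        offsite = bool(host) and host not in allowed_hosts
        if hidden or offsite:
            hits.append(src)
    return hits


def scan_webroot(root, allowed_hosts):
    """Walk a webroot (assumed path) and map each file to its suspicious iframe srcs."""
    findings = {}
    for path in Path(root).rglob("*.htm*"):
        hits = suspicious_iframes(path.read_text(errors="replace"), allowed_hosts)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample page: one legitimate frame, one injected 0x0 frame.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/video.html" width="640" height="480"></iframe>
<iframe src="http://exploit-host.invalid/in.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_PAGE, {"www.example.com"}))
```

Run `scan_webroot("/var/www", {"www.example.com"})` against a real webroot to get a per-file report; any hit is worth comparing against the last known-good copy of that file.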

From other log files that we have seen, this pack appears to have been operating in the wild for at least six months, possibly longer. For a pack to stay “unknown” for such a length of time shows that the sellers were careful who to distribute this pack to.

This pack uses the same business model as Neosploit does. The exploit pack will be bought by an “admin” who will set up accounts on his Tornado server for others to use. In this way the admin can rent/sell an exploit service rather than an exploit pack. (EaaS? Exploits as a service? ;) ) Perhaps this is why the code for this pack has stayed private for so long. Using this model, the creators of the pack can sell it to a few trusted customers at a higher price, rather than selling it to many untrustworthy customers and risking the code being released in the underground.

P.S. During testing, this exploit pack crashed the test browser without successfully delivering an exploit.

P.P.S. As stated above, this is not a new pack, but the code has only been publicly released recently. This pack was involved in a large iframe injection attack around October/November of 2007, and a quick search shows that the pack is still being used. A lot of results show a live infection from only five days ago.

Some people have confused this pack with the Neosploit exploit pack; however, the packs are significantly different. The most obvious difference is that Tornado is written in PHP, while Neosploit uses ELF binaries. Analyzing both packs should clear up the confusion and make it very clear which iframes can be associated with this pack as opposed to the Neosploit pack.

Another interesting point about this pack is that although the pack is Russian owned/written, many of the servers hosting Tornado are in China. Could this be due to RBN moving to China, as has been reported elsewhere?

*Thanks to senior engineer Adam Blaszczyk for info regarding this pack.
