Vulnerability Trends

Vulnerability Trends | Total Number of Vulnerabilities | Zero-Day Vulnerabilities | Notable Zero-day Attacks | Web Browser Vulnerabilities | Web Browser Plug-in Vulnerabilities | Web Attack Toolkits | SCADA Vulnerabilities

Web Attack Toolkits

Web attack toolkits are a collection of scripts, often PHP files, which are used to create malicious web sites that will use Web exploits to infect visitors. There are a few dozen known families used in the wild. Many toolkits are traded or sold on underground forums for 100-1,000$ (USD). Some are actively developed and new vulnerabilities are added over time, such as Blackhole and Eleonore toolkits, which both added various Adobe Flash vulnerabilities during 2011.
Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.
Since many toolkits often use the same exploits, it is often difficult to identify the specific attack toolkit behind each infection attempt. On average, the attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities found in applications such as Adobe Flash , PDF viewers and Java . In general, older exploits are not removed from the toolkits, since some systems may still be unpatched. This is perhaps why many of the toolkits still contain an exploit for the old Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462) from 2006. The malicious script will test all possible exploits in sequence until one succeeds. This may magnify the attack numbers seen for older vulnerabilities, even if they were unsuccessful.
For more information on Web attack toolkits, please read Appendix A: Threat Activity Trends - Analysis of Malicious Web Activity by Attack Toolkits.