> Enterprise > Security Response > Internet Security Threat Report > View the Report > Threat Activity Trends

Threat Activity Trends

Threat Activity Trends | Spam and Fraud Activity Trends | Malicious Website Activity | Analysis of Malicious Web Activity by Attack Toolkits | Analysis of Web-based Spyware and Adware Activity | Analysis of Web Policy Risks from Inappropriate Use | Analysis of Website Categories Exploited to Deliver Malicious Code | Bot-infected Computers | Analysis of Mobile Threats | Data Breaches that Could Lead to Identity Theft

Analysis of Malicious Web Activity by Attack Toolkits


The increasing pervasiveness of Web browser applications, along with increasingly common, easily exploited Web browser application security vulnerabilities, has resulted in the widespread growth of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Symantec analyzes attack activity to determine which types of attacks and attack toolkits attackers are utilizing. This can provide insight into emerging Web attack trends and may indicate the types of attacks with which attackers are having the most success.


This metric assesses the top Web-based attack activity originating from compromised legitimate sites and intentionally malicious sites set up to target Web users in 2011. To determine this, Symantec ranks attack activity by the volume of associated reports observed during the reporting period. The top 10 Web-based attack activities are analyzed for this metric.


Figure A.9. Malicious website activity: Attack toolkit trends, 2011. Source: Symantec
Figure A.10. Malicious website activity: Overall frequency of attack toolkits, 2011. Source: Symantec


Web-based client side exploit toolkits, or web-kits, have been around since about March of 2006 with the release of WebAttacker. For some time, these web-kits expanded their list of targeted victim software, but existed with essentially the same business model; nefarious users could purchase the attack kit and use it to build their hijacked computer networks. Once the market was established, prices steadily increased from WebAttacker’s $15 (USD) price tag on into the $1,000 (USD) range. The market existed in this fashion, with the web-kits including ever more exploits, and ever more IPS (Intrusion Prevention Systems) evasion techniques until about 2009 when web-kits began to be sold as a service, or simply kept as private.
Since this time, web-kit taxonomy has been much more difficult. Often Symantec will find new web-kits in operation in the field, with little to no concrete evidence of which web-kit it is a variant of. Gone are the days when a login, or stats page would be installed at a known location revealing the web-kit name, and version. The analyst is required to rely on techniques such as comparing core similarities, install bases and methods in order to determine whether a new web-kit may be a strain of an existing one.
Users are often targeted by Web exploitation kits in either of two main ways; targeted, or broadcast, sometimes referred to as sniper and shotgun:
Targeted attacks begin with the attacker selecting a specific victim, or type of user they would like to target. Associated emails, Instant Messages, blog-posts, etc. are then created to entice the target audience to infected content. This infected content will effectively be a redirection from an otherwise benign Web page or email to an attack site. Such attack sites will typically then launch a drive-by attack against the victim.
Broadcast attacks, on the other hand, typically begin with an attack against a broader body of websites. This may come in the form of SQL Injection, Web software compromise, or server vulnerability exploitation. Each of which has the goal of inserting a redirection URL into the content on that webserver. Once successful, each subsequent visitor will be served the attack kit.

Public vs. Private web-kits

Symantec has seen a variety of web exploit kits sold in the public for several years now. Some are offered as a buy outright, service contract, or license models. Other web-kits on the other hand appear to remain private for their lifetime. In these cases, it is likely that the operators are either selling infected machines, or more likely using the infected machines in house.
Web-kits are interesting because of their level of maintenance. An unmaintained web-kit version, or attack site would be of little threat as it would be defeated by even rudimentary security measures. Above is a chart in figure A.10, highlighting some of the major web-kits that have been maintained regularly for a length of time and were active in 2011. Some of these are kits that either are, or at least once were publicly available for sale, or rent, and some others that appear to have been privately operated for their duration. Whilst these can be tracked, and protection can be provided against the evolution of the attack kit, it is not always possible to know by what name the maintainers have given to these kits. For these, Symantec has assigned internal placeholder names.
For example, the private kit that Symantec has been tracking as NumDir internally came by this name because although deployed on several different attack servers, each new version was installed into a fixed, named numeric directory. This kit has been around since at least mid-2010 and has been maintained on a regular basis since this time with only brief interruption. It is not unusual for Symantec to be blocking between 50,000 and 120,000 attacks from it per day.
At the other end of the spectrum are public kits like Blackhole. Owing to its once public nature, Blackhole is tracked by many security researchers. Similarly, it is updated approximately every couple of days, and Symantec blocks in the order of 100,000 to 220,000 attacks using Blackhole each day. The large periodic fluctuations in the number of attacks appear to be a product of the attack waves themselves, as well as the rate at which our users encounter them.
The variety of public and seemingly private exploit kits does not lend itself to universal taxonomy, and while web-kits such as Blackhole, Incognito, and Phoenix are understood to be the names that their authors use, Symantec has been tracking kits such as NumDir, and DoubleSemi, using simple names derived roughly from attributes in the attack encodings.


The malware installed via a web-kit infection is frequently comprehensive, and includes various Peer-to-peer and IRC bots, rootkits, and misleading apps. Web-kits have been a major contributor to several pervasive malware families, including Qakbot, Bredolab, TidServe, ZeroAccess, Bamital, Zeus, Waledac, Zlob, Virut, Sasfis, Bank-stealing Trojans, Sality, Vundo, MebRoot, KoobFace and CycBot. For more information on these malware families, please visit
One of the more problematic malware systems recently has been ZeroAccess3. It has been observed being delivered over DoubleSemi, Blackhole, and Phoenix.