What do creators of a software application used by criminals do when their product gets so popular that it starts attracting worldwide attention? Simple; just declare themselves bankrupt and go underground until the hoopla dies. And then come back with a new version to make up for the lost business.
That's exactly what has happened with Neosploit - the most notorious and most advanced infection kit used by online criminals to infect computers with malware for extracting sensitive information remotely.
Neosploit first surfaced in the e-crime scene in 2007 and was sold undercover over the Internet through blogs and ICQ sites to online criminals. But unlike its infamous predecessors such as MPack, Icepack and WebAttacker, it was far more advanced. For instance, say experts, Neosploit could hunt out vulnerabilities in operating systems like Windows and Linux and launch attack codes automatically. Besides, it also had sophisticated statistical analysis and management tools.
This is why it gained popularity so rapidly: within a year, not only criminals but almost everyone concerned with online security was downloading it -- some for e-crime use, while others wanted to crack how it worked in order to take counter-offensive actions. Then, in an ironic twist, e-pirates started circulating pirated versions to cash in on its demand.
"Its notoriety even attracted the attention of many federal security agencies around the world that started tracking it to pin down its users," says Ian Amit, director of security research at the Tel Aviv-based information security company, Aladdin Knowledge Systems.
Scared by this attention, Neosploit's creators adopted a smart survival strategy. They announced on a website in July that Neosploit was facing financial problems due to a drought of orders and was going out of business.
According to RSA FraudAction Research Labs -- first to notice the announcement -- the creators said: "Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself."
The announcement also added, "We tried hard to satisfy our clients' needs during the last few months, but the support had to end at some point. Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time."
Interestingly, so convincing was that announcement that Computerworld, while reporting the shutdown, said Neosploit "has been retired from service by its criminal creators, most likely because it was priced too high compared to the competition."
"But in hindsight it seems it was just a clever tactic to escape attention because they were underground for just a few weeks," explains Amit who discovered in August that Neosploit was not only back in circulation, but had come out with an enhanced version called Neosploit 3.1.
It was indeed a smart move because no one in the security industry anticipated that a newer version of Neosploit would be doing rounds. "In fact, when newer attacks that contained the signature of Neosploit were noticed a few months back, even the largest of security vendors thought that it was some other new hacking software," says Amit.
Amit believes Neosploit's creators actually planned to create a newer version of Neosploit but, since they didn't want to attract any more attention, they simply went out of circulation for a while. "My guess is when they came back, they did it equally surreptitiously because the newer version of this software is not available for downloads through the earlier-used blogging or ICQ sites. Quite probably Neosploit 3.1 is selling through direct selling channels now," says Amit.
Neosploit's re-introduction is a truly notable instance of how the huge demand from the cybercrime world is forcing cybercriminals to come up with innovative strategies to beat the system. The profitability of developing newer versions in Neosploit's case not only compensated them for going underground and losing a few weeks' or months' business; it also allowed the infamous software to move from established but compromised distribution channels to others and still thrive, says Amit.
Nevertheless, now that Neosploit's resurfacing has been identified, it will be easier for the security industry to identify some of the unsolved attacks of the past few months and even predict newer attacks, says Amit.
Meanwhile, digging for the spoils of Neosploit 3.1 has led Amit to yet another significant discovery -- the existence of the biggest organized e-crime operation ever. But that's another story which I will cover in greater detail soon as a feature in Digital Communities. So keep an eye out...