Revamped RIG exploit kit infects 1 million PCs

The RIG exploit kit's source code was leaked by a 'disgruntled reseller' in February, but researchers say that version 3.0 of the EK has been 'polished' with new features and with changes intended to reduce the likelihood of further leakage. The EK remains available through most cyber-crime markets on the dark web.

"Not only did RIG 3.0 manage to maintain the exploitation percentage of RIG 2.0, it also managed to vastly increase its number of hits reaching the high volume of over 3.5 million hits (impressions)," the research team says in its analysis.

"[It] attempted to infect 3.5 million machines and succeeded in infecting 1.25 million machines, meaning on average 27,000 infected machines per day."

Researchers attribute this high infection rate to the various Adobe Flash zero-day vulnerabilities that have surfaced in recent weeks, several of them disclosed in the Hacking Team data breach.

RIG is largely being used in malvertising attacks, with unnamed news websites, IT providers and investment consultancies targeted, according to researchers.

One RIG customer was said to be making up to $100,000 a month by using the EK to build the Tofsee spam botnet, a campaign said to account for 70 percent of all infections observed.

Sophos last month revealed that RIG accounted for 82 percent of the exploit market, following the demise of BlackHole.

Terry Greer-King, director of cyber-security at Cisco, spoke to late last week on the release of Cisco's mid-year report, which revealed a rise in the use of the Angler exploit kit and other exploits taking advantage of flaws in Adobe's Flash.

“A lot of incidents have already occurred, and it looks like a record bad year, especially for Flash,” he said at the time, although – unlike others – he insisted that Adobe's Flash is still a useful technology when managed correctly.

“People are just not applying the patches to Flash and other things that are coming out.” He added that the use of the Angler EK had “really grown year-on-year.”

Greer-King went on to stress the importance of writing good code, because the bad guys “are literally working 24/7” to find any holes or vulnerabilities.

Pointing to the “huge increase” in Dridex, which is especially prevalent in France at the moment, he said that anti-virus teams might patch within nine hours, but that still leaves eight to nine hours for attackers to exploit.

In its mid-year report, Cisco also found passages from Jane Austen's 19th century novel Sense and Sensibility in exploit kit landing web pages, reasoning that attackers would use such literature so as to bypass anti-virus and get their malicious code executed. “It's really wacky, it could have been anything….it could have been something out of the Beano,” admitted Greer-King.
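The following is an added example, not code from Cisco's report or from the RIG authors, showing why padding a landing page with benign prose works against a scanner that judges the whole document. The page, the inert inline script and the filler prose are all constructed here, and both detection heuristics (`naive_verdict`, which keys on the share of the page that is script, and `robust_verdict`, which inspects each script body on its own) are hypothetical stand-ins for what a crude scanner might do, not the logic of any real anti-virus product.

```python
"""Benign-text padding versus document-level heuristics (added example).

Nothing here is taken from Cisco or RIG. The script is inert: it only calls
unescape/eval/String.fromCharCode on harmless literals so that the page carries
the tokens a crude scanner weights heavily without doing anything.
"""
import re

# Constructed inert script carrying constructs that simple scanners key on.
INLINE_SCRIPT = (
    '<script type="text/javascript">'
    'var s = unescape("%68%69"); eval("var t = \'" + s + "\';");'
    'var f = String.fromCharCode(104, 105);'
    '</script>'
)

# Constructed filler prose standing in for the novel excerpts Cisco reported.
FILLER_SENTENCE = (
    "The family had long been settled in the county, and their estate was "
    "large enough that the neighbours spoke of them with respect. "
)

# Hypothetical token list for the per-script check (an assumption, not a
# vendor signature set).
SUSPECT_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "ActiveXObject(")

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def build_page(filler_paragraphs: int) -> str:
    """Assemble a landing page: N paragraphs of filler prose, then the script."""
    body = "".join(f"<p>{FILLER_SENTENCE * 3}</p>" for _ in range(filler_paragraphs))
    return f"<html><body>{body}{INLINE_SCRIPT}</body></html>"


def script_bodies(html: str) -> list[str]:
    """Return the text inside every <script>...</script> element."""
    return _SCRIPT_RE.findall(html)


def script_fraction(html: str) -> float:
    """Share of the page's characters that live inside <script> elements."""
    if not html:
        return 0.0
    return sum(len(b) for b in script_bodies(html)) / len(html)


def naive_verdict(html: str, threshold: float = 0.25) -> bool:
    """Hypothetical whole-document heuristic: a page that is 'mostly script'
    is flagged. Any statistic taken over the whole page is diluted by padding."""
    return script_fraction(html) > threshold


def robust_verdict(html: str) -> bool:
    """Inspect each script body in isolation; surrounding prose cannot dilute it."""
    return any(tok in body for body in script_bodies(html) for tok in SUSPECT_TOKENS)


def demo() -> dict:
    """Run both heuristics over a bare page and a heavily padded copy."""
    bare = build_page(0)
    padded = build_page(40)
    return {
        "bare_fraction": script_fraction(bare),
        "padded_fraction": script_fraction(padded),
        "naive_bare": naive_verdict(bare),
        "naive_padded": naive_verdict(padded),
        "robust_bare": robust_verdict(bare),
        "robust_padded": robust_verdict(padded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bare page is more than half script, so the whole-page heuristic flags it; forty paragraphs of filler push the script share below one percent and the same heuristic passes the page, while the per-script check is unaffected because the filler never enters its input. The general lesson is to compute features over the unit the attacker cannot pad (each script, each embedded object) rather than over the document as a whole.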

The Cisco security expert added that criminals are starting to work out ways to work around sandboxing technologies, and advises IT security teams to move to “goal-orientated penetration testing” for better resilience, as well as to embrace more outsourcing and more integrated security solutions.
