New Rig Exploit Kit snares 1.25 million victims - thanks to Adobe Flash security flaws

Cyber crime pays: Reborn Rig Exploit Kit makes its developers $25,000 per month

A new version of the Rig Exploit Kit has claimed 1.25 million victims worldwide, according to security company Trustwave - more than 950,000 in the past six weeks alone. That is largely due to exploits taking advantage of zero-day Adobe Flash security flaws.

The Exploit Kit is rented out to users, but the heavy compute work is done on the developer's own back-end server. An earlier version of the Rig Exploit Kit front-end was leaked to security specialists in February, necessitating a re-write by the Kit's developers.

Arseny Levin, a security researcher at Trustwave, claimed that there are an estimated 50 active users of the Exploit Kit who have attacked three million PCs, successfully compromising 1.25 million of them - a 34 per cent success rate. "This is very high for an exploit kit," Levin told Threat Post.

"Malvertising" - adverts injected into advertising networks that can reach millions of machines, compromising any found to be running vulnerable versions of Adobe Flash - is the number-one method of propagation, according to Trustwave.

More than half of the victims are in Brazil and Vietnam, the company adds, with relatively few in the UK. According to Levin, the developers behind Rig are doing well out of the new version, renting it out for $100 per month, per customer - or $300,000 per year in total.

According to Trustwave, Rig has a three-layer architecture: an administration server, a virtual directory server (VDS) and proxy servers which "contain many web servers that are typically only valid for a short period of time each, and manage the interactions between the victims and the upper servers. These are the servers that serve the exploits directly to the victims".

Security experts were able to dissect and examine the original Rig Exploit Kit when a disgruntled reseller leaked the code. That was back in February this year, when Trustwave published a detailed analysis of the software, its infrastructure and how it worked.

"An individual claiming to be one of the RIG exploit kit developers tried to sell the exploit kit service in several underground forums. Apparently, this person operated without the consent of the main developer, who quickly condemned these actions in chats and suspended the leaker's accounts. In response, the individual leaked the source code for RIG 'to help the security community'," claimed Trustwave.

MalwareTech, a programmer and security enthusiast who picked up the code, attributed the reseller's disgruntlement to an over-supply in the market - too many resellers seeking too few buyers, despite the Exploit Kit's popularity - and said the developer subsequently suspended the reseller after the reseller made a fool of himself in a hacking forum not noted for the sale of exploit kits.

Even so, the way the Rig Exploit Kit works is that while resellers can sell access to a front-end, the heavy work is done by a back-end server controlled by its developers, according to MalwareTech.