[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Tuesday, 4 September 2007, 08:59 GMT 09:59 UK
Cyber crime tool kits go on sale
Windows XP, PA
Hacking tools compete with legitimate software
Malicious hackers are producing easy to use tools that automate attacks to cash in on a boom in hi-tech crime.

On sale, say security experts, are everything from individual viruses to comprehensive kits that let budding cyber thieves craft their own attacks.

The top hacking tools are being offered for prices ranging up to 500.

Some of the most expensive tools are sold with 12 months of technical support that ensures they stay armed with the latest vulnerabilities.

Tool time

"They are starting to pop up left and right," said Tim Eades from security company Sana, of the sites offering downloadable hacking tools. "It's the classic verticalisation of a market as it starts to mature."

Malicious hackers had evolved over the last few years, he said, and were now selling the tools they used to use to the growing numbers of fledgling cyber thieves.

Headset and phone, Eyewire
When it comes to the hacking industry and level of business acumen there's no limit to what your money can buy
Paul Henry, Secure Computing

Mr Eades said some hacking groups offer boutique virus writing services that produce malicious programs that security software will not spot. Individual malicious programs cost up to 17 (25 euros), he said.

At the top end of the scale, said Mr Eades, were tools like the notorious MPack which costs up to 500.

The regular updates for the software ensure it uses the latest vulnerabilities to help criminals hijack PCs via booby-trapped webpages. It also includes a statistical package that lets owners know how successful their attack has been and where victims are based.

MPack has proved very popular with criminally minded groups and in late June 2007 managed to subvert more than 10,000 websites in one attack that drew on the tool.

Hacking groups also operate volume pricing schemes and discounts for loyal customers, he said.

"It's almost a play-by-play of good business practices of software marketing," he said. "When it comes to the hacking industry and level of business acumen there's no limit to what your money can buy."

Paul Henry, vice president of technology evangelism at Secure Computing, said the numbers of downloadable hacking tools was growing fast.

According to Mr Henry there were more than 68,000 downloadable hacking tools in circulation. The majority were free to use and took some skill to operate but a growing number were offered for sale to those without the technical knowledge to run their own attacks, he said.

But, he added, many hacking groups were offering tools such as Mpack, Shark 2, Nuclear, WebAttacker, and IcePack that made it much easier for unskilled people to get in to the hi-tech crime game.

Mr Henry said the tools were proving useful because so many vulnerabilities were being discovered and were taking so long to be patched.

Little risk

"MPack used more than 12 different vulnerabilities that were launched against any web browser that visited any compromised site," he said.

Many hacking groups were attracted to selling the kits because it meant they took little risk themselves if the malicious software was used to commit crimes.

"The only thing you are going to find is a disclaimer that this was distributed for educational purposes and the user accepts any responsibility for any misuse," he said.

The only risk the hacker groups faced in making the tools available was in having someone else steal them and offer them at a lower price. Already, he said, the sheer number of tools for sale was driving down prices.

Garry Sidaway, a senior consultant at security firm Tricipher, said the success of MPack and the attendant publicity was rumoured to be worrying its creators.

"It was made by a group of friends and they all have regular jobs," he said.

Mr Sidaway said the group would not lose much money if they did stop selling it because they made much more from other lines of business.

In particular, he said, the groups can sell information about unpatched or unknown vulnerabilities in software for thousands of pounds per bug.

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific