Despite being reported as “out of business” in late July/August (see this blog, and this article as well), Neosploit, one of the tools most widely used by cybercriminals, clearly hasn’t ceased to exist. In fact, we have recently confirmed a highly enhanced Neosploit 3.1 installation to be out and about, and serving Malweb to hundreds of legitimate Web sites worldwide. We are currently working with law enforcement from around the globe to identify infections and inform organizations.
It’s clear that Neosploit actually planned to create Neosploit 3.1 and has made it available on a significant scale for at least the last few weeks.
Another interesting thing to note here is that the recent increase in PDF exploits can hardly be attributed to some new toolkit, or to older kits attempting to capitalize on the toolkit market; it is actually the work of this new 3.1 version. See statistics from an active Neosploit attack server below:
What does all this mean? It’s a truly notable instance where the actual business side of running cybercrime operations pulled a fast one on the thousands of experts tasked with following the latest Web threats. They see the profitability of investing in the development of newer versions, releasing cybercrime tools much as a typical software company would. And it’s all proven by their greatly enhanced Neosploit 3.1, which was never anticipated by even the largest of security vendors. Instead, security vendors thought that newly enhanced PDF exploits (actually a large part of Neosploit’s punch) were a new trend in themselves, when in fact they come directly from Neosploit.
I would keep an eye on developments in the eCrime business market; for the rock star of the Malweb toolkits to just disappear one day and declare retirement does not really fit in with what is really happening in the business. Although the attempt to go under the radar has been greatly aided by reports from security researchers that the group has disbanded, it was hard to believe that they really went under with such a successful brand name and business behind it.
I’ll be covering some of the developments in Neosploit 3.1 at the upcoming BlueHat conference at Redmond next month, so if you are fortunate enough to get there – look for the opening talk.