Hackers shut down Neosploit attack kit

Computerworld - A noted hacker attack kit has been retired from service by its criminal creators, most likely because it was priced too high compared to the competition, researchers said today.

Last week, security analysts at RSA's FraudAction Research Labs said they had evidence that the makers of Neosploit, a well-known infection kit used by online criminals to apply multiple exploits against PCs, -- were abandoning the business.

RSA, which regularly monitored the forums and chat rooms where Neosploit's developers marketed their product, was confident that the group was giving up on the kit, though not on hacking. "Even we assume that this isn't necessarily the end of this group," said Sean Brady, a product marketing manager in RSA's ID and access assurance group, which includes the FraudAction lab.

In its blog post, RSA quoted a going-out-of-business message in Russian said to have originated with Neosploit's authors. "Unfortunately, supporting our product is no longer possible," RSA's translation read. "We apologize for any inconvenience, but business is business, since the amount of time spent on this project does not justify itself. Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time!"

According to RSA, updates to Neosploit, which had a reputation for frequent updates, slowed this summer, with just one new version since early June. In April and May, Neosploit's makers released two updates.

RSA speculated that Neosploit's demise was driven by the same problems that face legitimate capitalism. "Our gut feeling is that their cost structure was out of whack given its functionality and the price of the competition," Brady said. "It was entirely about price point. Many kits do succeed. They've been the genesis of the growth of phishing [attacks] and Trojan horses."

Brady wouldn't hazard a guess about recent prices Neosploit's developers charged for the kit, saying only that "it apparently did have a high cost." Others have previously pegged the price at $1,000 to $3,000.

Roger Thompson, chief research officer of Czech Republic-based security vendor AVG Technologies, said via instant message that the news of Neosploit's end was "plausible."

"They were very vigorous at updating Neosploit, sometimes two or three times a month, and I haven't seen anything new from them for a couple of months now. That would explain it," Thompson said.

Neosploit, which first appeared in 2007, was a follow-on to the earlier MPack, and a contemporary to another exploit kit, WebAttacker. Neosploit shared traits with other hacker tools in that it was modular and could be easily modified to include attack code aimed at the newest vulnerabilities in Windows, Internet Explorer or third-party software such as Apple Inc.'s QuickTime. But it also boasted features new to the click-to-attack business, including a sophisticated statistical analysis of exploit success.