A spitting match between developers of the Rig Exploit Kit and one of its resellers resulted in a partial leak of the kit’s source code in a hacker forum.
Rig is less than a year old and is spread primarily in malvertising campaigns, pushing Flash, Java and Microsoft Silverlight exploits; some versions also push ransomware.
Experts, however, are not convinced the leak will spawn a wave of new campaigns built on Rig.
“I do not think this will be really noticeable,” said French exploit kit researcher Kafeine, who found the leak being advertised on a hacker board. He said the main pushers of Rig do not operate on the same forum.
“Following this leak, the crooks might get cold feet and try to stay under the radar to elude law enforcement’s attention,” said a report posted yesterday by researchers at Trustwave SpiderLabs. “As a result we’d expect to see less activity. On the other hand, script kiddies may now use this source code to try and deploy their own infection schemes for quick and easy profit.”
A U.K. researcher known as MalwareTech said the leaker is likely a Rig Exploit Kit reseller who tried to scam potential buyers by charging prices 40 percent higher than “official” Rig sellers, as well as asking $3,000 for access to a private forum that did not exist, according to screenshots from his website.
“It seems like the RIG owner was less than pleased with the reseller’s antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn’t surprising given he was requesting that people pay him $3000 for access to an imaginary private forum,” MalwareTech wrote on his website.
No honor among thieves.
Undaunted, the reseller took to Twitter, creating an account that riffed on researchers from Malware Must Die. In a series of tweets, the reseller said he was in possession of Rig source code and a database dump; he also provided a download link. MalwareTech said the password-protected file was deleted after a couple dozen downloads. He said, however, that he confirmed the leak was legitimate with three other sources. The leak is incomplete, and it appears the reseller leaked only the files he had access to, Trustwave SpiderLabs said.
“In addition to parts of the source code, the contents of the leak included a partial export of the server database,” Trustwave said. That export gave its researchers access to the kit’s infection statistics, which recorded only about 1,200 infections since the leak.