November 30th, 2010, 17:29 GMT · By

Siberia Exploits Kit Features AV Scanner Module

Siberia Exploits Kit features AV scanning
Security researchers advise that, in an attempt to increase their success rate, the creators of the 'Siberia Exploits Kit' have added an AV scanning feature to their creation.

Siberia is an exploit toolkit originally spotted at the end of 2009. It is believed to be the successor of the Napoleon Exploit Pack, but it is similar in look and functionality to the more popular Eleonore kit.

Infected legitimate websites are one of the primary conduits for malware distribution in today's threat landscape. Attackers exploit security flaws in order to inject rogue iframes or scripts into the sites' pages.

These elements then take visitors through a series of redirects and eventually land them on an attack page created with one of the many exploit toolkits available.

Such pages attempt to exploit vulnerabilities in outdated versions of popular software like Java, Adobe Reader, Flash Player or even the browsers themselves.

If exploitation is successful, a piece of malware is dropped and installed on the targeted system. Because everything happens transparently to the victim, these attacks are dubbed drive-by downloads.
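The injected iframes and scripts described above are the first link of the drive-by chain, and they are also the part a site owner can check for directly. The following is an added example, not code from the article or from M86 Security: a small heuristic scanner, built on Python's standard `html.parser`, that flags iframes which are concealed (zero or one-pixel size, or hidden via inline CSS) and inline scripts that evaluate an unescaped or character-coded payload. The page URL, the sample HTML and the hostnames in it are constructed for the example; the thresholds and the regular expression are assumptions that a real deployment would tune.

```python
"""Heuristic scan of a fetched HTML page for injected iframes/scripts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate same-site embed, one concealed third-party
# iframe, one obfuscated inline script and one ordinary external script.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://redirector.example.net/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
<script src="http://www.example.com/js/site.js"></script>
</body></html>"""

# Assumed heuristic: eval() fed directly by unescape() or String.fromCharCode()
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode)", re.IGNORECASE)


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (optionally suffixed 'px')."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    """Collects findings about concealed iframes and obfuscated inline scripts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []          # list of dicts: kind, reasons, detail
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "iframe":
            self._check_iframe(attributes)
        elif tag == "script":
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_text)
            if OBFUSCATION_RE.search(body):
                self.findings.append({
                    "kind": "script",
                    "reasons": ["eval of unescaped/char-coded payload"],
                    "detail": body.strip()[:60],
                })

    def _check_iframe(self, attributes):
        src = attributes.get("src", "") or ""
        reasons = []
        if _is_tiny(attributes.get("width", "")) or _is_tiny(attributes.get("height", "")):
            reasons.append("zero/tiny size")
        style = (attributes.get("style", "") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Concealment is the trigger; a third-party source is recorded as extra
        # context only, since visible third-party embeds (ads, videos) are common.
        if reasons:
            host = urlparse(src).hostname
            if host and self.page_host and host != self.page_host:
                reasons.append("third-party src")
            self.findings.append({"kind": "iframe", "reasons": reasons, "detail": src})


def scan_page(html, page_url):
    """Return the list of findings for one page's HTML."""
    scanner = InjectionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(finding["kind"], "|", ", ".join(finding["reasons"]), "|", finding["detail"])
```

Run against the constructed sample, the scanner reports the hidden iframe (tiny, CSS-hidden, third-party source) and the `eval(unescape(...))` script, while the visible same-site embed and the plain external script pass. It is a triage aid for a site owner comparing a served page against what they published, not a substitute for analysis of what the flagged URL actually returns.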

Siberia AV scan results
"Like our last post about Phoenix Exploit's Kit, Siberia Exploit's Kit author also emphasizes the issue of circumventing recognition by Anti-Virus and URL filtering services, as it contains a built-in Anti-Virus checker," note researchers from M86 Security.

This feature provides similar functionality to VirusTotal, a popular online scanning service, which uses 43 signature-based antivirus engines to check if files are malicious.

Siberia Exploits Kit can't use VirusTotal, because its malware samples would immediately be sent to AV companies. Instead it uses a commercial underground service known as Scan4you.

Scan4you uses around 30 antivirus engines and charges 0.15 cents per scan. A license to use the service for a month costs $25, and an API is also provided to make remote file scanning easier.

M86 notes that it has previously seen detection evasion techniques used by Web exploits to hide from automated code analysis tools like Wepawet or JSunpack.
