One in four hackers runs Opera to ward off other criminals

Hackers using multi-exploit attack "toolkits" take defensive measures of their own against other criminals, a security researcher said today.

"Exploit kit operators do use mainstream browsers, but they're much more likely to use Opera than the average user, because they know that the browser isn't targeted by other hackers," said Paul Royal, a principal security researcher with Atlanta-based Purewire.

While the most generous Web measurements peg Opera, a browser made by Norwegian company Opera Software, at a 2% share of the global market, 26% of the hackers who Purewire identified use the far-from-popular application.

Because of its small market share, few hackers bother to unleash exploits for Opera vulnerabilities, said Royal.

Purewire obtained this insight, and others, by infiltrating hackers' systems using a bug in the analytics software included with a pair of hacker toolkits, notably one dubbed "LuckySploit," said Royal. "We forged a 'refer' field and put in a little JavaScript," he explained, "and that revealed the hackers to us via their IP addresses."

Out of 51 exploit kit-using hackers, Purewire's tactic successfully identified the IP addresses of 15, as well as the browsers they ran. "We essentially did a code audit," said Royal. "Even criminals who attack others cannot architect reliable software," he added, talking about the vulnerabilities in the toolkits.

Most multi-strike attack kits, including LuckySploit, serve up a grab bag of exploits, including code that leverages vulnerabilities in Microsoft's Internet Explorer (IE), in ActiveX controls that IE uses, and in Adobe's Flash Player and Reader.

Criminals also try to hide from law enforcement by distancing themselves from the servers that host their exploit kits, said Royal. Of the 15 hackers Purewire identified, only two -- both with IP addresses traced to Latvia -- resided in the same country that also hosted the system containing their attack kit.

Most had at least one country between where they lived and where their malware-serving machine was located.

"This is a first stab," Royal said when asked what value could be placed on the information Purewire rooted out. "If we can discover the IP addresses of exploit kit operators, we can then turn that over to law enforcement."

Exploit toolkits are a prominent weapon in hacker arsenals, especially for "drive-by" attacks launched when unwary users are tricked into visiting Web sites by spam. Last month, for example, thousands of legitimate, but compromised, sites served up a multi-strike kit that included an exploit of a then-unpatched vulnerability in a Microsoft-made ActiveX control.

Microsoft frees Linux driver source code

Computerworld - Microsoft Corp.'s unprecedented release last week of more than 20,000 lines of driver code to the Linux community could put pressure on several top suppliers of closed-source drivers to make similar moves.

Observers note that virtualization vendor VMware Inc., Wi-Fi chip maker Broadcom Corp. and graphics chip maker Nvidia Inc. still decline to offer their Linux drivers under the General Public License, a free software license widely used in the open-source community.

Doing so would allow the drivers to be included in the open-source Linux kernel, making the installation process much smoother. It would also enable developers to tinker with and fix them.

Gordon Haff, an analyst at Illuminata Inc., said he doesn't expect Microsoft's move to persuade those vendors to open their drivers.

Graphics companies like Nvidia, he said, "have been taking heat over Linux drivers for years. But they see their driver technology as just too big a part of their competitive advantage to give much."

And VMware, as "the 800-pound gorilla," doesn't have to release its code, Haff added. "The pressure is more on the Linux distributors to work with VMware than the other way around."

Officials at VMware and Nvidia didn't respond to requests for comment. In a statement, Broadcom said that it "is working with the community to make this happen over the next several months."

Tom Hanrahan, director of Microsoft's Open Source Technology Center, said in a statement that submitting the code for inclusion in the Linux kernel marks "the first time we've released code directly to the Linux community."

The drivers enable Linux virtual machines to run on top of Microsoft's Hyper-V virtualization software. They are already available for enterprises in a patch and will be generally available in several months as part of the next major Linux kernel update, said Greg Kroah-Hartman, a longtime Linux developer at Novell Inc. and head of the Linux Driver Project, which works with manufacturers to submit kernel code to the open-source community.