The End of Neosploit?


The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible — and remain undetected for as long as possible.

Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks “candidate” PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal’s choice.

However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this “Neosploitation”.

Background: the Growth of Neosploit

Neosploit is currently the most advanced infection kit used by online criminals. You could say that it is the successor of well-known infection kits such as MPack, Icepack and others. Like all its predecessors, it is sold on the Internet “underground” to online criminals. And Neosploit is not at all new: it has already gained a lot of media attention and blog coverage, and is widely discussed.

Neosploit began gaining popularity with version 2.0.xx, when it made its first mark as a very scalable infection kit. Its reliability, scalability and efficiency all contributed to the growth and adoption of Neosploit, and in April 2008 the Neosploit development team launched Neosploit version 3.0.0, introducing numerous new and improved features. Among the noticeable improvements were an improved statistical engine, enhanced configurability and, of course, an improved exploitation package.

[Figure: Neosploit infection rate statistics]

Neosploit’s Software versions

Since April’s major release, the Neosploit development team has continued its work, releasing minor versions and supporting its customers in order to rapidly improve the product. The release cycle was accelerated and new versions started arriving at an almost bimonthly rate.

[Figure: Neosploit’s release notes]

New features were added, previous features improved, and new customers eagerly signed up. Support was improved: we even became aware of the creation of an online forum for customer Q&A! Truly, all the hallmarks of a fully functional and customer-centric business.

Financial problems

In mid-July, however, evidence showed that Neosploit’s successful business was running into problems. It is likely that Neosploit was finding it difficult to sustain its new customer acquisition rate, and that its existing customers were not generating enough revenue to sustain the prior rate of development. These problems appear to have been too much of a burden, and we now believe that the Neosploit development team has been forced to abandon its product.

Like any responsible business, the Neosploit team is trying to be remembered as a good business that might one day return. Our sources reported that they took the time and effort to part properly with an “out of business” announcement.

[Figure: the “out of business” announcement]

Or as the translation goes:

“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.

We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.

Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time!
Good luck all,
The Neosploit Team!”

Whether or not Neosploit will actually cease its business, and whether or not it will return, is a question that only time can answer. However, there’s no doubt that when the demand is high enough someone will step up to the plate and fulfill the need for a professional malware infection kit — Neosploit or not.

RSA FraudAction Research Labs

The RSA FraudAction Research Lab is made up of some of RSA's most experienced internet security researchers, engineers and intelligence professionals with expertise in vulnerability research, reverse engineering and in-depth malware analysis. In this blog we report real-time developments in electronic crime, those who perpetrate it and the tools and methods they use. Research Lab blog posts bring you this diverse team's unprecedented insight, findings and opinions on topics including Underground Economy and fraud trends, fresh news from the world of cybercrime, information about Trojans, Phishing techniques, Botnets and how fraud from the online realm touches day-to-day life in the real world.