A hacker attack kit has been retired from service by its criminal creators, most likely because it was priced too high compared to the competition, according to security researchers.
Last week, security analysts at RSA's FraudAction Research Labs said they had evidence that the makers of Neosploit, a well-known infection kit used by online criminals to apply multiple exploits against PCs, were abandoning the business.
RSA, which regularly monitored the forums and chat rooms where Neosploit's developers marketed their product, was confident that the group was giving up on the kit, though not on hacking. "Even we assume that this isn't necessarily the end of this group," said Sean Brady, a product marketing manager in RSA's ID and access assurance group, which includes the FraudAction lab.
In a blog post, RSA quoted a going-out-of-business message in Russian said to have originated with Neosploit's authors. "Unfortunately, supporting our product is no longer possible," RSA's translation read. "We apologise for any inconvenience, but business is business since the amount of time spent on this project does not justify itself. Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time!"
According to RSA, updates to Neosploit, which had a reputation for frequent updates, slowed this summer, with just one new version since early June. In April and May, Neosploit's makers released two updates.
RSA speculated that Neosploit's demise was driven by the same problems that face legitimate capitalism. "Our gut feeling is that their cost structure was out of whack given its functionality and the price of the competition," Brady said. "It was entirely about price point. Many kits do succeed. They've been the genesis of the growth of phishing [attacks] and Trojan horses."
Brady wouldn't hazard a guess about recent prices Neosploit's developers charged for the kit, saying only that: "It apparently did have a high cost." Others, however, have previously pegged the price at between US$1,000 and $3,000.
Roger Thompson, chief research officer of Czech Republic-based security vendor AVG Technologies, called the news of Neosploit's end "plausible."
"They were very vigorous at updating Neosploit, sometimes two or three times a month, and I haven't seen anything new from them for a couple of months now. That would explain it," he said.
Neosploit, which first appeared in 2007, was a follow-on to the earlier MPack, and a contemporary to another exploit kit, WebAttacker. Neosploit shared traits with other hacker tools in that it was modular and could be easily modified to include attack code aimed at the newest vulnerabilities in Windows, Internet Explorer or third-party software such as Apple's QuickTime. But it also boasted features new to the click-to-attack business, including a sophisticated statistical analysis of exploit success.
At times, Neosploit, which was always assumed to have been created by one or more Russian hackers, was linked to the notorious Russian Business Network (RBN), a malware and hacker hosting network once based in St. Petersburg.
Brady, however, said Neosploit's most distinguishing feature wasn't on the technical side. "The branding they had associated with it," he answered, when asked to describe what made Neosploit stand out. "The product worked as advertised, but it was more than anything a very credible brand."
Neither Thompson nor Brady expected the departure of Neosploit to dramatically change the security picture. "The Neosploit guys were somewhat innovative, so I'm perfectly happy to hear they're going out of business," Thompson said. "So the world is a little safer. But based on the increased activity we see, someone is making money somewhere."
"The market [for exploit kits] will continue," Brady said, "and [hackers] will continue to develop the latest and the greatest exploits. This is really no different than your average legitimate product, where one particular provider had a business model that didn't work."