Security Experts:

RIG Exploit Kit Source Code Leaked Online

An individual claiming to be one of the developers of the RIG exploit kit has leaked the source code for what appears to be a fairly recent version of the exploit kit.

The leaker, who initially attempted to sell access to the exploit kit on HackForums, was named a scammer by RIG’s main developer. On a different hacker forum, the leaker claimed to have contributed to the development of the exploit kit, but he had not been paid so he decided to sell the source code and a server database dump, according to a UK-based malware analyst who uses the online moniker MalwareTech.

After seeing that no one was taking him seriously, and after RIG’s main developer called him a scammer, the black hat created a Twitter account and published the source code allegedly wanting to “help malware analysts patch this.”

MalwareTech and other researchers have confirmed that the source code is legitimate, but they pointed out that it appears to be incomplete. The code is for the frontend and it doesn’t contain any exploits because the actual exploitation is done on backend servers, MalwareTech said.

While he was trying to sell access to RIG on HackForums, the alleged developer claimed the exploit kit included exploits for one Microsoft Silverlight, two Java, two Internet Explorer, and two Flash Player vulnerabilities.

Researchers at security firm Trustwave have analyzed the server database export and determined that it only covers roughly 1,200 infections caused by RIG. Data collected by Trustwave shows that the total number of infections that can be attributed to the exploit kit is approximately 418,000, with an exploitation rate of 33%.

“Following this leak, the crooks might get cold feet and try to stay under the radar to elude law enforcement's attention. As a result we'd expect to see less activity,” Trustwave researchers said in a blog post. “On the other hand, script kiddies may now use this source code to try and deploy their own infection schemes for quick and easy profit. One thing, though, is certain: the exploit kit scene is about to see another shift in power as the demand for these kinds of services will always be on the rise.”

The RIG exploit kit source code leak is the result of an internal conflict among cybercriminals and it will not have any serious consequences for regular users, a reputable researcher told SecurityWeek. The expert, who prefers not to be named, pointed out that the source code for the Sakura exploit kit was leaked in 2012 without any consequences.

The source code for several pieces of malware has been leaked over the past years. The list includes banking Trojans such as Zeus, KINS and Carberp, the Android RAT Dendroid, Pony Loader, and several point-of-sale Trojans.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.