Date: 2015-10-06
(Corrects spelling in paragraphs 5 and 10 to Talos instead of
Telos)
By Joseph Menn
SAN FRANCISCO, Oct 6 - Cisco Systems Inc said it had managed
to disrupt the spread of one of the most
pernicious systems for infecting Internet users with malicious
software such as so-called ransomware, which demands payment for
decrypting users' data.
The investigators from Cisco's Talos security unit were
looking at the Angler Exploit Kit, which analysts at several
companies say has been the most effective of several kits at
capturing control of personal computers in the past year,
infecting up to 40 percent of those it targeted.
They found that about half of computers infected with Angler
were connecting to servers at a hosting provider in Dallas,
which had been hired by criminals with stolen credit cards. The
provider, Limestone Networks, pulled the plug on the servers and
turned over data that helped show how Angler worked.
The research effort, aided by carrier Level 3 Communications,
allowed Cisco to copy the authentication protocols the
Angler criminals use to interact with their prey. Knowing these
protocols will allow security companies to cut off infected
computers.
"It's going to be really damaging to the attacker's
network," Talos manager Craig Williams told Reuters ahead of the
release of the report.
Cisco said that since Limestone pulled the plug on the
servers, new Angler infections had fallen off dramatically.
Limestone's client relations manager told Reuters his
company had unwittingly helped the spread of Angler before the
Cisco investigation.
Often sold in clandestine Internet forums or in one-to-one
deals, exploit kits combine many small programs that take
advantage of flaws in Web browsers and other common pieces of
software. Buyers of those kits must also arrange a way to reach
their targets, typically by sending spoof emails, hacking into
websites or distributing malicious advertisements.
Once they win control of a target's computer, exploit kit
buyers can install whatever they want, including so-called
ransomware. This includes a number of branded programs, also
sold online, that encrypt users' computer files and demand
payment to release them.
Talos estimated that if three percent of infected users paid
the ransom averaging $300, the criminals that had used the
Limestone servers to spread Angler could have made about $30
million a year.
(Editing by Miral Fahmy)