One of these is a Apache 2.x module for automated mass iFrame injection for which Webroot's Dancho Danchev has recently spotted an underground market advertisement.
"The Apache 2.x based stealth module is capable of inserting and rotating iFrames on all pages at a particular website hosted on the compromised server. The process will only work with a cookie+unique IP in an attempt by the cybercriminal behind the kit to make the process of analyzing the module harder to perform. The module would also not reveal the iFrame URL to search engines, Google Chrome and Linux users, as well as local IP," he shares, adding that this makes it virtually impossible for a webmaster to remove the infection from their Web site.
The module is for sale for $1,000, and in order to incite buyers, the seller offers statistics that apparently prove that the ROI is good.
"Thousands of users continue installing and purchasing fake antivirus software products, driving a steady flow of income to the accounts of the cybercriminal(s) operating these campaigns," he points out. "Moreover, the statistics also indicate that thousands of users, visiting their favorite and trusted websites, are getting exploited through client-side exploits like the ones served by the market leading Black Hole Exploit Kit, thanks to the malicious Apache 2 module."
The seller also reveals in the ad that the module has already been successfully use in a number of security incidents across the globe.