LuckySploit, the right hand of ZeuS

LuckySploit is the name of a set of scripts (toolkit) designed to exploit different vulnerabilities and allow execution of binaries on the victim machine arbitrarily.

Currently, these scripts, subject to obfuscation, are being used by the botnet ZeuS to recruit zombies attack PCs through Drive-by-Download.

When accessing the web address, only displayed a blank page, but to check its source code is a code written in JavaScript like this:

The script is encrypted with the RSA algorithm. This information is displayed at the end of the code.

Another interesting fact is that the script is displayed only once, ie if you try to log back in to the same address, again to check the HTML source code, the script is no longer available.

Some of the domains that contain LuckySploit are reflected below:

r-state. com / equip /
trafffive .cn / wait /? t = 15
trafffive .cn / bm /? t = 15
directlink9 .cn / wait /? t = 15
directlink4 .cn / bm /? t = 15
directlink2 .cn / wait /? t = 15
directlink1 .cn / bm /? t = 15
directlink0 .cn / wait /? t = 15
superioradz .info/opis3 /? t = 2
superioradz .info/opis2 /? t = 2
rodexcom .org / parus /? t = 5
dvlorg .net / parus /? t = 25
top.sei-keine .com / u-store /? t = 1
statclick .net / main /? t = 1
deinglaube. com / images /
202.73.57.6 / tomi
federalreserve.banknetworks .net / bb /? t = 2
fuadrenal .com / myth /? t = 2
fuck-lady .com / prn / index. php
hello-to-you .net / rttz /? t = 6

It's worth noting that many of these URL's are active, therefore if you decide to access any of it, keep in mind the security measures appropriate to the case.

In some scripts, to desofuscarlo clearly read at the end of a message that says:

attack_level = 0;;
try (
f = 'Welcome to LuckySploit:) \ n TOASTED STI';

Thus, Zeus is adhering to its network equipment malicious infected computers.

Related information
Botnet Zeus. Mass propagation of his Trojan. Part two
Botnet Zeus. Mass propagation of his Trojan. Part one

Jorge Mieres