Phoenix Exploit’s Kit v2.1 Inside
Crimeware of this kind is one of the tools most used by cyber criminals to gather intelligence, enabling them to identify trends and habits among people who use the Internet daily.
The aim is to obtain timely and complete information about the victims, which in turn lets the criminals know which factors to emphasize in the "improvements" to the web application, and lets the botmaster plan a strategy for promoting the malware.
Why? Processed information (intelligence) is key because it gives them real data on the different technologies people use. This type of maneuver is widely used by criminals. Ever wondered why Koobface spread through social networks?
For example, most crimeware of this style collects data on:
- Type and version of platforms. This reveals which operating systems are in use and which are the most vulnerable.
- Type and version of browsers. Serves the same purpose as the item above.
- Countries affected. Lets the botmaster know the number of victims in each country, so the spread of the malware can be targeted, focusing its promotion on particular countries.
Currently PEK development is at version 2.3r, a preliminary release of 2.4 that has been in its "testing" stage since mid-August 2010. The latest "stable" version is 2.3.
However, this post is about version 2.1 of Phoenix Exploit's Kit; from the visual point of view it has not changed in the previous or subsequent versions.
By default it has 10 exploits, which are:
- Adobe Reader newPlayer CVE-2009-4324
- Java HsbParser.getSoundBank (GSB) CVE-2009-3867
- Adobe Flash 10 CVE-2009-1869
- Adobe Reader Collab GetIcon CVE-2009-0927
- Java Runtime Environment (JRE) CVE-2008-5353
- Adobe Reader util.printf CVE-2008-2992
- IE SnapShot Viewer ActiveX CVE-2008-2463
- Adobe Reader CollectEmailInfo CVE-2007-5659
- Adobe Flash 9 CVE-2007-0071
- IE MDAC CVE-2006-0003
This version carries over the Phoenix Triple System feature incorporated in version 1.4, which is basically an encryption scheme for the binary executables being disseminated. Its purpose is to hinder analysis of the malware.
It consists of six modules, 4 of which provide relevant information on each computer that is part of the botnet.
Simple statistics
This is an overview of the data collected, showing the browsers with the highest percentage of successful exploitation, the number of visits for each of them, the total number of visits, and the exploits the package contains. Below is an updated version in which some exploits were incorporated.
Advanced statistics
This basically gives a finer level of detail on the affected operating systems and browsers, including the version of each as useful data. In this case, the three most compromised operating systems are Windows XP, Vista and Seven, respectively; Linux platforms appear with a minimal share compared to these, but higher than Windows ME, 2000 and 2003.
Interestingly, in terms of browsers, the three with the highest rate of vulnerability are Firefox 3.6, Internet Explorer 8 and Internet Explorer 7, respectively.
Countries statistics
Information on the countries where the compromised computers are located. The detail consists of the number of visitors from each country and the number of successful exploits, also broken down by country.
Referers statistics
Information on the sites referring to Phoenix Exploit's Kit. The main feature is that the pattern PEK follows is to be referenced from porn sites, from which the browser is run through some of the pre-compiled exploits in the package. This module shows the list of pages, the number of visits per page and the number of successful exploits, with an average expressed as a percentage.
The list for the version used in this article is very long, but it is available in full at the following link: PEK v2.1 Referers List.
Upload .exe
This module allows updating the malicious code being spread. It usually changes only when the executable binary is submitted to the Phoenix Triple System encryption service, or when the botmaster changes the infection strategy according to new targets for the malware, for example affiliate systems that spread their own malware.
In this case, PEK is used to propagate a generated version of the ZeuS trojan:
- exe.exe (e9325bf1a8286bdbb2e8d7ce08e5fa20)
More information on the different versions of this crimeware can be found in the white paper Phoenix Exploit's Kit. From the mythology to a criminal business.
Related information
State of the art in Phoenix Exploit's Kit [White paper]
Campaign infection through Phoenix Exploit's Pack
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Phoenix Exploit's Kit. Another alternative for controlling botnets
Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher