Author Topic: LuckySploit, the right hand of Zeus  (Read 8261 times)

0 Members and 1 Guest are viewing this topic.

March 02, 2009, 02:47:58 pm
Read 8261 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 02, 2009, 07:45:38 pm
Reply #1

DiFor

  • Jr. Member

  • Offline
  • **

  • 19
not interesting sploit
1) remove all the random calls
Code: [Select]
...
//var d=Math.floor(Math.random()*a.length);
var d=a.length-2;
...
//var z=window.crypto.random(32);
var z=30;
...
//t=Math.floor(65536*Math.random());
t=100;
2) change date().gettime calls
Code: [Select]
//function BRN(){QUM(new Date().getTime())}
function BRN(){QUM("1235599644399")}
3) emulate vulnerable applets
Code: [Select]
...
//vers.push('f',check_flash_vuln());
vers.push('f',"9:0:115");
...
//vers.push('p',check_pdf_vuln());
vers.push('p',"800");
...
//vers.push('m',check_mdac_vuln());
vers.push('m',"4");
...
4) and final use navigator.IE6.WinXP_32_SP1 Malzilla template

#########

anything new and interesting. there is much more interesting things

March 03, 2009, 05:07:35 pm
Reply #2

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 03, 2009, 06:25:01 pm
Reply #3

DiFor

  • Jr. Member

  • Offline
  • **

  • 19
I saw it. there mostly all built on one algorithm, but it is not interesting. too easy. carries no

March 23, 2009, 04:51:09 pm
Reply #4

sowhat-x

  • Guest
Finjan had a nice write-up upon LuckySploit few days ago by the way...
http://www.finjan.com/MCRCblog.aspx?EntryId=2213

March 25, 2009, 09:54:33 pm
Reply #5

mercutio

  • Special Members
  • Full Member

  • Offline
  • *

  • 52
The norwegian honeynet project also had a nice description of luckysploit:
http://www.honeynor.no/2009/02/07/a-closer-look-at-encrypted-javascripts/

April 10, 2009, 03:11:38 pm
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day