Author Topic: GPack - not funny at all...


July 16, 2008, 03:27:00 pm

sowhat-x
So, this .rar package was assorted during late February, according to the timestamps...  :-X
http://www.virustotal.com/analisis/307cf609589d6e10b7e42ced370d2efb

July 17, 2008, 06:21:57 pm
Reply #1

sowhat-x

Got kinda curious with the GPack results above, thereby, for the fun of it,
I thought I should upload a few of the most common exploit-packs over at VirusTotal...
And here are the results/statistics at the time being.
GPack above still holds the 'record' though, with results at 12/33 (36.36%)...

FirePack 0.17 - rar package assembled during October 2007
Results: 20/33 (60.61%)
http://www.virustotal.com/analisis/8346f1bbbabc025200d59dd759775f88

ADPack 2 - rar package assembled during November 2007
Results: 23/33 (69.7%)
http://www.virustotal.com/analisis/c84839e46bb1245a029b2ada19e7104e

cry217 - rar package assembled during April 2008
Results: 16/33 (48.49%)
http://www.virustotal.com/analisis/475f3669fcc2d84a41bccd0f1d03ecbe

IcePack Platinum - rar package assembled during April 2008
Results: 25/33 (75.76%)
http://www.virustotal.com/analisis/517fdd410da1dfb4c44730776ed28d2a

PS1: Neosploit returns 3/33 (9.1%),
but my guess is that this happens because it's ELF executables there...
http://www.virustotal.com/analisis/28ebeb15a35cf63646fb3cd3bb5b39e8

PS2: 'Assembled' refers to the timestamps of the included files,
not the moment that they were first released, "leaked" to the public etc...
For example, IcePack was released way earlier than what the timestamps reveal,
during the previous spring or so... maybe even earlier...

July 17, 2008, 09:37:15 pm
Reply #2

tjs

What's the point of detecting these exploit kits? It's better to just detect the malware that they drop or the exploits that they use.

Just my $0.02

TJS

July 18, 2008, 01:38:56 am
Reply #3

sowhat-x

Quote
...or the exploits that they use.
That was exactly my question as well... because generally speaking,
it seems that the exploits used by them are only semi-detected...
What better than having their 'infection' php/html pages blocked directly at the browsers' access?
The dropped malware can be changed numerous times at will, but the exploit-packs' php code cannot...

July 18, 2008, 02:44:11 am
Reply #4

tjs

To be perfectly honest, I still wonder if those exploit pages/scripts should be considered malware. Surely the binaries they drop are malware, but I'm not sure if the antivirus world should get involved with web browsers. It's like trying to secure email by protecting Outlook (or whatever the vulnerable client of the day is) from misformatted emails...

Maybe it's a better job for IDS or something.

I dunno.... Need to think about it some more.

TJS

July 18, 2008, 04:36:52 am
Reply #5

sowhat-x

Quote
...but I'm not sure if the antivirus world should get involved with web browsers...
That's a really big discussion... and well, I'm certainly the least qualified to judge upon it, he-he...
Is the problem malware binaries/win32 executables, or more generally,
all possible kinds of malicious code that gets executed... whatever form it might have?
What comes quickly to mind though, is that malicious .vbs scripts, or even batch files,
have in the past been (and still continue to be...) added/detected by AV products...
Nowadays, it seems that their "popularity" has been replaced with .js and .php...
tomorrow, who knows...  :-\

What I can say though with a great degree of certainty,
is that browser-based exploits are the first thing malware authors are after...
it's the easiest way for them to execute code on a remote system.
This "trend" doesn't seem like it's gonna fade away anytime soon...
for example, I just stumbled upon this 'minimalistic' package, fairly new,
completely script-based, and accordingly, completely 'undetectable' at the moment:
Quote
hxxp://0x00.ws/OpenZombie/

July 20, 2008, 01:29:37 pm
Reply #6

sowhat-x

A few more statistics...

infector by xod.0x88 - rar package assembled during October 2006
Results: 27/33 (81.82%)
http://www.virustotal.com/analisis/cb44648dc9a286b5baea5ce1a5cca092

tor - rar package assembled during March 2008
Results: 24/33 (72.73%)
http://www.virustotal.com/analisis/42d3786664eecb372e2daee6d38d2a7d

d1ez IFramer v1.8 - rar package assembled during December 2007
Results: 7/33 (21.22%)
http://www.virustotal.com/analisis/bd551a1270bb052d999646b8ffda2c7e

PS: Removed the GPack package from above,
interested parties can get it from UploadMalware and/or VirusTotal...
(and obviously the rest of the php packs mentioned here as well...)

September 23, 2008, 10:57:14 pm
Reply #7

sowhat-x

le fiesta 1.8 - rar package assembled during June 2008
Results: 23/36 (63.89%)
http://www.virustotal.com/analisis/984168de06371561ea41e5087335726f