LuckySploit, the right hand of Zeus

[SysAdMini]

http://evilfingers.blogspot.com/2009/02/luckysploit-right-hand-of-zeus.html

[DiFor]

not interesting sploit
1) remove all the random calls

Code: [Select]

...
//var d=Math.floor(Math.random()*a.length);
var d=a.length-2;
...
//var z=window.crypto.random(32);
var z=30;
...
//t=Math.floor(65536*Math.random());
t=100;2) change date().gettime calls

Code: [Select]

//function BRN(){QUM(new Date().getTime())}
function BRN(){QUM("1235599644399")}3) emulate vulnerable applets

Code: [Select]

...
//vers.push('f',check_flash_vuln());
vers.push('f',"9:0:115");
...
//vers.push('p',check_pdf_vuln());
vers.push('p',"800");
...
//vers.push('m',check_mdac_vuln());
vers.push('m',"4");
...4) and final use navigator.IE6.WinXP_32_SP1 Malzilla template

#########

anything new and interesting. there is much more interesting things

[SysAdMini]

In case you haven't noticed :

you can find Luckysploit urls in the list.

http://www.malwaredomainlist.com/mdl.php?sort=Date&search=Luckysploit&colsearch=All&ascordesc=DESC&quantity=50&page=0

[DiFor]

I saw it. there mostly all built on one algorithm, but it is not interesting. too easy. carries no

[sowhat-x]

Finjan had a nice write-up upon LuckySploit few days ago by the way...
http://www.finjan.com/MCRCblog.aspx?EntryId=2213

[mercutio]

The norwegian honeynet project also had a nice description of luckysploit:
http://www.honeynor.no/2009/02/07/a-closer-look-at-encrypted-javascripts/

[SysAdMini]

http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-rbn-hacks-p2.html