Topic: Justexploit kit (Read 8972 times)


November 28, 2009, 05:25:29 pm

SysAdMini

We have seen an increasing number of sites that contain a new exploit kit.

Features/characteristics of the kit:

- obfuscated script at /index.html
- 3 exploits: MDAC, PDF, Java
- PDF exploit at /pdf.php
- Java exploit at /files/sdfg.jar
- payload at /feedback.php
- control panel at /admin.php, title of login dialog is "Multiplex Corporation Ltd"

Today one of our members (thanks Mike) figured out the credentials for one site.
We were able to login and now we know the name of the kit. It is Justexploit.

Examples:
http://www.malwaredomainlist.com/mdl.php?search=justexploit&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=feedback.php%3Fpage&colsearch=All&quantity=50&inactive=on
http://wepawet.cs.ucsb.edu/view.php?hash=fb8d4c9c934c9b2e972f8210d4ec8f1d&t=1259356561&type=js

Here is a screenshot of the control panel.

Ruining the bad guy's day
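An added example, not from the original post or from the kit itself: a small Python routine that correlates the URL paths listed above in web-proxy logs. It flags a client only when an exploit component and then the payload path are fetched from the same host, which keeps the generic /feedback.php filename from firing on its own. The log format and the hostnames are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Paths reported in the first post for the Justexploit kit.
EXPLOIT_PATHS = {"/pdf.php": "PDF exploit", "/files/sdfg.jar": "Java exploit (CVE-2008-5353)"}
PAYLOAD_PATH = "/feedback.php"  # payload download, seen with a ?page= parameter

# Constructed sample proxy log lines: client, method, URL, status. Hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET http://kit.invalid/index.html 200
10.0.0.5 GET http://kit.invalid/files/sdfg.jar 200
10.0.0.5 GET http://kit.invalid/feedback.php?page=3 200
10.0.0.7 GET http://blog.invalid/files/sdfg.jar 404
10.0.0.9 GET http://kit.invalid/pdf.php 200
10.0.0.9 GET http://kit.invalid/feedback.php?page=1 200
10.0.0.11 GET http://shop.invalid/feedback.php 200
"""
LINE_RE = re.compile(r"^(\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (client, host, path, status), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, status = m.groups()
    parts = urlsplit(url)
    return client, parts.hostname, parts.path, int(status)

def find_exploit_chains(log_text):
    """Flag (client, host) pairs that fetched a kit exploit component and later the
    payload path from the same host, both with HTTP 200.  A lone /feedback.php hit is
    not flagged: the filename is too common to be an indicator by itself."""
    seen = defaultdict(list)  # (client, host) -> [(path, label)] in log order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, path, status = rec
        if status != 200 or host is None:
            continue
        if path in EXPLOIT_PATHS:
            seen[(client, host)].append((path, EXPLOIT_PATHS[path]))
        elif path == PAYLOAD_PATH:
            seen[(client, host)].append((path, "payload download"))
    chains = {}
    for key, stages in seen.items():
        hit = [i for i, (p, _) in enumerate(stages) if p in EXPLOIT_PATHS]
        if hit and any(p == PAYLOAD_PATH for p, _ in stages[hit[0] + 1:]):
            chains[key] = [label for _, label in stages]
    return chains
```

On the constructed sample, the two clients that fetched an exploit file and then the payload are reported; the 404 and the unrelated /feedback.php hit are not.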

November 29, 2009, 08:27:27 am
Reply #1

CM_MWR

Hey Holger....

Any idea what they are targeting in Java?

I wonder because of the recent java update and little to no talk about anything new   ???

November 29, 2009, 09:19:58 am
Reply #2

cleanmx


November 29, 2009, 01:36:29 pm
Reply #3

SysAdMini

Quote from: CM_MWR
Hey Holger....

Any idea what they are targeting in Java?

I wonder because of the recent java update and little to no talk about anything new ???

As Gerhard said - they exploit CVE-2008-5353.
Quote
The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

Many people don't install Java updates, so it's a perfect attack vector. If you look at the control panel statistics, you can see that they are very successful.
The Java exploit is the most successful exploit.

November 29, 2009, 02:28:32 pm
Reply #4

CM_MWR

Indeed, that is why I asked about it; it was early a.m. here when I asked, just being lazy I s'pose.  :D

December 07, 2009, 08:05:31 am
Reply #5

SysAdMini


December 08, 2009, 09:16:29 pm
Reply #6

SysAdMini
