Malware Domain List
Malware Related => Malware Analysis => Topic started by: SysAdMini on November 28, 2009, 05:25:29 pm
-
We have seen an increasing number of sites that contain a new exploit kit.
Features / characteristics of the kit:
-obfuscated script at /index.html
-3 exploits : MDAC, PDF, Java
-pdf exploit at /pdf.php
-java exploit at /files/sdfg.jar
-payload at /feedback.php
-control panel at /admin.php, title of login dialog is "Multiplex Corporation Ltd"
Today one of our members (thanks Mike) figured out the credentials for one site.
We were able to login and now we know the name of the kit. It is Justexploit.
Examples:
http://www.malwaredomainlist.com/mdl.php?search=justexploit&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=feedback.php%3Fpage&colsearch=All&quantity=50&inactive=on
http://wepawet.cs.ucsb.edu/view.php?hash=fb8d4c9c934c9b2e972f8210d4ec8f1d&t=1259356561&type=js
Here is a screenshot of the control panel.
http://img69.imageshack.us/img69/8492/justexploit.jpg
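The URL layout listed above (landing page, pdf.php, files/sdfg.jar, feedback.php) is enough to hunt for the kit in proxy logs. The script below is an added example, not code from the thread or from the kit itself: it scans constructed proxy log lines for that chain and reports each client/host pair where an exploit stage and the payload fetch were both served. The log format, hostnames and sample lines are assumptions made for illustration.

```python
"""Flag Justexploit-style request chains in web proxy logs.

Added example, not code from the original thread or the kit. It looks for
the URL layout the post lists for the kit: a landing page at /index.html,
the exploits at /pdf.php and /files/sdfg.jar, and the payload fetch at
/feedback.php (the "feedback.php?page" pattern from the MDL search). The
log format and all sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Path-only patterns for each stage; the query string is stripped first.
KIT_STAGES = {
    "landing": re.compile(r"^/(?:index\.html?)?$"),
    "pdf":     re.compile(r"^/pdf\.php$"),
    "java":    re.compile(r"^/files/sdfg\.jar$"),
    "payload": re.compile(r"^/feedback\.php$"),
}

# Assumed proxy log format: "<client_ip> <host> <path[?query]> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: one full chain, one benign site that happens to
# have a feedback.php, and one jar request that was never served (404).
SAMPLE_LOG = """\
10.0.0.5 badsite.example /index.html 200
10.0.0.5 badsite.example /pdf.php 200
10.0.0.5 badsite.example /files/sdfg.jar 200
10.0.0.5 badsite.example /feedback.php?page=3 200
10.0.0.7 www.example.org /index.html 200
10.0.0.7 www.example.org /feedback.php 200
10.0.0.9 badsite.example /files/sdfg.jar 404
""".splitlines()


def parse_line(line):
    """Split one log line into (client, host, url, status); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, host, url, status = m.groups()
    return client, host, url, int(status)


def classify(url):
    """Return the kit stage a request path matches, or None."""
    path = url.split("?", 1)[0]
    for stage, pattern in KIT_STAGES.items():
        if pattern.match(path):
            return stage
    return None


def scan(lines):
    """Return one hit per (client, host) where the client successfully fetched
    at least one exploit stage (pdf or java) AND the payload from that host.
    A landing page or a lone feedback.php is not enough: both are common on
    legitimate sites, so requiring exploit + payload keeps false positives down."""
    stages_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, url, status = rec
        if not 200 <= status < 300:      # only count requests that were served
            continue
        stage = classify(url)
        if stage:
            stages_seen[(client, host)].add(stage)

    hits = []
    for (client, host), stages in sorted(stages_seen.items()):
        if stages & {"pdf", "java"} and "payload" in stages:
            hits.append({"client": client, "host": host,
                         "stages": sorted(stages)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} hit {hit['host']}: {', '.join(hit['stages'])}")
```

Requiring an exploit stage plus the payload fetch from the same host is deliberate: /index.html and a feedback.php exist on plenty of harmless sites, so a single path match on its own would mostly produce noise.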
-
Hey Holger....
Any idea what they are targeting in Java?
I wonder because of the recent Java update, and there has been little to no talk about anything new ???
-
hi @all
to get them all:
http://support.clean-mx.de/clean-mx/viruses.php?sort=id%20desc&response=alive&limit=0,1000&url=%jar
mostly: "Exploit:Java/CVE-2008-5353.B"
-- gerhard
-
Hey Holger....
Any idea what they are targeting in Java?
I wonder because of the recent Java update, and there has been little to no talk about anything new ???
As Gerhard said, they exploit CVE-2008-5353 (http://secunia.com/advisories/cve_reference/CVE-2008-5353/).
The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".
Many people don't install Java updates, so it's a perfect attack vector. If you look at the control panel statistics, you can see that they are very successful.
The Java exploit is the most successful one.
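Because the affected ranges in the advisory text above are per release family (6 Update 10, 5.0 Update 16, 1.4.2_18), a quick way to find exposed machines is to compare the string `java -version` prints against those bounds. The script below is an added example, not from the thread or the advisory: it parses such version strings and triages a constructed host inventory. Function names, the inventory and the banner lines are assumptions; families the advisory does not list (e.g. 1.7) are reported as unknown rather than guessed.

```python
"""Check reported Java versions against the CVE-2008-5353 affected ranges.

Added example, not from the original thread. It parses the version string
that `java -version` prints (e.g. 1.6.0_10) and compares it with the ranges
quoted in the post: JDK/JRE 6 Update 10 and earlier, 5.0 Update 16 and
earlier, and 1.4.2_18 and earlier. Families the advisory does not name
(e.g. 1.7) are reported as None rather than guessed. Function names, the
inventory dict and the banner lines are constructed for illustration.
"""
import re

# Last affected update per release family, from the advisory text in the thread.
LAST_AFFECTED_UPDATE = {
    (1, 6, 0): 10,   # 6 Update 10
    (1, 5, 0): 16,   # 5.0 Update 16
    (1, 4, 2): 18,   # 1.4.2_18
}

# Matches 1.6.0_10, 1.5.0_22, 1.4.2 (no update) inside a banner or on its own.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) from a `java -version` banner or a
    bare version string; None if no version is present. A missing update
    number counts as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def affected_by_cve_2008_5353(version):
    """True/False for families the advisory lists, None for any other family."""
    family, update = version[:3], version[3]
    if family not in LAST_AFFECTED_UPDATE:
        return None
    return update <= LAST_AFFECTED_UPDATE[family]


def triage_inventory(banners):
    """Map host -> 'affected' / 'patched' / 'unknown' from stored banners."""
    result = {}
    for host, banner in banners.items():
        version = parse_java_version(banner)
        verdict = None if version is None else affected_by_cve_2008_5353(version)
        result[host] = {True: "affected", False: "patched"}.get(verdict, "unknown")
    return result


# Constructed banners in the shape `java -version` prints them.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_10"\nJava(TM) SE Runtime Environment (build 1.6.0_10-b33)',
    "ws-02": 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)',
    "ws-03": 'java version "1.5.0_16"',
    "ws-04": 'java version "1.4.2_19"',
    "ws-05": "java: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

Note that "unknown" is kept separate from "patched" on purpose: a host whose banner could not be parsed, or a family outside the advisory's list, should be looked at by hand rather than silently counted as safe.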
-
Indeed, that is why I asked about it; it was early a.m. here when I asked, just being lazy I suppose. :D
-
Poking at the Justexploit kit Part1
http://perpetualhorizon.blogspot.com/2009/12/poking-at-justexploit-kit-part-1.html
-
Poking at the Justexploit kit Part2
http://perpetualhorizon.blogspot.com/2009/12/poking-at-justexploit-kit-part-2.html