Justexploit kit

[SysAdMini]

We have seen an increasing number of sites that contain a new exploit kit.

features /characteristics of the kit :

-obfuscated script at /index.html
-3 exploits : MDAC, PDF, Java
-pdf exploit at /pdf.php
-java exploit at /files/sdfg.jar
-payload at /feedback.php
-control panel at /admin.php, title of login dialog is "Multiplex Corporation Ltd"

Today one of our members (thanks Mike) figured out the credentials for one site.
We were able to login and now we know the name of the kit. It is Justexploit.

Examples :
http://www.malwaredomainlist.com/mdl.php?search=justexploit&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=feedback.php%3Fpage&colsearch=All&quantity=50&inactive=on
http://wepawet.cs.ucsb.edu/view.php?hash=fb8d4c9c934c9b2e972f8210d4ec8f1d&t=1259356561&type=js

Here is a screenshot of the control panel.

[CM_MWR]

Hey Holger....

Any idea what they are targetting in Java?

I wonder because of the recent java update and little to no talk about anything new   

[cleanmx]

hi @all

to get them all:

http://support.clean-mx.de/clean-mx/viruses.php?sort=id%20desc&response=alive&limit=0,1000&url=%jar

mostly: "Exploit:Java/CVE-2008-5353.B"

-- gerhard

[SysAdMini]

Hey Holger....

Any idea what they are targetting in Java?

I wonder because of the recent java update and little to no talk about anything new  

As Gerhard said - they exploit CVE-2008-5353.

The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

Many people don't install Java updates, so it's a perfect attack vector. If you look at control panel statistics, you can see that they are very succesful.
Java exploit is the most successful exploit.

[CM_MWR]

Indeed, is why I asked about it, was early a.m. here when I asked, just being lazy I spose. 

[SysAdMini]

Poking at the Justexploit kit Part1
http://perpetualhorizon.blogspot.com/2009/12/poking-at-justexploit-kit-part-1.html

[SysAdMini]

Poking at the Justexploit kit Part2
http://perpetualhorizon.blogspot.com/2009/12/poking-at-justexploit-kit-part-2.html