Phoenix Exploit’s Kit is a package with more continuity in crime scene crimeware. After all this tour is currently in the wild version 2.8 that, despite having a low activity since the last half of this year, remains one of the many Exploit Pack with greater preference for cyber-criminals.
Perhaps this “slack time” to have your response in high demand now has another crimeware of this style, which is arguably one of the players today: Black Hole Exploit Pack .
However, PEK has a similar licensing model, where the last version was released with an “alternative” to buy. This is Phoenix Exploit’s Kit 2.8 mini. Let us look briefly this alternative to crime which we could access through our Offensive Security Service CrimewareAttack.
The licensing model consists in the version Simple domain closed at a cost of USD 2.200, another version Multithreaded domain also closed to USD 2.700 and an extra-encryption service USD 40 (ReFUDing), already present from several versions back as part of the “added value”.
PEK Access Panel 2.8. Like previous versions, respects its policy of authentication through a single factor defined by a password that checks its integrity through its MD5 hash.
Basically this new version does not change its characteristics, at least in regards to its graphical interface and functionality in relation to previous versions. Each section shows the same flow crimeware and type of statistical information, minimalist yet concise, this being, though trivial, one of the main reasons for the adoption of Phoenix by cyber-criminals. Simply find the information they need to increase the level of success and attack strategies, and merge the functionality of this Exploit Pack with some Malware Kit as SpyEye or ZeuS.
What is the difference between full version and the mini version?
Basically, the business around licensing model above. In the case of the mini version, the model is subject to a domain under the simple mode, while the full version allows multitasking.
Perhaps this model does not say much in this way, but the reason for their existence is based on the possibility of using different business affiliates with different profiles from the full licensing model. In this way, criminals can expand its business coverage. While with the mini version is limited to a single user profile.
What is new about the exploits?
Basically not much. Everything happens for optimizing the code for exploits a success rate effective in the process of exploitation, adding the exploit for Java Runtime Environment to Trusted.
Also removed were the following exploits pre-compiled in version 2.7:
- Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
- Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869
- Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
- IEPeers Remote Code Execution – CVE-2009-0806
- Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
From M86 Security Lab have published this summer “Phoenix Exploit Kit (2.7) Continues to be updated“, describing the methodology of obfuscation that had already been using earlier versions. With this modification, the author sought to prevent monitoring of components of PEK and discover its structure, for example, during the research process.
Although it’s basically the same exploits (similar in all cases, including those incorporating other Exploits Pack in the wild), the author’s optimized for each version. In this case, includes the following exploits:
- Microsoft Data Access Components (MDAC) – CVE-2006-0003
- Adobe Reader LibTiff – CVE-2010-0188
- Adobe Reader Collab GetIcon – CVE-2009-0927
- Java SMB – CVE-2010-0746
- Java Runtime Environment Trusted – CVE-2010-0840
- Java Skyline Plug-in component in Oracle Java SE and Java for Business 6 – CVE-2010-3552
- Java Deployment Toolkit Component – CVE-2010-0886
Despite the optimization of the components for each version exploits, is striking and interesting that chain optimization and updating MDAC exploit remains the most domination, not only in this Exploit Pack it in any of the existing. What is the reason? Just a lack of maturity on the users (application, customers around the basic procedures update) that transforms him into a potential target and highly drinkable through this old, but effective vulnerability.
More information about Inside Phoenix Exploit’s Pack in other versions:
Phoenix Exploit’s Kit v2.1 Inside
Phoenix Exploit’s Kit v2.3 Inside
The graph shows some of the domains that the creators of Phoenix Exploit’s Kit used in 2011.
Review of the components that are part of Phoenix Exploit’s Kit 2.8 mini version
Simple statistics. The typical first screen displayed when accessing PEK. Display data of interest to cybercriminals uqe groups are behind its management: Browser (and version) most exploited, the number of compromised machines and exploits with the highest rate of success.
Advanced statistics. Information with a broader level of detail regarding compromised browsers and operating systems, along with information on the rate of success for each one of them.
Countries statistics. Information similar to the panels above but relevant data on the countries concerned.
Referer statistics. Information from reference sites to Phoenix Exploit’s Kit.
Upload. Exe files. Panel which is updated by the malware spread.
State of the art in Phoenix Exploit’s Kit (to 18/08/2010)
Includes up version 2.3r of Phoenix Exploit’s Kit v2.3r
Although some aspects of “subtle”, the truth is that virtually PEK changes in each version, and perhaps its simplicity of use is the key for which is still alive in a criminal environment where demand and competition is very strong. As in conventional business, but… the criminal side.
Crimeware Research TeamMalwareIntelligence | Crimeware Working Group
Leave a reply