Tag Archives: Exploit Kit

KaiXin Exploit Kit Evolutions

05/12/2012Reverse EngineeringCVE-2011-3544, CVE-2012-0507, CVE-2012-0754, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681, CVE-2012-5076, EK, Exploit Kit, Java, Java 0day, KaiXin, Microsoft, Oracle, Oracle Java 0day, Reader, Reader 0daywow

Beginning August, Kahu Security discovered a new Chinese named KaiXin EK (Exploit Kit). This exploit kit was using, like his brother in blood Gong Da (Gondad) EK, javascript obfuscation “Yszz vip“.

The August version of KaiXin was supporting:

CVE-2011-3544 : An Oracle Java vulnerability fixed during October 2011 CPU.
CVE-2012-0507 : An Oracle Java vulnerability fixed during February 2012 CPU.
CVE-2012-1723 : An Oracle Java vulnerability fixed during June 2012 CPU.
CVE-2012-0754 : An Adobe Reader vulnerability fixed in APSB12-03.
CVE-2012-1889 : An Microsoft XML Core Service vulnerability fixed in MS12-043.

November version of KaiXin has involve by removing support of Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities, and adding support of Oracle Java CVE-2012-1723 (fixed in Jun 2012 CPU), of Oracle Java CVE-2012-4681 (fixed in End August Oracle Security Alert) and of Oracle Java CVE-2012-5076 (fixed in October 2012 CPU).

Here under a VirusTotal analysis of all involved files:

gS19tbEF.jpg (eef74c38121c225ab4d7f1d2bbb0369a) – 9/46 : CVE-2011-3544
lXjOhqg.jpg (16e2c0a9f6636f9698e4dbe2f56551a9) – 22/46 : CVE-2012-1723
obDb9.jpg (ac8085d9ec48770511c82065d6947eb7) – 27/41 : CVE-2012-4681
MMWYD.jpg (684acb532179d99733273b79c4382b39) – 5/46 : CVE-2012-5076
WysBRr.html (f018e5adf65c0841e58ba9c69703e6d4) – 6/45 : CVE-2012-1889
JSZlR.html (7282d761c60541ad3edf7e480807bcb6) – 3/46 : CVE-2012-1889
rar.css (c11b39439a1eda6923feefcad3993d22) – 18/43 : HEUR:Trojan.Win32.Generic
top.html (13a5c097c74012a6f16fe9a866bee74e) – 2/46 : KaiXin.A

The following diagram describe you the way November version of KaiXin EK is working.

Cool Exploit Kit Remove Support of Java CVE-2012-1723

02/12/2012Reverse EngineeringCool, EK, Exploit Kit, Java, Oraclewow

Beginning November, @Kafeine discovered that Cool EK (Exploit Kit) had integrate an exploit for a Oracle Java vulnerability fixed in 7U9. The new exploit was exploiting CVE-2012-5076 vulnerability through the “new.jar” file.

November version of Cool EK was supporting :

CVE-2011-3402 : A Win32 (32size_font.eot – 12/46) and a Win64 version (64size_font.eot – 8/42). This Microsoft TrueType font parsing engine vulnerability was first discovered exploited in Stuxnet.
CVE-2012-1723 : An Oracle Java vulnerability fixed during June 2012 CPU. This vulnerability is exploited through “file.jar” 18/46.
CVE-2012-5076 : An Oracle Java vulnerability fixed during October 2012 CPU and discovered exploited in the wild by @Kafeine. This vulnerability is exploited through “new.jar” 28/46.
CVE-2010-0188 : An Adobe Reader vulnerability fixed in APSB10-07. This vulnerability is exploited through “pdf_new.php” 26/46.
CVE-2011-2110 : An Adobe Flash vulnerability fixed in APSB11-18. This vulnerability is exploited through “flash.swf” 18/46.
CVE-2011-0611 : An Adobe Flash vulnerability fixed in APSB11-07. This vulnerability is exploited through “field.swf” 19/46 and “score.swf” 13/45.
“pdf_old.php” 21/41 is exploiting a cocktail of vulnerabilities in Adobe Reader (CVE-2007-5659 / CVE-2008-2992 / CVE-2009-0927 / CVE-2009-4324).

The following diagram describe you the way November version of Cool EK was working.

Since few days, Cool EK has involve by removing support of Oracle Java CVE-2012-1723 vulnerability, replacing “new.jar” file with a “java.php” streamed file. The new “java.php” is only catched by 3/44 anti-viruses on VirusTotal. November version, aka “new.jar” was catched by 28/46 anti-viruses on VirusTotal.

In November version “file.jar” requested “myfile.dll” through “/r/f.php?k=1&e=0&f=0” request and “new.jar” requested the same DLL file through “/r/f.php?k=2&e=0&f=0” request. All these requests have been replaced, in the December version, with a unique request to “/r/f.php?k=1“.

The following diagram describe you the way December version of Cool EK is working.

Gong Da / Gondad Exploit Pack Add Adobe Flash CVE-2012-1535 Support

24/11/2012Reverse EngineeringAdobe, EK, Exploit Kit, Flash, Gondad, Gong Dawow

Gong Da exploit kit is involving, after integration of the CVE-2012-5076 Java vulnerability (Java Applet JAX-WS) one week ago, the EK is now preparing integration for Adobe Flash vulnerability CVE-2012-1535 fixed in APSB12-18 patch.

This new version was discovered on “hxxp://coa.ains.co.kr/css/css.html” and on “hxxp://www.dcpccdrw.com/asdf/index.html” web sites who is actually still online.

“coa.ains.co.kr” seem to be a legit web site and is hosted on 221.143.50.201, AS9318, in South Korea. “dcpccdrw.com” is hosted on 174.37.172.69, AS36351, in US. “dcpccdrw.com” domain name was created the 2012-11-23, through name.com registrar, for “tao wen ([email protected])“.

“index.html” and “css.html” file containing JavaScript code are obfuscated by “JSXX VIP JS Obfuscator“.

After de-obfuscation of the HTML files you can see that Gong Da Pack has involve to the following diagram.

Gong Da / Gondad Exploit Pack Add Java CVE-2012-5076 support

17/11/2012Reverse EngineeringEK, Exploit Kit, Gondad, Gong Da, Java, Oraclewow

You may have read my first blog post regarding the evolutions of Gong Da exploit kit, who has involve in a more complex EK by supporting most of the latest Oracle Java vulnerabilities like CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (Oracle Java August 0day), CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services). Some previous versions of Gong Da EK had also support for CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Media), but it seem that the new version don’t use them anymore.

After Cool EK and BlackHole EK, Gong Da EK has integrate the exploitation of the Java vulnerability aka CVE-2012-5076 (Java Applet JAX-WS). This vulnerability, patched in version 7U9 of Oracle Java is affecting all version of Oracle Java from 7 to 7U7.

This new version was discovered on “hxxp://rdp.nhgdeerw.com/rdp/index.html” a web site how is actually still online.

“rdp.nhgdeerw.com” is hosted on 173.208.189.170, AS32097, in US and “wangmazz.com” domain name was created the 2012-11-17, through name.com registrar, for “tao we ([email protected])“.

The “index.html” file containing JavaScript code obfuscated by “JSXX VIP JS Obfuscator“ is recognized only by 8 on 44 anti-viruses on VirusTotal.com.

/*Encrypt By ndtw.wmdottw.com’s JSXX 0.44 VIP*/

After de-obfuscation of the “index.html” file you can see that Gong Da Pack has involve to the following diagram.

Here under some information s regarding the different files:

MWCxT0.jpg (aka CVE-2012-5076) : 2/44 on VirusTotal.com
aWxsX0.jpg (aka CVE-2011-3544) : 7/44 on VirusTotal.com
kCyrwe1.jpg (aka CVE-2012-0507) : 10/44 on VirusTotal.com
RQnRD3.jpg (aka CVE-2012-1723) : 21/44 on VirusTotal.com
pujF8.jpg (aka CVE-2012-4681) : 28/44 on VirusTotal.com

Eric Romang Blog

aka wow on ZATAZ.com

Tag Archives: Exploit Kit

KaiXin Exploit Kit Evolutions

Cool Exploit Kit Remove Support of Java CVE-2012-1723

Gong Da / Gondad Exploit Pack Add Adobe Flash CVE-2012-1535 Support

Gong Da / Gondad Exploit Pack Add Java CVE-2012-5076 support