New Exploit Pack

A new exploit pack is being used in the wild. This one was linked to malvertisements that were appearing on popular sites. Here’s one of them:

Here’s the infection chain:

Let’s have a closer look at that second file. At the bottom, we see a 1px-by-1px iframe being created:

After the redirect, you land on this webpage, which enumerates your available plug-ins.

At the bottom, you’ll see obfuscated JavaScript. Several redirectors and exploit packs use this exact method, so maybe there’s some code sharing going on.

After you deobfuscate this, you’ll end up with this:

You can see that it deploys the typical cocktail of Java and PDF exploits. If anyone knows the name of this new pack, please let me know.
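A triage check for the 1px-by-1px iframe redirect described above, as an added example that is not code from the original post or from the exploit pack. It is a heuristic: the function names, the sample page and the `example.invalid` host are all constructed for illustration.

```javascript
// Added example: flag iframes that are 0-1px in both dimensions or hidden by CSS,
// whether they appear as markup or inside a script string (e.g. document.write).
const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
const CSS_HIDDEN = /(?:display\s*:\s*none|visibility\s*:\s*hidden)/i;
const SRC_ATTR = /(?<![-\w])src\s*=\s*\\?["']?([^"'\s>\\]+)/i;

// Pixel value of width/height given as an attribute (width="1", width=\"1\")
// or inline CSS (width: 1px). Percentages and other units return null.
function dimension(tagBody, name) {
  const re = new RegExp(
    `(?<![-\\w])${name}\\s*[:=]\\s*\\\\?["']?\\s*(\\d+(?:\\.\\d+)?)(?:px)?(?![\\d.%a-z])`, 'i');
  const m = re.exec(tagBody);
  return m ? parseFloat(m[1]) : null;
}

// Return one finding per suspicious iframe: offset in the source, src, reasons.
function findHiddenIframes(source) {
  const findings = [];
  for (const m of source.matchAll(IFRAME_TAG)) {
    const body = m[1];
    const w = dimension(body, 'width');
    const h = dimension(body, 'height');
    const reasons = [];
    if (w !== null && h !== null && w <= 1 && h <= 1) reasons.push(`size ${w}x${h}`);
    if (CSS_HIDDEN.test(body)) reasons.push('hidden by CSS');
    if (reasons.length === 0) continue;
    const src = SRC_ATTR.exec(body);
    findings.push({ offset: m.index, src: src ? src[1] : null, reasons });
  }
  return findings;
}

// Constructed sample page; example.invalid is a placeholder host.
const SAMPLE = [
  '<html><body><iframe src="https://example.invalid/player" width="640" height="360"></iframe>',
  '<script>document.write("<iframe src=\\"http://example.invalid/in.php\\" width=\\"1\\" height=\\"1\\" frameborder=\\"0\\"></iframe>");</script>',
  '<iframe src="http://example.invalid/t" style="width: 100%; height: 1px; visibility:hidden"></iframe>',
  '</body></html>',
].join('\n');

console.log(findHiddenIframes(SAMPLE));
```

Run it over both the raw response and the deobfuscated script, since a tag that is only assembled at runtime will not appear in the raw source.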


3 Responses to New Exploit Pack

  1. hadden says:

    Seems Blackhole exploit kit??? Would you please share related samples (raw, decoded…) with me? Thanks!

    Here you go: http://pastebin.com/XP3dvG7Y

  2. Strongly suggest adding a “google+” button for the blog!

  3. Pingback: Actus Sécurité Confirmé 2011 S50 | La Mare du Gof
