First off, many thanks go out to Paul for doing all of the legwork on this new discovery!
A new pack has emerged called EgyPack.
The malicious link points to what looks like a JPEG file (careful, it may still be live):
But it’s hardly an image file:
Here are some shots that show a cleaned-up version of the code:
There were several obfuscation methods used in this code, but it was predominantly character replacements wrapped in an onion. After peeling one of the three layers, you get this. I would say that this is the heart of their decryption routine.
Here’s an example of one portion of the code that gets transformed twice to get to the final code:
The Java exploit appears to be CVE-2010-0886 and downloads a DLL file called “jvm.dll”. When you disassemble this file, you will find that it too is a downloader.
It does a GET with the user-agent string of “Egypack/1.0” and a keep-alive time of 300, then drops a binary file called “egy.exe” to the %appdata% folder. Unfortunately, the site was not working, so I can’t confirm its behavior nor what the final malware was.
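The two network indicators described above (a script served under a .jpg name, and the second-stage downloader’s “Egypack/1.0” user-agent fetching jvm.dll) can be turned into a simple triage check over captured HTTP exchanges. This is an added example, not code from the post or from the kit; the hostnames and the sample bodies are constructed placeholders.

```python
import re

# Constructed sample traffic (not captured from the real kit): a fake-JPEG landing
# page, the jvm.dll second-stage fetch, and a benign real JPEG for contrast.
SAMPLE_EXCHANGES = [
    {
        "url": "http://landing.example.invalid/img/photo.jpg",  # placeholder host
        "request_headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
        "body": b"<html><script>var a=String.fromCharCode(...)</script>",
    },
    {
        "url": "http://c2.example.invalid/jvm.dll",  # placeholder host
        "request_headers": {"User-Agent": "Egypack/1.0", "Keep-Alive": "300"},
        "body": b"MZ\x90\x00" + b"\x00" * 60,  # PE header, constructed
    },
    {
        "url": "http://photos.example.invalid/real.jpg",  # placeholder host
        "request_headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
        "body": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    },
]

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXT = re.compile(r"\.jpe?g(\?.*)?$", re.IGNORECASE)

def looks_like_fake_image(url, body):
    """URL claims to be a JPEG but the returned bytes are not a JPEG."""
    return bool(IMAGE_EXT.search(url)) and not body.startswith(JPEG_MAGIC)

def matches_egypack_downloader(headers):
    """Downloader fingerprint from the post: UA 'Egypack/1.0' (Keep-Alive 300 also seen)."""
    return headers.get("User-Agent", "").startswith("Egypack/")

def triage(exchanges):
    """Return (url, reason) findings for every suspicious exchange."""
    findings = []
    for ex in exchanges:
        if looks_like_fake_image(ex["url"], ex["body"]):
            findings.append((ex["url"], "non-JPEG content served under .jpg"))
        if matches_egypack_downloader(ex["request_headers"]):
            findings.append((ex["url"], "EgyPack downloader user-agent"))
        if ex["url"].lower().endswith("/jvm.dll") and ex["body"].startswith(b"MZ"):
            findings.append((ex["url"], "PE delivered as jvm.dll"))
    return findings

if __name__ == "__main__":
    for url, reason in triage(SAMPLE_EXCHANGES):
        print(f"{reason}: {url}")
```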
Here’s a link to a Pastebin of one of the files of the pack: