PandaLabs reported that 34% of all malware ever created has appeared in the last ten months of 2010. Between all the malware development, packing and repacking, hackers were somehow able to make new exploit kits.
Here’s the first one, on which I have very little information. It may possibly be called “Impact Exploit Kit”. The exploit code is very similar to the code used by SEO Sploit Pack, so it is either an upgrade or a spinoff. I’m trying to get my hands on this pack.
Here’s the second one, which is unnamed. Below is a screenshot of the statistics page which shows over 2,850 loads (7.15% efficiency).
This screenshot shows the statistics by operating system.
This kit uses nine exploits (4 PDF, 2 IE, 1 Help, 2 Java) with the Java ROX exploit showing the highest efficiency rating. The exploits selected for this kit look to be the most effective ones from the Phoenix Exploit Kit (PEK) which is probably the best exploit kit out there today.
This kit frequently resides on co.cc domains and appears to be quite popular at the moment.
Here’s the obfuscated exploit code it uses:
There are three sections in the source code. The first part is up at the very top: the ‘host’ variable is assigned a URL that has been barraged with a garbage character ($) between every real character. The second part is a malicious JAR file that gets called. The third part is the remainder of the screen. There’s a bunch of misdirection (bogus variable assignments and comments), then a bunch of Q’s. The exploit code is interleaved with the Q’s, so all you need to do to recover it is search for the letter “Q” and replace it with “” (nothing).
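To save doing the search-and-replace by hand on every sample, here is an added analysis helper (my own example, not code from the kit or the post) that pulls the three pieces out of a page laid out this way: it strips the $ padding from the host URL, lists any JAR references, and removes the filler from lines dominated by a single character, so it generalises from “Q” to whatever letter a later build uses. The sample page, URL and file name are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample laid out the way the post describes: a host URL padded
# with '$', a JAR reference, decoy assignments and a comment, then code
# interleaved with 'Q'. URL, file name and code are placeholders, not kit code.
SAMPLE = (
    'var host = "h$t$t$p$:$/$/$e$x$a$m$p$l$e$.$i$n$v$a$l$i$d$/$";\n'
    'var app = "loader.jar";\n'
    '// decoy comment\n'
    'var width = 320; var height = 240;\n'
    'QQvQQaQQrQQ QQuQQ QQ=QQ QQhQQoQQsQQtQQ QQ+QQ QQaQQpQQpQQ;QQ\n'
)

HOST_RE = re.compile(r'\bhost\s*=\s*"([^"]*)"')
JAR_RE = re.compile(r'[\w./-]+\.jar\b')

def recover_host(text, filler="$"):
    """Return the 'host' URL with the filler character removed, or None."""
    m = HOST_RE.search(text)
    return m.group(1).replace(filler, "") if m else None

def find_jar_references(text):
    """List every .jar file name mentioned in the page."""
    return JAR_RE.findall(text)

def detect_filler(segment):
    """Most common non-whitespace character and its share of the segment."""
    counts = Counter(c for c in segment if not c.isspace())
    ch, n = counts.most_common(1)[0]
    return ch, n / sum(counts.values())

def analyze(text, threshold=0.5):
    """Strip padding from every line dominated by one character (the 'Q' block);
    lines below the threshold are left alone so decoy code is not mangled.
    Caveat: real code that also contains the filler loses those characters."""
    padded, filler = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        ch, share = detect_filler(line)
        if share >= threshold:
            padded.append(line.replace(ch, ""))
            filler = ch
    return {"host": recover_host(text), "jars": find_jar_references(text),
            "filler": filler, "code": "\n".join(padded)}
```

The threshold matters: the padded host line is only about 40% ‘$’, so it is left for `recover_host`, while the Q block is roughly three-quarters filler and gets stripped.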
There’s a third exploit kit that I found which I cover in another post.