New (Unknown) Exploit Kit

A new exploit kit is being used though it doesn’t seem as popular as Incognito, Black Hole, and others. I don’t know the name of it but the malicious Javascript it uses is quite the piece of work.

Here’s the top part of the script. The technique it’s using here is to switch the characters around.

Near the bottom of the script is the second section that uses another technique. This code XORs a bunch of decimals. What’s new here is that it uses a different XOR value for each section.

You have to deobfuscate the bottom part first to be able to decrypt the top portion. If you do this right, you end up with the following code.

Then you add the top part over to this script and you can decrypt the entire code.

The final code uses several exploits to compromise a PC during its drive-by: Java, Acrobat (two versions), and HCP using Real and Windows Media Player.

By the way, I did want to thank the two people who were kind enough to share their kits with me. While the kits weren’t new, they will still provide me several hours of research fun. If there are others who are willing to share (especially if they have Incognito), please send me an email.

This entry was posted in Exploit Packs, Malscript and tagged . Bookmark the permalink.