ScriptKiddieSec broke the news about a new exploit pack called “Best Pack”. Rumor has it that this is the successor of Dragon Pack. I still can’t find the original Dragon Pack so if there’s anyone willing to share, please send it to me!
You can see at the top of the page that it calls two external JS files. The “pda.js” file detects browser plug-ins. The “foo.js” file uses object-oriented programming to execute the malicious code.
One line of the code was particularly interesting because I had never seen it used before (note the use of the plus-sign at the beginning):
If I remove the plus-sign, the script doesn’t work! After doing some research, I found this article which describes this new calling method instead of doing it the regular way like so:
or just this:
In this article, there was a sample script and many of its components were found in this exploit pack’s code.
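The snippets referred to above are not reproduced on this page, so the following is an added example, not code from the exploit pack or the article. It assumes the plus-sign line is a unary-operator-prefixed immediately invoked function expression, shows why dropping the operator breaks parsing, and includes a small triage helper (the names `parses` and `findOperatorIifes` are hypothetical) for spotting the form in a script under analysis.

```javascript
// Added illustration; not code from the exploit pack or the cited article.
// Assumption: the plus-sign construct is a unary-operator-prefixed IIFE.

// True if `src` compiles as a function body. Nothing is executed.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// At statement start, `function` opens a declaration, so a trailing `()` is a
// syntax error. A leading operator or parentheses force an expression instead.
const FORMS = {
  bare: "function () { return 1; }();",
  plus: "+function () { return 1; }();",
  parenOutside: "(function () { return 1; })();",
  parenInside: "(function () { return 1; }());",
};

// Triage helper: flag statements that start with an operator-prefixed function
// expression, a form minified and obfuscated scripts often use.
const OPERATOR_IIFE = /(^|[;{}\n])\s*([+\-!~]|void\s|typeof\s)\s*function\b/g;

function findOperatorIifes(src) {
  const hits = [];
  for (const m of src.matchAll(OPERATOR_IIFE)) {
    const line = src.slice(0, m.index + m[0].length).split("\n").length;
    hits.push({ line, operator: m[2].trim() });
  }
  return hits;
}

// Constructed sample input (harmless), not taken from the pack.
const SAMPLE = [
  "var a = 1;",
  "+function () { a = 2; }();",
  "(function () { a = 3; })();",
  "!function () { a = 4; }();",
  "var b = 1 + function () { return 1; }();",
].join("\n");

for (const [name, src] of Object.entries(FORMS)) {
  console.log(name.padEnd(12), parses(src) ? "parses" : "SyntaxError");
}
console.log(findOperatorIifes(SAMPLE));
```

The helper is a line-level heuristic for triage, not a parser: it will also match the pattern inside strings or comments.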
Anyway back to the exploit script…
After you decrypt the script, you will end up with this:
There were nine major functions that would execute the various exploits. These functions are called in reverse order. From what I could make out, these are the exploits being used:
- CVE-2011-0611 (Flash 10)
- CVE-2010-0188 (LibTiff)
- CVE-2010-0842 (Java Midi)
- CVE-2010-0840 (Java Trust)
- CVE-2010-0886 (Java SMB)
- CVE-2010-3552 (Java Skylined)
- CVE-2008-2463 (IE Snapshot)
- CVE-2006-0003 (IE MDAC)
Here’s a screenshot of the panel (thanks again ScriptKiddieSec):
This exploit pack appears to be offered as a rental service for $25 per day.