Unknown Exploit Pack Gets Updated

I tracked this exploit pack back in November. Several months later, the pack re-emerged but seemed to have been updated.

This is what the obfuscated JavaScript looked like back then. The top part had this gibberish, the middle section contained a lot of arrays, and at the end, the JavaScript code concatenated the parts after doing some XOR'ing. Back then, it used PDF, Java, Real, HCP, and WMV exploits.
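As an added example (not code from this post or from the pack), the code below statically decodes a layout like the older one described above: numeric arrays that are XOR'd and then concatenated. The sample script, the single-byte key, the variable names and the key-guessing step are constructed assumptions, and nothing from the sample is ever passed to eval.

```javascript
// Added example: static decoding of XOR'd array parts, nothing is eval'd.
// Assumption: parts are numeric arrays XOR'd with one single-byte key.
const KEY = 0x2a; // constructed key, used only to build the sample below
const enc = (s) => [...s].map((c) => c.charCodeAt(0) ^ KEY).join(",");

// Constructed sample in the layout the post describes: junk, arrays, joiner.
const SAMPLE = [
  "var junk = 'q#z@x!1';",
  `var a1 = [${enc("var plugins = ")}];`,
  `var a2 = [${enc("detect();")}];`,
  "eval(glue(a1, a2));",
].join("\n");

// Extract every numeric array literal by pattern matching on the text.
function extractArrays(src) {
  const re = /var\s+(\w+)\s*=\s*\[([\d\s,]+)\]/g;
  const parts = [];
  for (const m of src.matchAll(re)) {
    parts.push({ name: m[1], codes: m[2].split(",").map(Number) });
  }
  return parts;
}

// XOR each part with the key and concatenate in source order.
function decodeLayer(src, key) {
  return extractArrays(src)
    .map((p) => String.fromCharCode(...p.codes.map((c) => c ^ key)))
    .join("");
}

// When the key is unknown, try all 256 values and keep the one whose output
// is fully printable and contains the most JavaScript keywords.
function guessKey(src) {
  let best = { key: -1, score: 0 };
  for (let key = 0; key < 256; key++) {
    const text = decodeLayer(src, key);
    if (!/^[\x20-\x7e\r\n\t]+$/.test(text)) continue;
    const score = (text.match(/\b(var|function|return)\b/g) || []).length;
    if (score > best.score) best = { key, score };
  }
  return best.key; // -1 means no candidate key produced readable script
}

const recovered = guessKey(SAMPLE);
console.log(recovered, JSON.stringify(decodeLayer(SAMPLE, recovered)));
```

Each decoded layer can be fed back through the same functions if it contains further encoded arrays.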

Here's what it looks like this time around. It looks familiar.

The middle section contains variables instead of arrays. The bottom portion is the script that converts that middle section into another set of JavaScript code.

This new code decrypts the gibberish up at the top. Just paste that portion onto the bottom like so:

Now you can see the final code, which contains the exploits.

Unfortunately, I wasn't able to grab these other files to see exactly which exploits were being used, but since there was a lot of code overlap from the previous version, I'm sure most are the same.

Here's the login screen to the panel.

Anyone know what pack this is?

Posted on: 09/08/2011