Another New Exploit Pack

A new exploit pack is being used in the wild. This one was linked to malvertisements that were appearing on popular sites. Here’s one of them:

Here’s the infection chain:

Let’s have a closer look at that second file. At the bottom, we see a 1px-by-1px iframe being created:

After you get redirected, you’ll end up on this webpage. This checks out your available plug-ins.

At the bottom, you’ll see obfuscated Javascript. Several redirectors and exploit packs are using this exact method so maybe there’s some code sharing going on.

After you deobfuscate this, you’ll end up with this:

You can see that it deploys the typical cocktail of Java and PDF exploits. If anyone knows the name of this new pack, please let me know.

Posted on: 12/15/2011