Friday, May 14, 2010

Phoenix 2.0 Exploit kit

I normally do not post exploit packs, even partial ones, but I am posting this one because it appears to be the source of the Java files analyzed by InReverse. Read this for more details and the Java analysis.
The other possibility is Crimepack. Let me know if there are others; I may post them too.


Download Phoenix2.zip as a password-protected archive (contact me if you need the password).

List of included files

AdgredY.java    11895    416ff21ed3ddb4ce5665a4917964c5ce
all.js          5167     9432b83d52fc325f5bda83d58598e825    -- all of the listed exploits except newplayer (CVE-2009-4324)
deie.html       15097    a88f45102b57595d6c7b1cf2c2b4b241
flash.as        2746     718803346bbbed11e934c63af99c4a9f
ie.html         14939    1c8bd04644942a0f1832844ee4b44e63
newplayer.js    2595     a2344d3a54f26ae863011323a0973ac8    -- newplayer (CVE-2009-4324)


Filename           MD5                               Size (bytes)  CVE            Extension
flash.swf          C643C2B8E901E52C14A8D6CE8096E327  1,645                        swf
all.pdf            66BDB0DC68294890E359E91F1EF18D9E  2,677                        pdf
allv7.pdf          B948321DE93582951598F3BDDDCC5735  2,465                        pdf
collab.pdf         EF68F7B0018EDA2C149EF92EAAA666E2  2,012         CVE-2007-5659  pdf
geticon.pdf        1ED11F0EEE47135067F36E73FD5E889E  2,003         CVE-2009-0927  pdf
libtiff.pdf        E1E581CC0D817A808DC33CEB230F91B4  3,514         CVE-2010-0188  pdf
newplayer.pdf      37F28E5BE542AD2E32DA19EE5C44967C  1,975         CVE-2009-4324  pdf
printf.pdf         AF680ECCA07B3294553F672F78554588  1,907         CVE-2008-2992  pdf
index.js           B07E39D831F8EA3F8BCD84DCC9A60FFF  14,272                       js
des.jar            98F5ACDB21E8B8116FE5C7B4BA17D0E9  8,539                        jar
ie.html            30C1A7B87C419A1427932773642FEEE7  14,929        CVE-2009-3867  html
index.html         9939596B9BA5ECD4EE5FD648171EF01C  14,462                       html
vistaie7.html      E8888E4EDA75F6CE016A5FBA9BE02FA3  14,415                       html
vistan7ie8.html    6D11908E6CCC01B14ED0097561853F86  8,747                        html
vistan7other.html  3E4B94ED2A6ED5F7FF42165BB165A46B  13,734                       html
xpie7.html         EDE58120D8C76212E458898B348D2B80  14,420                       html
xpie8.html         A18CCEEE89E13B137C77F88688668CED  8,714                        html
xpother.html       355A809F8B5BDE1E511C628DD75CD871  14,129                       html

Flash exploits
CVE-2009-1869
CVE-2007-0071

PDF exploits
CVE-2007-5659
CVE-2009-0927
CVE-2010-0188
CVE-2009-4324
CVE-2008-2992

Internet Explorer exploits
CVE-2009-0806

Java exploits
CVE-2009-3867
CVE-2008-5353

Let me know if I missed any.

Java exploit (GetSoundBank): read InReverse's (Ratsoul's) posts for more information here or on their new blog here.
Also, see some malware links with this exploit here.

deie.html: MDAC exploit

Flashloader: uses object and embed tags for different browsers. Read this article for more details: http://borodin.livejournal.com/10471.html

ActionScript

IE 2010-0806

Some VirusTotal scans

http://www.virustotal.com/analisis/8e830691f67c49c99d18887ce39f59235d6203d9c5a55a327252f385ae89a2a5-1273807103
File des.jar received on 2010.05.14 03:18:23 (UTC)
Result: 26/41 (63.41%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.05.10     Trojan-Downloader.Java.OpenStream!IK
AntiVir     8.2.1.242     2010.05.13     EXP/Java.CVE-2009-3867.8861
Antiy-AVL     2.0.3.7     2010.05.13     Exploit/Java.CVE-2009-3867
Authentium     5.2.0.5     2010.05.13     Java/ByteVerify.E
Avast     4.8.1351.0     2010.05.13     Java:Agent-R
Avast5     5.0.332.0     2010.05.13     Java:Agent-R
AVG     9.0.0.787     2010.05.13     Exploit_c.DSO
Comodo     4835     2010.05.14     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.05.14     Exploit.Java.38
F-Prot     4.5.1.85     2010.05.13     Java/ByteVerify.E
F-Secure     9.0.15370.0     2010.05.14     Trojan:W32/Agent.DIYR
Ikarus     T3.1.1.84.0     2010.05.14     Trojan-Downloader.Java.OpenStream
Kaspersky     7.0.0.125     2010.05.14     Exploit.Java.Agent.f
McAfee     5.400.0.1158     2010.05.14     Exploit-CVE2009-3867
McAfee-GW-Edition     2010.1     2010.05.14     Exploit-ByteVerify
Microsoft     1.5703     2010.05.13     Exploit:Java/CVE-2009-3867
NOD32     5113     2010.05.13     Java/TrojanDownloader.Agent.NAM
Norman     6.04.12     2010.05.13     JS/Exploit.DD
PCTools     7.0.3.5     2010.05.14     Trojan.Generic
Sophos     4.53.0     2010.05.14     Troj/Clsldr-AE
Sunbelt     6301     2010.05.14     Trojan.Java.Agent.f (v)
Symantec     20101.1.0.89     2010.05.14     Trojan Horse
TrendMicro     9.120.0.1004     2010.05.13     TROJ_CLSLDR.A
TrendMicro-HouseCall     9.120.0.1004     2010.05.14     JAVA_DLAGENT.B
ViRobot     2010.5.13.2314     2010.05.13     JS.EX-CVE-2009-3867.8861
Additional information
File size: 8539 bytes
MD5: 98f5acdb21e8b8116fe5c7b4ba17d0e9



http://www.virustotal.com/analisis/2a964bfc4580762febe14db3702c2ca01cc0e1cb0a51b92da6641cb7733d21d5-1273806789
File all.pdf received on 2010.05.14 03:13:09 (UTC)
Result: 22/41 (53.66%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.50    2010.05.10    Exploit.JS.Pdfka!IK
AntiVir    8.2.1.242    2010.05.13    EXP/Pidief.bzr.1
Avast    4.8.1351.0    2010.05.13    JS:Pdfka-ACB
Avast5    5.0.332.0    2010.05.13    JS:Pdfka-ACB
BitDefender    7.2    2010.05.14    Trojan.Script.430112
ClamAV    0.96.0.3-git    2010.05.14    Exploit.PDF-27440
DrWeb    5.0.2.03300    2010.05.14    Exploit.PDF.821
eTrust-Vet    35.2.7487    2010.05.13    PDF/Pidief.QQ!exploit
F-Secure    9.0.15370.0    2010.05.14    Trojan.Script.430112
GData    21    2010.05.14    Trojan.Script.430112
Ikarus    T3.1.1.84.0    2010.05.14    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.05.14    Exploit.JS.Pdfka.bzr
McAfee    5.400.0.1158    2010.05.14    Exploit-PDF.ci
McAfee-GW-Edition    2010.1    2010.05.14    Exploit-PDF.ci
NOD32    5113    2010.05.13    PDF/Exploit.Gen
nProtect    2010-05-13.01    2010.05.13    Exploit.PDF-Payload.Gen
PCTools    7.0.3.5    2010.05.14    Trojan.Pidief
Sophos    4.53.0    2010.05.14    Mal/PDFJs-P
Symantec    20101.1.0.89    2010.05.14    Trojan.Pidief
TrendMicro    9.120.0.1004    2010.05.13    TROJ_PIDIEF.SMIG
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    TROJ_PIDIEF.SMIG
Additional information
File size: 2677 bytes
MD5: 66bdb0dc68294890e359e91f1ef18d9e




File allv7.pdf received on 2010.05.11 17:59:31 (UTC)
Result: 23/41 (56.10%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.05.10     Exploit.JS.Pdfka!IK
AntiVir     8.2.1.236     2010.05.11     EXP/Pidief.bzr.1
Avast     4.8.1351.0     2010.05.11     JS:Pdfka-ACB
Avast5     5.0.332.0     2010.05.11     JS:Pdfka-ACB
BitDefender     7.2     2010.05.11     Trojan.Script.430112
ClamAV     0.96.0.3-git     2010.05.11     Exploit.PDF-22642
Comodo     4824     2010.05.11     TrojWare.JS.Exploit.Pdfka
DrWeb     5.0.2.03300     2010.05.11     Exploit.PDF.821
F-Secure     9.0.15370.0     2010.05.11     Trojan.Script.430112
GData     21     2010.05.11     Trojan.Script.430112
Ikarus     T3.1.1.84.0     2010.05.11     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.05.11     Exploit.JS.Pdfka.bzr
McAfee     5.400.0.1158     2010.05.11     Exploit-PDF.ci
McAfee-GW-Edition     2010.1     2010.05.11     Exploit-PDF.ci
NOD32     5106     2010.05.11     PDF/Exploit.Gen
nProtect     2010-05-11.01     2010.05.11     Exploit.PDF-Payload.Gen
PCTools     7.0.3.5     2010.05.11     Trojan.Pidief
Rising     22.47.01.04     2010.05.11     Hack.Exploit.Script.PDF.brz
Sophos     4.53.0     2010.05.11     Mal/PDFJs-P
Symantec     20101.1.0.89     2010.05.11     Trojan.Pidief
TrendMicro     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
TrendMicro-HouseCall     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
ViRobot     2010.5.11.2310     2010.05.11     JS.S.EX-Pdfka.2465
Additional information
File size: 2465 bytes
MD5: b948321de93582951598f3bdddcc5735



http://www.virustotal.com/analisis/279853d0a060232834974a687753f37f8be432b05911d48d6bd62314256b6a16-1273603889
File collab.pdf received on 2010.05.11 18:51:29 (UTC)
Result: 23/41 (56.10%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.05.10     Exploit.JS.Pdfka!IK
AntiVir     8.2.1.236     2010.05.11     EXP/Pidief.bzr.1
Avast     4.8.1351.0     2010.05.11     JS:Pdfka-ACB
Avast5     5.0.332.0     2010.05.11     JS:Pdfka-ACB
BitDefender     7.2     2010.05.11     Trojan.Script.430112
ClamAV     0.96.0.3-git     2010.05.11     Exploit.PDF-22136
Comodo     4824     2010.05.11     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.05.11     Exploit.PDF.821
F-Secure     9.0.15370.0     2010.05.11     Trojan.Script.430112
GData     21     2010.05.11     Trojan.Script.430112
Ikarus     T3.1.1.84.0     2010.05.11     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.05.11     Exploit.JS.Pdfka.bzr
McAfee     5.400.0.1158     2010.05.11     Exploit-PDF.ci
McAfee-GW-Edition     2010.1     2010.05.11     Exploit-PDF.ci
NOD32     5106     2010.05.11     PDF/Exploit.Gen
nProtect     2010-05-11.01     2010.05.11     Exploit.PDF-Payload.Gen
PCTools     7.0.3.5     2010.05.11     Trojan.Pidief
Rising     22.47.01.04     2010.05.11     Hack.Exploit.Script.PDF.arv
Sophos     4.53.0     2010.05.11     Mal/PDFJs-P
Symantec     20101.1.0.89     2010.05.11     Trojan.Pidief
TrendMicro     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
TrendMicro-HouseCall     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
ViRobot     2010.5.11.2310     2010.05.11     JS.S.EX-Pdfka.2012.A
Additional information
File size: 2012 bytes
MD5: ef68f7b0018eda2c149ef92eaaa666e2



http://www.virustotal.com/analisis/4945a23872be7ca1849e84caed03ce7d25f9a3ab96886279337df03922cb7335-1273605310
File geticon.pdf received on 2010.05.11 19:15:10 (UTC)
Result: 22/41 (53.66%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.05.10     Exploit.JS.Pdfka!IK
AntiVir     8.2.1.236     2010.05.11     EXP/Pidief.bzr.1
Avast     4.8.1351.0     2010.05.11     JS:Pdfka-ACB
Avast5     5.0.332.0     2010.05.11     JS:Pdfka-ACB
BitDefender     7.2     2010.05.11     Trojan.Script.430112
ClamAV     0.96.0.3-git     2010.05.11     Exploit.PDF-22109
Comodo     4824     2010.05.11     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.05.11     Exploit.PDF.821
F-Secure     9.0.15370.0     2010.05.11     Trojan.Script.430112
GData     21     2010.05.11     Trojan.Script.430112
Ikarus     T3.1.1.84.0     2010.05.11     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.05.11     Exploit.JS.Pdfka.bzr
McAfee     5.400.0.1158     2010.05.11     Exploit-PDF.ci
McAfee-GW-Edition     2010.1     2010.05.11     Exploit-PDF.ci
NOD32     5106     2010.05.11     PDF/Exploit.Gen
nProtect     2010-05-11.01     2010.05.11     Exploit.PDF-Payload.Gen
PCTools     7.0.3.5     2010.05.11     Trojan.Pidief
Rising     22.47.01.04     2010.05.11     Hack.Exploit.Script.PDF.ari
Sophos     4.53.0     2010.05.11     Mal/PDFJs-P
Symantec     20101.1.0.89     2010.05.11     Trojan.Pidief
TrendMicro     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
TrendMicro-HouseCall     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
Additional information
File size: 2003 bytes
MD5: 1ed11f0eee47135067f36e73fd5e889e



http://www.virustotal.com/analisis/718084344d2e79d57a95bc1d3d2732b4ec6f6d2fb3cfd6615fa6a58e1872a598-1273606433
File libtiff.pdf received on 2010.05.11 19:33:53 (UTC)
Result: 12/41 (29.27%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.05.10     Exploit.Win32.Pdfjsc!IK
AntiVir     8.2.1.236     2010.05.11     EXP/Pidief.arx
Comodo     4825     2010.05.11     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.05.11     Exploit.PDF.816
Ikarus     T3.1.1.84.0     2010.05.11     Exploit.Win32.Pdfjsc
Kaspersky     7.0.0.125     2010.05.11     Exploit.Win32.Pidief.dck
Microsoft     1.5703     2010.05.11     Exploit:Win32/Pdfjsc.gen!B
PCTools     7.0.3.5     2010.05.11     Trojan.Pidief
Sophos     4.53.0     2010.05.11     Troj/PDFJs-JN
Symantec     20101.1.0.89     2010.05.11     Trojan.Pidief.I
TrendMicro     9.120.0.1004     2010.05.11     TROJ_PIDIEF.AAL
TrendMicro-HouseCall     9.120.0.1004     2010.05.11     TROJ_PIDIEF.AAL
Additional information
File size: 3514 bytes
MD5: e1e581cc0d817a808dc33ceb230f91b4


http://www.virustotal.com/analisis/b4c45b9c4f4614a0257f25bb092e34314bf23a395a3243876c93d8e5696ab43d-1273610040
File printf.pdf received on 2010.05.11 20:34:00 (UTC)
Result: 22/41 (53.66%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.05.10     Exploit.JS.Pdfka!IK
AntiVir     8.2.1.236     2010.05.11     EXP/Pidief.bzr.1
Avast     4.8.1351.0     2010.05.11     JS:Pdfka-ACB
Avast5     5.0.332.0     2010.05.11     JS:Pdfka-ACB
BitDefender     7.2     2010.05.11     Trojan.Script.430112
ClamAV     0.96.0.3-git     2010.05.11     Exploit.PDF-22128
Comodo     4825     2010.05.11     TrojWare.JS.Exploit.Pdfka
DrWeb     5.0.2.03300     2010.05.11     Exploit.PDF.821
F-Secure     9.0.15370.0     2010.05.11     Trojan.Script.430112
GData     21     2010.05.11     Trojan.Script.430112
Ikarus     T3.1.1.84.0     2010.05.11     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.05.11     Exploit.JS.Pdfka.bzr
McAfee     5.400.0.1158     2010.05.11     Exploit-PDF.ci
McAfee-GW-Edition     2010.1     2010.05.11     Exploit-PDF.ci
NOD32     5106     2010.05.11     PDF/Exploit.Gen
nProtect     2010-05-11.01     2010.05.11     Exploit.PDF-Payload.Gen
PCTools     7.0.3.5     2010.05.11     Trojan.Pidief
Rising     22.47.01.04     2010.05.11     Hack.Exploit.Script.PDF.arw
Sophos     4.53.0     2010.05.11     Mal/PDFJs-P
Symantec     20101.1.0.89     2010.05.11     Trojan.Pidief
TrendMicro     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
TrendMicro-HouseCall     9.120.0.1004     2010.05.11     TROJ_PIDIEF.SMIG
Additional information
File size: 1907 bytes
MD5: af680ecca07b3294553f672f78554588


http://www.virustotal.com/analisis/0a6096bc53b6ec06e77b28ff748783456cb957aa7b1bcfd489ca528d7b2d016b-1273809739
File ie.html received on 2010.05.14 04:02:19 (UTC)
Result: 9/41 (21.96%)
Antivirus    Version    Last Update    Result
AntiVir    8.2.1.242    2010.05.13    JS/Dldr.Agent.14939
Avast    4.8.1351.0    2010.05.13    JS:Downloader-QO
Avast5    5.0.332.0    2010.05.13    JS:Downloader-QO
AVG    9.0.0.787    2010.05.13    Exploit
BitDefender    7.2    2010.05.14    Trojan.Script.430511
F-Secure    9.0.15370.0    2010.05.14    Trojan.Script.430511
GData    21    2010.05.14    Trojan.Script.430511
Kaspersky    7.0.0.125    2010.05.14    Exploit.Win32.Pidief.dbx
nProtect    2010-05-13.01    2010.05.13    Trojan.Script.430511
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    -
Additional information
File size: 14929 bytes
MD5: 30c1a7b87c419a1427932773642feee7


http://www.virustotal.com/analisis/0495851197d4d5c22b0b0491e70e5a4d03006732038ac05017ab436f7c99fa90-1273812919
File flash.swf received on 2010.05.14 04:55:19 (UTC)
Result: 10/41 (24.4%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.05.10    Trojan.Exploit_c!IK
Antiy-AVL    2.0.3.7    2010.05.13    Exploit/SWF.Agent
AVG    9.0.0.787    2010.05.13    Exploit_c.DSP
Comodo    4835    2010.05.14    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.05.14    Exploit.SWF.162
F-Secure    9.0.15370.0    2010.05.14    Trojan:W32/Agent.DIYP
Ikarus    T3.1.1.84.0    2010.05.14    Trojan.Exploit_c
Kaspersky    7.0.0.125    2010.05.14    Exploit.SWF.Agent.dn
Norman    6.04.12    2010.05.13    SWF/Exploit.Y
nProtect    2010-05-13.01    2010.05.13    -
Sophos    4.53.0    2010.05.14    Troj/SWFLdr-P
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    -
Additional information
File size: 1645 bytes
MD5: c643c2b8e901e52c14a8d6ce8096e327



http://www.virustotal.com/analisis/e3582bb79f4265b0d7433c4755b0129410889a62b21f0a45a9ae8e72da22a123-1273814122
File index.js received on 2010.05.14 05:15:22 (UTC)
Result: 16/40 (40%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.05.10    Trojan-Downloader.Win32.Small!IK
AntiVir    8.2.1.242    2010.05.13    HTML/Shellcode.Gen
Avast    4.8.1351.0    2010.05.13    JS:ScriptUE-inf
Avast5    5.0.332.0    2010.05.13    JS:ScriptUE-inf
AVG    9.0.0.787    2010.05.13    JS/Downloader.Agent
BitDefender    7.2    2010.05.14    Trojan.Script.229497
Comodo    4836    2010.05.14    UnclassifiedMalware
F-Secure    9.0.15370.0    2010.05.14    Trojan.Script.229497
GData    21    2010.05.14    Trojan.Script.229497
Ikarus    T3.1.1.84.0    2010.05.14    Trojan-Downloader.Win32.Small
McAfee-GW-Edition    2010.1    2010.05.14    Heuristic.BehavesLike.Exploit.JS.CodeExec.EBEB
Microsoft    1.5703    2010.05.13    TrojanDownloader:Win32/Small.gen!C
nProtect    2010-05-13.01    2010.05.13    Trojan.Script.229497
Sophos    4.53.0    2010.05.14    Mal/JSShell-B
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    Expl_ShellCodeSM
VirusBuster    5.0.27.0    2010.05.13    JS.BOFExploit.Gen
Additional information
File size: 14272 bytes
MD5: b07e39d831f8ea3f8bcd84dcc9a60fff

4 comments:

  1. Hello

    What is the password?? Please

  2. Hi, I would like the password please. Send it to mongo787@yahoo.com

    Thanks

  3. All - please email me if you need a password. Do not post this in comments. Thanks

  4. Hello,

    can you post the entire ActionScript if you still have it?

    Thanks,