I normally do not post exploit packs, even partial ones, but I am posting this one because it appears to be the source of the Java files analyzed by InReverse. Read this for more details and the Java analysis.
The other possibility is Crimepack. Let me know if there are others; I may post them too.
Download Phoenix2.zip as a password protected archive (contact me if you need the password).
List of included files

Filename | File Size | MD5 | Notes
---|---|---|---
AdgredY.java | 11,895 | 416ff21ed3ddb4ce5665a4917964c5ce | |
all.js | 5,167 | 9432b83d52fc325f5bda83d58598e825 | all listed exploits except newplayer (CVE-2009-4324)
deie.html | 15,097 | a88f45102b57595d6c7b1cf2c2b4b241 | |
flash.as | 2,746 | 718803346bbbed11e934c63af99c4a9f | |
ie.html | 14,939 | 1c8bd04644942a0f1832844ee4b44e63 | |
newplayer.js | 2,595 | a2344d3a54f26ae863011323a0973ac8 | newplayer (CVE-2009-4324)
Filename | MD5 | File Size | CVE | Extension
---|---|---|---|---
flash.swf | C643C2B8E901E52C14A8D6CE8096E327 | 1,645 | | swf
all.pdf | 66BDB0DC68294890E359E91F1EF18D9E | 2,677 | | pdf
allv7.pdf | B948321DE93582951598F3BDDDCC5735 | 2,465 | | pdf
collab.pdf | EF68F7B0018EDA2C149EF92EAAA666E2 | 2,012 | CVE-2007-5659 | pdf
geticon.pdf | 1ED11F0EEE47135067F36E73FD5E889E | 2,003 | CVE-2009-0927 | pdf
libtiff.pdf | E1E581CC0D817A808DC33CEB230F91B4 | 3,514 | CVE-2010-0188 | pdf
newplayer.pdf | 37F28E5BE542AD2E32DA19EE5C44967C | 1,975 | CVE-2009-4324 | pdf
printf.pdf | AF680ECCA07B3294553F672F78554588 | 1,907 | CVE-2008-2992 | pdf
index.js | B07E39D831F8EA3F8BCD84DCC9A60FFF | 14,272 | | js
des.jar | 98F5ACDB21E8B8116FE5C7B4BA17D0E9 | 8,539 | | jar
ie.html | 30C1A7B87C419A1427932773642FEEE7 | 14,929 | CVE-2009-3867 | html
index.html | 9939596B9BA5ECD4EE5FD648171EF01C | 14,462 | | html
vistaie7.html | E8888E4EDA75F6CE016A5FBA9BE02FA3 | 14,415 | | html
vistan7ie8.html | 6D11908E6CCC01B14ED0097561853F86 | 8,747 | | html
vistan7other.html | 3E4B94ED2A6ED5F7FF42165BB165A46B | 13,734 | | html
xpie7.html | EDE58120D8C76212E458898B348D2B80 | 14,420 | | html
xpie8.html | A18CCEEE89E13B137C77F88688668CED | 8,714 | | html
xpother.html | 355A809F8B5BDE1E511C628DD75CD871 | 14,129 | | html
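An added example (my own code, not part of the original post or of the Phoenix pack): a small Python script that parses a manifest in the pipe-delimited table format used above and checks a directory of extracted samples against it by size and MD5, so a reader who obtains the archive can confirm they hold the same files that were scanned. The manifest rows embedded in it are copied from the table; the stand-in file bytes in the usage section are constructed and will of course not match the real hashes. It also prints SHA-256 for every file that is present, because MD5 collisions are practical and a second hash makes a sample list safer to share.

```python
"""Verify a sample archive against the hash manifest published on this page.

Added example, not part of the original post. The manifest rows below are
copied from the page's file table; the sample bytes in the usage section are
constructed for illustration and do not match the real samples.
"""
import hashlib
import os
import re
from dataclasses import dataclass

# Rows copied from the page's inventory table (MD5, size in bytes, CVE if given).
SAMPLE_MANIFEST = """\
Filename | MD5 | File Size | CVE | Extension
---|---|---|---|---
collab.pdf | EF68F7B0018EDA2C149EF92EAAA666E2 | 2,012 | CVE-2007-5659 | pdf
geticon.pdf | 1ED11F0EEE47135067F36E73FD5E889E | 2,003 | CVE-2009-0927 | pdf
des.jar | 98F5ACDB21E8B8116FE5C7B4BA17D0E9 | 8,539 | | jar
"""


@dataclass(frozen=True)
class Entry:
    md5: str   # lowercase hex
    size: int  # bytes
    cve: str   # "" when the table gives none


def parse_manifest(text):
    """Parse the pipe-delimited table into {filename: Entry}."""
    entries = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or cells[0].lower() == "filename" or cells[0].startswith("---"):
            continue  # header, separator row or a line that is not a table row
        name, md5, size = cells[0], cells[1].lower(), cells[2]
        if not re.fullmatch(r"[0-9a-f]{32}", md5):
            raise ValueError(f"bad MD5 for {name}: {md5!r}")
        cve = next((c for c in cells[3:] if c.upper().startswith("CVE-")), "")
        entries[name] = Entry(md5=md5, size=int(size.replace(",", "")), cve=cve.upper())
    return entries


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest, files):
    """Compare {name: bytes} against the manifest.

    Returns {name: status}; status is "ok", "size mismatch", "md5 mismatch",
    "missing" (listed but absent) or "unexpected" (present but unlisted).
    Size is checked first because it is the cheapest way to spot a truncated
    or re-encoded copy before hashing.
    """
    report = {}
    for name, entry in manifest.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != entry.size:
            report[name] = "size mismatch"
        elif md5_hex(data) != entry.md5:
            report[name] = "md5 mismatch"
        else:
            report[name] = "ok"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def load_directory(path):
    """Read every regular file in `path` (the samples here are a few KB each)."""
    return {n: open(os.path.join(path, n), "rb").read()
            for n in sorted(os.listdir(path))
            if os.path.isfile(os.path.join(path, n))}


if __name__ == "__main__":
    import sys
    manifest = parse_manifest(SAMPLE_MANIFEST)
    files = load_directory(sys.argv[1]) if len(sys.argv) > 1 else {
        # constructed stand-ins so the script runs with no samples on disk
        "collab.pdf": b"%PDF-1.4\n" + b"\0" * 2003,  # right size, wrong hash
        "extra.bin": b"not in the manifest",
    }
    for name, status in sorted(verify_manifest(manifest, files).items()):
        line = f"{name:16} {status}"
        if status in ("ok", "md5 mismatch"):
            line += f"  sha256={sha256_hex(files[name])}"
        print(line)
```

With a directory argument (for example the extracted archive) it checks the real files; with no argument it runs against the constructed stand-ins and reports a hash mismatch for collab.pdf, a missing geticon.pdf and des.jar, and an unexpected extra.bin. A status of "ok" only says you hold the byte-identical sample the page describes; it says nothing about whether the detections listed further down still apply.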
Flash exploits: CVE-2009-1869, CVE-2007-0071
PDF exploits: CVE-2007-5659, CVE-2009-0927, CVE-2010-0188, CVE-2009-4324, CVE-2008-2992
Internet Explorer exploits: CVE-2010-0806
Java exploits: CVE-2009-3867, CVE-2008-5353
Let me know if I missed any.
Java exploit (GetSoundBank, CVE-2009-3867): read inReverse/Ratsoul's posts for more information here or on their new blog here.
Also, see some malware links with this exploit here.
deie.html: MDAC exploit.
Flashloader: uses object and embed tags for different browsers. Read this article for more details: http://borodin.livejournal.com/10471.html
ActionScript (flash.as)
IE exploit: CVE-2010-0806
Some VirusTotal scans
http://www.virustotal.com/analisis/8e830691f67c49c99d18887ce39f59235d6203d9c5a55a327252f385ae89a2a5-1273807103
File des.jar received on 2010.05.14 03:18:23 (UTC)
Result: 26/41 (63.41%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Trojan-Downloader.Java.OpenStream!IK
AntiVir 8.2.1.242 2010.05.13 EXP/Java.CVE-2009-3867.8861
Antiy-AVL 2.0.3.7 2010.05.13 Exploit/Java.CVE-2009-3867
Authentium 5.2.0.5 2010.05.13 Java/ByteVerify.E
Avast 4.8.1351.0 2010.05.13 Java:Agent-R
Avast5 5.0.332.0 2010.05.13 Java:Agent-R
AVG 9.0.0.787 2010.05.13 Exploit_c.DSO
Comodo 4835 2010.05.14 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.05.14 Exploit.Java.38
F-Prot 4.5.1.85 2010.05.13 Java/ByteVerify.E
F-Secure 9.0.15370.0 2010.05.14 Trojan:W32/Agent.DIYR
Ikarus T3.1.1.84.0 2010.05.14 Trojan-Downloader.Java.OpenStream
Kaspersky 7.0.0.125 2010.05.14 Exploit.Java.Agent.f
McAfee 5.400.0.1158 2010.05.14 Exploit-CVE2009-3867
McAfee-GW-Edition 2010.1 2010.05.14 Exploit-ByteVerify
Microsoft 1.5703 2010.05.13 Exploit:Java/CVE-2009-3867
NOD32 5113 2010.05.13 Java/TrojanDownloader.Agent.NAM
Norman 6.04.12 2010.05.13 JS/Exploit.DD
PCTools 7.0.3.5 2010.05.14 Trojan.Generic
Sophos 4.53.0 2010.05.14 Troj/Clsldr-AE
Sunbelt 6301 2010.05.14 Trojan.Java.Agent.f (v)
Symantec 20101.1.0.89 2010.05.14 Trojan Horse
TrendMicro 9.120.0.1004 2010.05.13 TROJ_CLSLDR.A
TrendMicro-HouseCall 9.120.0.1004 2010.05.14 JAVA_DLAGENT.B
ViRobot 2010.5.13.2314 2010.05.13 JS.EX-CVE-2009-3867.8861
Additional information
File size: 8539 bytes
MD5: 98f5acdb21e8b8116fe5c7b4ba17d0e9
http://www.virustotal.com/analisis/2a964bfc4580762febe14db3702c2ca01cc0e1cb0a51b92da6641cb7733d21d5-1273806789
File all.pdf received on 2010.05.14 03:13:09 (UTC)
Result: 22/41 (53.66%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Exploit.JS.Pdfka!IK
AntiVir 8.2.1.242 2010.05.13 EXP/Pidief.bzr.1
Avast 4.8.1351.0 2010.05.13 JS:Pdfka-ACB
Avast5 5.0.332.0 2010.05.13 JS:Pdfka-ACB
BitDefender 7.2 2010.05.14 Trojan.Script.430112
ClamAV 0.96.0.3-git 2010.05.14 Exploit.PDF-27440
DrWeb 5.0.2.03300 2010.05.14 Exploit.PDF.821
eTrust-Vet 35.2.7487 2010.05.13 PDF/Pidief.QQ!exploit
F-Secure 9.0.15370.0 2010.05.14 Trojan.Script.430112
GData 21 2010.05.14 Trojan.Script.430112
Ikarus T3.1.1.84.0 2010.05.14 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.05.14 Exploit.JS.Pdfka.bzr
McAfee 5.400.0.1158 2010.05.14 Exploit-PDF.ci
McAfee-GW-Edition 2010.1 2010.05.14 Exploit-PDF.ci
NOD32 5113 2010.05.13 PDF/Exploit.Gen
nProtect 2010-05-13.01 2010.05.13 Exploit.PDF-Payload.Gen
PCTools 7.0.3.5 2010.05.14 Trojan.Pidief
Sophos 4.53.0 2010.05.14 Mal/PDFJs-P
Symantec 20101.1.0.89 2010.05.14 Trojan.Pidief
TrendMicro 9.120.0.1004 2010.05.13 TROJ_PIDIEF.SMIG
TrendMicro-HouseCall 9.120.0.1004 2010.05.14 TROJ_PIDIEF.SMIG
Additional information
File size: 2677 bytes
MD5: 66bdb0dc68294890e359e91f1ef18d9e
File allv7.pdf received on 2010.05.11 17:59:31 (UTC)
Result: 23/41 (56.10%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Exploit.JS.Pdfka!IK
AntiVir 8.2.1.236 2010.05.11 EXP/Pidief.bzr.1
Avast 4.8.1351.0 2010.05.11 JS:Pdfka-ACB
Avast5 5.0.332.0 2010.05.11 JS:Pdfka-ACB
BitDefender 7.2 2010.05.11 Trojan.Script.430112
ClamAV 0.96.0.3-git 2010.05.11 Exploit.PDF-22642
Comodo 4824 2010.05.11 TrojWare.JS.Exploit.Pdfka
DrWeb 5.0.2.03300 2010.05.11 Exploit.PDF.821
F-Secure 9.0.15370.0 2010.05.11 Trojan.Script.430112
GData 21 2010.05.11 Trojan.Script.430112
Ikarus T3.1.1.84.0 2010.05.11 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.05.11 Exploit.JS.Pdfka.bzr
McAfee 5.400.0.1158 2010.05.11 Exploit-PDF.ci
McAfee-GW-Edition 2010.1 2010.05.11 Exploit-PDF.ci
NOD32 5106 2010.05.11 PDF/Exploit.Gen
nProtect 2010-05-11.01 2010.05.11 Exploit.PDF-Payload.Gen
PCTools 7.0.3.5 2010.05.11 Trojan.Pidief
Rising 22.47.01.04 2010.05.11 Hack.Exploit.Script.PDF.brz
Sophos 4.53.0 2010.05.11 Mal/PDFJs-P
Symantec 20101.1.0.89 2010.05.11 Trojan.Pidief
TrendMicro 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
TrendMicro-HouseCall 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
ViRobot 2010.5.11.2310 2010.05.11 JS.S.EX-Pdfka.2465
Additional information
File size: 2465 bytes
MD5: b948321de93582951598f3bdddcc5735
http://www.virustotal.com/analisis/279853d0a060232834974a687753f37f8be432b05911d48d6bd62314256b6a16-1273603889
File collab.pdf received on 2010.05.11 18:51:29 (UTC)
Result: 23/41 (56.10%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Exploit.JS.Pdfka!IK
AntiVir 8.2.1.236 2010.05.11 EXP/Pidief.bzr.1
Avast 4.8.1351.0 2010.05.11 JS:Pdfka-ACB
Avast5 5.0.332.0 2010.05.11 JS:Pdfka-ACB
BitDefender 7.2 2010.05.11 Trojan.Script.430112
ClamAV 0.96.0.3-git 2010.05.11 Exploit.PDF-22136
Comodo 4824 2010.05.11 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.05.11 Exploit.PDF.821
F-Secure 9.0.15370.0 2010.05.11 Trojan.Script.430112
GData 21 2010.05.11 Trojan.Script.430112
Ikarus T3.1.1.84.0 2010.05.11 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.05.11 Exploit.JS.Pdfka.bzr
McAfee 5.400.0.1158 2010.05.11 Exploit-PDF.ci
McAfee-GW-Edition 2010.1 2010.05.11 Exploit-PDF.ci
NOD32 5106 2010.05.11 PDF/Exploit.Gen
nProtect 2010-05-11.01 2010.05.11 Exploit.PDF-Payload.Gen
PCTools 7.0.3.5 2010.05.11 Trojan.Pidief
Rising 22.47.01.04 2010.05.11 Hack.Exploit.Script.PDF.arv
Sophos 4.53.0 2010.05.11 Mal/PDFJs-P
Symantec 20101.1.0.89 2010.05.11 Trojan.Pidief
TrendMicro 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
TrendMicro-HouseCall 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
ViRobot 2010.5.11.2310 2010.05.11 JS.S.EX-Pdfka.2012.A
Additional information
File size: 2012 bytes
MD5: ef68f7b0018eda2c149ef92eaaa666e2
http://www.virustotal.com/analisis/4945a23872be7ca1849e84caed03ce7d25f9a3ab96886279337df03922cb7335-1273605310
File geticon.pdf received on 2010.05.11 19:15:10 (UTC)
Result: 22/41 (53.66%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Exploit.JS.Pdfka!IK
AntiVir 8.2.1.236 2010.05.11 EXP/Pidief.bzr.1
Avast 4.8.1351.0 2010.05.11 JS:Pdfka-ACB
Avast5 5.0.332.0 2010.05.11 JS:Pdfka-ACB
BitDefender 7.2 2010.05.11 Trojan.Script.430112
ClamAV 0.96.0.3-git 2010.05.11 Exploit.PDF-22109
Comodo 4824 2010.05.11 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.05.11 Exploit.PDF.821
F-Secure 9.0.15370.0 2010.05.11 Trojan.Script.430112
GData 21 2010.05.11 Trojan.Script.430112
Ikarus T3.1.1.84.0 2010.05.11 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.05.11 Exploit.JS.Pdfka.bzr
McAfee 5.400.0.1158 2010.05.11 Exploit-PDF.ci
McAfee-GW-Edition 2010.1 2010.05.11 Exploit-PDF.ci
NOD32 5106 2010.05.11 PDF/Exploit.Gen
nProtect 2010-05-11.01 2010.05.11 Exploit.PDF-Payload.Gen
PCTools 7.0.3.5 2010.05.11 Trojan.Pidief
Rising 22.47.01.04 2010.05.11 Hack.Exploit.Script.PDF.ari
Sophos 4.53.0 2010.05.11 Mal/PDFJs-P
Symantec 20101.1.0.89 2010.05.11 Trojan.Pidief
TrendMicro 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
TrendMicro-HouseCall 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
Additional information
File size: 2003 bytes
MD5: 1ed11f0eee47135067f36e73fd5e889e
http://www.virustotal.com/analisis/718084344d2e79d57a95bc1d3d2732b4ec6f6d2fb3cfd6615fa6a58e1872a598-1273606433
File libtiff.pdf received on 2010.05.11 19:33:53 (UTC)
Result: 12/41 (29.27%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Exploit.Win32.Pdfjsc!IK
AntiVir 8.2.1.236 2010.05.11 EXP/Pidief.arx
Comodo 4825 2010.05.11 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.05.11 Exploit.PDF.816
Ikarus T3.1.1.84.0 2010.05.11 Exploit.Win32.Pdfjsc
Kaspersky 7.0.0.125 2010.05.11 Exploit.Win32.Pidief.dck
Microsoft 1.5703 2010.05.11 Exploit:Win32/Pdfjsc.gen!B
PCTools 7.0.3.5 2010.05.11 Trojan.Pidief
Sophos 4.53.0 2010.05.11 Troj/PDFJs-JN
Symantec 20101.1.0.89 2010.05.11 Trojan.Pidief.I
TrendMicro 9.120.0.1004 2010.05.11 TROJ_PIDIEF.AAL
TrendMicro-HouseCall 9.120.0.1004 2010.05.11 TROJ_PIDIEF.AAL
Additional information
File size: 3514 bytes
MD5: e1e581cc0d817a808dc33ceb230f91b4
http://www.virustotal.com/analisis/b4c45b9c4f4614a0257f25bb092e34314bf23a395a3243876c93d8e5696ab43d-1273610040
File printf.pdf received on 2010.05.11 20:34:00 (UTC)
Result: 22/41 (53.66%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Exploit.JS.Pdfka!IK
AntiVir 8.2.1.236 2010.05.11 EXP/Pidief.bzr.1
Avast 4.8.1351.0 2010.05.11 JS:Pdfka-ACB
Avast5 5.0.332.0 2010.05.11 JS:Pdfka-ACB
BitDefender 7.2 2010.05.11 Trojan.Script.430112
ClamAV 0.96.0.3-git 2010.05.11 Exploit.PDF-22128
Comodo 4825 2010.05.11 TrojWare.JS.Exploit.Pdfka
DrWeb 5.0.2.03300 2010.05.11 Exploit.PDF.821
F-Secure 9.0.15370.0 2010.05.11 Trojan.Script.430112
GData 21 2010.05.11 Trojan.Script.430112
Ikarus T3.1.1.84.0 2010.05.11 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.05.11 Exploit.JS.Pdfka.bzr
McAfee 5.400.0.1158 2010.05.11 Exploit-PDF.ci
McAfee-GW-Edition 2010.1 2010.05.11 Exploit-PDF.ci
NOD32 5106 2010.05.11 PDF/Exploit.Gen
nProtect 2010-05-11.01 2010.05.11 Exploit.PDF-Payload.Gen
PCTools 7.0.3.5 2010.05.11 Trojan.Pidief
Rising 22.47.01.04 2010.05.11 Hack.Exploit.Script.PDF.arw
Sophos 4.53.0 2010.05.11 Mal/PDFJs-P
Symantec 20101.1.0.89 2010.05.11 Trojan.Pidief
TrendMicro 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
TrendMicro-HouseCall 9.120.0.1004 2010.05.11 TROJ_PIDIEF.SMIG
Additional information
File size: 1907 bytes
MD5: af680ecca07b3294553f672f78554588
http://www.virustotal.com/analisis/0a6096bc53b6ec06e77b28ff748783456cb957aa7b1bcfd489ca528d7b2d016b-1273809739
File ie.html received on 2010.05.14 04:02:19 (UTC)
Result: 9/41 (21.96%)
Antivirus Version Last Update Result
AntiVir 8.2.1.242 2010.05.13 JS/Dldr.Agent.14939
Avast 4.8.1351.0 2010.05.13 JS:Downloader-QO
Avast5 5.0.332.0 2010.05.13 JS:Downloader-QO
AVG 9.0.0.787 2010.05.13 Exploit
BitDefender 7.2 2010.05.14 Trojan.Script.430511
F-Secure 9.0.15370.0 2010.05.14 Trojan.Script.430511
GData 21 2010.05.14 Trojan.Script.430511
Kaspersky 7.0.0.125 2010.05.14 Exploit.Win32.Pidief.dbx
nProtect 2010-05-13.01 2010.05.13 Trojan.Script.430511
TrendMicro-HouseCall 9.120.0.1004 2010.05.14 -
Additional information
File size: 14929 bytes
MD5: 30c1a7b87c419a1427932773642feee7
http://www.virustotal.com/analisis/0495851197d4d5c22b0b0491e70e5a4d03006732038ac05017ab436f7c99fa90-1273812919
File flash.swf received on 2010.05.14 04:55:19 (UTC)
Result: 10/41 (24.4%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Trojan.Exploit_c!IK
Antiy-AVL 2.0.3.7 2010.05.13 Exploit/SWF.Agent
AVG 9.0.0.787 2010.05.13 Exploit_c.DSP
Comodo 4835 2010.05.14 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.05.14 Exploit.SWF.162
F-Secure 9.0.15370.0 2010.05.14 Trojan:W32/Agent.DIYP
Ikarus T3.1.1.84.0 2010.05.14 Trojan.Exploit_c
Kaspersky 7.0.0.125 2010.05.14 Exploit.SWF.Agent.dn
Norman 6.04.12 2010.05.13 SWF/Exploit.Y
nProtect 2010-05-13.01 2010.05.13 -
Sophos 4.53.0 2010.05.14 Troj/SWFLdr-P
TrendMicro-HouseCall 9.120.0.1004 2010.05.14 -
Additional information
File size: 1645 bytes
MD5: c643c2b8e901e52c14a8d6ce8096e327
http://www.virustotal.com/analisis/e3582bb79f4265b0d7433c4755b0129410889a62b21f0a45a9ae8e72da22a123-1273814122
File index.js received on 2010.05.14 05:15:22 (UTC)
Result: 16/40 (40%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Trojan-Downloader.Win32.Small!IK
AntiVir 8.2.1.242 2010.05.13 HTML/Shellcode.Gen
Avast 4.8.1351.0 2010.05.13 JS:ScriptUE-inf
Avast5 5.0.332.0 2010.05.13 JS:ScriptUE-inf
AVG 9.0.0.787 2010.05.13 JS/Downloader.Agent
BitDefender 7.2 2010.05.14 Trojan.Script.229497
Comodo 4836 2010.05.14 UnclassifiedMalware
F-Secure 9.0.15370.0 2010.05.14 Trojan.Script.229497
GData 21 2010.05.14 Trojan.Script.229497
Ikarus T3.1.1.84.0 2010.05.14 Trojan-Downloader.Win32.Small
McAfee-GW-Edition 2010.1 2010.05.14 Heuristic.BehavesLike.Exploit.JS.CodeExec.EBEB
Microsoft 1.5703 2010.05.13 TrojanDownloader:Win32/Small.gen!C
nProtect 2010-05-13.01 2010.05.13 Trojan.Script.229497
Sophos 4.53.0 2010.05.14 Mal/JSShell-B
TrendMicro-HouseCall 9.120.0.1004 2010.05.14 Expl_ShellCodeSM
VirusBuster 5.0.27.0 2010.05.13 JS.BOFExploit.Gen
Additional information
File size: 14272 bytes
MD5: b07e39d831f8ea3f8bcd84dcc9a60fff
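An added example (my own code, not from the original post or from VirusTotal): a Python parser for result listings in the format pasted above. It turns a block into rows, recomputes the x/y ratio, and pulls out the CVE ids that engines embed in their detection names, which vendors write inconsistently (AntiVir's EXP/Java.CVE-2009-3867.8861 and McAfee's Exploit-CVE2009-3867 in the des.jar listing refer to the same bug). The embedded sample is a subset of the des.jar listing; the list of names treated as "generic" is my own assumption.

```python
"""Summarise VirusTotal result listings like those pasted on this page.

Added example, not part of the original post. The sample block below is a
subset of the des.jar listing from the page; the parsing and the CVE
normalisation are this example's own logic, not VirusTotal's.
"""
import re

# Subset of the des.jar results from the page: vendor, engine version, signature date, result.
SAMPLE_VT = """\
Antivirus Version Last Update Result
AntiVir 8.2.1.242 2010.05.13 EXP/Java.CVE-2009-3867.8861
Avast 4.8.1351.0 2010.05.13 Java:Agent-R
McAfee 5.400.0.1158 2010.05.14 Exploit-CVE2009-3867
Microsoft 1.5703 2010.05.13 Exploit:Java/CVE-2009-3867
Symantec 20101.1.0.89 2010.05.14 Trojan Horse
TrendMicro-HouseCall 9.120.0.1004 2010.05.14 -
"""

# Vendors write CVE ids as "CVE-2009-3867", "CVE2009-3867" or "CVE-2009-3867.8861".
CVE_RE = re.compile(r"CVE-?(\d{4})-?(\d{4,})", re.IGNORECASE)
DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")

# Detection names that carry no family or CVE information (assumed list).
GENERIC_NAMES = ("UnclassifiedMalware", "Trojan Horse", "Trojan.Generic", "Exploit")


def parse_vt_results(text):
    """Return [(vendor, version, date, result)]; result is None when the engine reported '-'."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # A result row is: vendor, version, YYYY.MM.DD date, then a possibly multi-word name.
        if len(tokens) < 4 or not DATE_RE.fullmatch(tokens[2]):
            continue  # header line, URL, "Additional information", etc.
        vendor, version, date = tokens[0], tokens[1], tokens[2]
        result = " ".join(tokens[3:])
        rows.append((vendor, version, date, None if result == "-" else result))
    return rows


def detection_ratio(rows):
    """(detections, engines) for the rows, the same shape as VirusTotal's 'Result: x/y'."""
    return sum(1 for r in rows if r[3] is not None), len(rows)


def cves_named(rows):
    """CVE ids found in detection names, normalised to CVE-YYYY-NNNN, with the vendors naming each."""
    hits = {}
    for vendor, _, _, result in rows:
        for year, num in CVE_RE.findall(result or ""):
            hits.setdefault(f"CVE-{year}-{num}", []).append(vendor)
    return hits


def generic_vendors(rows):
    """Vendors that detect the file but give only a generic label."""
    return [v for v, _, _, r in rows if r in GENERIC_NAMES]


if __name__ == "__main__":
    rows = parse_vt_results(SAMPLE_VT)
    detected, engines = detection_ratio(rows)
    print(f"{detected}/{engines} engines detect the sample")
    for cve, vendors in cves_named(rows).items():
        print(f"{cve}: {', '.join(vendors)}")
    print("generic label only:", ", ".join(generic_vendors(rows)) or "none")
```

Pasting one of the blocks above into SAMPLE_VT works as-is. The denominator recomputed from a pasted block is smaller than VirusTotal's 41 because the page lists only the engines that fired (plus a few "-" rows); the CVE extraction is the useful part, since three independent vendors naming the same id is stronger evidence of which bug a file targets than any single generic label.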
Hello
What is the password? Please
Hi, I would like the password please. Send it to mongo787@yahoo.com
Thanks
All - please email me if you need a password. Do not post this in comments. Thanks
Hello,
Can you post the entire ActionScript if you still have it?
Thanks,