Phoenix Exploit’s Kit 2.0 is an upgraded version of the Phoenix Toolkit which was initially researched by the M86 Security Labs mid-2009.
The GUI of the admin panel has not changed significantly from the previous version, but in addition to new features and exploits, a new obfuscation technique has been employed.

Figure 1: The login panel of Phoenix Exploit’s Kit
Exploits
The Phoenix Exploit Kit includes exploits for the following vulnerabilities:
Flash exploits
- Adobe Flash Integer Overflow in AVM2 (CVE-2009-1869)
- Adobe Flash Integer Overflow in Flash Player (CVE-2007-0071)
PDF exploits
- Adobe Reader CollectEmailInfo Vulnerability (CVE-2007-5659)
- Adobe Reader Collab GetIcon Vulnerability (CVE-2009-0927)
- Adobe Reader LibTiff Vulnerability (CVE-2010-0188)
- Adobe Reader newPlayer Vulnerability (CVE-2009-4324)
- Adobe Reader util.printf Vulnerability (CVE-2008-2992)
Internet Explorer exploits
- IE MDAC Vulnerability (CVE-2006-0003)
- IE SnapShot Viewer ActiveX Vulnerability (CVE-2008-2463)
- IE iepeers Vulnerability (CVE-2010-0806)
Java exploits
- Java HsbParser.getSoundBank Vulnerability (CVE-2009-3867)
- Java Development Kit Vulnerability (CVE-2008-5353)
Administrator panel
Like most exploit kits, the Phoenix Exploit’s Kit provides the administrator with the ability to analyze incoming traffic and see a count of the infected machines. It also lets the user upload a chosen payload (a Trojan) via the admin panel; once a victim is successfully exploited, that payload is executed on the infected machine.
Figure 2: The exploit statistics organized by exploit name and browser type. The marked Java exploits appear to have become more reliable than the IE vulnerabilities.


In order to circumvent recognition by URL filtering services, the Phoenix Exploit Kit provides its owner with an option to check whether his domain has been recognized and blacklisted by malware research websites such as:
- Google Safe Browsing
- MalwareURL
- Zeus Tracker
Figure 5: URL Filtering scan results.
The Phoenix Exploit Kit offers the ability to subscribe to the “Phoenix Triple System”, a paid service that lets customers have the author re-encrypt an exploit once the file has been detected by an AV vendor. According to the documentation, the next version of the exploit kit will alert the customer if his domain is listed on one of the URL-filtering websites and, if it is listed, will offer the ability to re-install the system on a new domain pre-purchased by the client.
The author included the following release notes with the exploit kit, which describe the technical aspects along with installation instructions, the features included and the change history since version 1.0 (translated from Russian using Google Translate):

Figure 6: Phoenix Exploit’s Kit Release notes (translated from Russian)
An additional interesting change planned for the next revision of the exploit kit is the integration of heap spray for FLASH10 directly into the SWF file itself, which would significantly increase the reliability of successful exploitation. This confirms the recent trend that instead of attacks being confined to the browser, an increasing number of new attacks integrate PDF, JAVA and Flash files.
