A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really useable, as it required activating by the author of the exploit kit. It contains an activation page that is being used to load all the exploits to the server for every specific customer. As expected, the author of the exploit kit released a new version of the tool, version 2.7.
The changes between the two versions are minor, but still very important as most exploits become inefficient in the very short term, especially with the latest IE vulnerabilities.
The new pack 2.7 contains the following updates:
- JAVA exploit added – Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
- Old exploits were removed, the exploit kit currently contains the following exploits:
- Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
- Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869,
- Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
- IEPeers Remote Code Execution – CVE-2009-0806
- Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
- PDF Exploit – collab. collectEmailInfo – CVE-2007-5659
- PDF Exploit – util.printf – CVE-2008-2992
- PDF Exploit – collab.geticon – CVE-2009-0927
- PDF Exploit – doc.media.newPlayer – CVE-2009-4324
- PDF Exploit – LibTIFF Integer Overflow – CVE-2010-0188
- The obfuscation technique has been changed.
De-compiled class “stomp” – klcteugviqyvfu.jar
The HTML web page loads a malicious JAR file, as described in the screenshot above. The obfuscated code generates a link to the payload using a parameter that is sent from the previous HTML web page.
The screenshot above describes part of the code that is being used to exploit the victim’s machine and execute the payload in higher privilege.
The control panel looks exactly like the older versions:
Once again, we find that cybercriminals use JAVA and PDF exploits, as they have become the most efficient and reliable attack vector.