Posts Tagged ‘PDF Vulnerability’

PDF Exploit Disguised as a Xerox Scanned Document

By Rodel Mendrez  •  February 7th, 2011  •   Spam

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated the email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent from a Xerox WorkCentre Pro scanner.

Sparc.com compromised

By Anonymous  •  August 4th, 2009  •   Cybercrime

Last week, we detected that the Sparc.com website had been compromised by cybercriminals. In this case, the criminals injected a script into the website that adds an IFrame to the page. This IFrame redirects the website's visitors to malicious content hosted on updatedate.cn.

Our recent tests indicate that updatedate.cn no longer serves malicious code; however, we did find records in our systems indicating that this domain had been serving malware since July 15th, 2009, mostly exploiting the PDF vulnerability to infect users.
We have contacted sparc.com and reported the incident, trusting that the problem will be fixed soon.
Posted by Yuval Ben-Itzhak
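The injection described above (a script that adds an IFrame pulling content from an outside domain) is the kind of change a site owner can catch by scanning their own pages. The following is an added example, not code from the original post or from any vendor tool: it walks a saved copy of a page, flags IFrames whose host differs from the site's own host or that are hidden (zero-size or display:none), and also flags scripts that write an IFrame via document.write, undoing the 'ifr' + 'ame' string splitting often used to hide the tag name. The sample page, the site host www.example-site.test and the domain bad-domain.invalid are all constructed.

```python
"""Spot injected <iframe> elements in a saved copy of a web page.

Added example (not from the original post): a check a site owner could run
over pages fetched from their own server. The sample page, the site host
and the outside domain are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageWalker(HTMLParser):
    """Collect every <iframe> start tag and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attribute values without '=' arrive as None; normalise to ""
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw text, which is what we want
        if self._in_script:
            self.scripts.append(data)


def _is_hidden(attrs):
    """Zero-size or CSS-hidden frames exist to load content, not to show it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False


# 'ifr' + 'ame' style string splitting hides the tag name from a plain grep
_SPLIT_RE = re.compile(r"""['"]\s*\+\s*['"]""")


def find_injected_iframes(html, site_host):
    """Return a list of findings; an empty list means nothing looked injected."""
    walker = _PageWalker()
    walker.feed(html)
    findings = []
    for attrs in walker.iframes:
        src = attrs.get("src", "")
        # a relative src stays on the site itself
        host = (urlparse(src).hostname or site_host).lower()
        reasons = []
        if host != site_host.lower():
            reasons.append("off-site host " + host)
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append({"kind": "iframe", "src": src, "reasons": reasons})
    for body in walker.scripts:
        joined = _SPLIT_RE.sub("", body).lower()
        if "document.write" in joined and "iframe" in joined:
            findings.append({"kind": "script", "src": "", "reasons": ["script writes an iframe"]})
    return findings


# Constructed sample page: one legitimate frame, one injected hidden frame,
# and one injected script that writes a frame with a split tag name.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/media/player.html" width="400" height="300"></iframe>
<iframe src="http://bad-domain.invalid/in.cgi?3" width="0" height="0"></iframe>
<script>document.write('<ifr' + 'ame src="http://bad-domain.invalid/x" style="display:none"></ifr' + 'ame>');</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_iframes(SAMPLE_PAGE, "www.example-site.test"):
        print(finding)
```

Run against the sample, the legitimate player frame passes and the two injected items are reported. In practice the page is fetched from the server itself (or from a clean backup) and the list of expected third-party hosts is whitelisted before alerting; this is a first-pass check, not a substitute for examining the server for the injection vector.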

Did You Update Your Unique Pack Toolkit Today?

By Moshe Basanchig  •  May 20th, 2009  •   Cybercrime Vulnerabilities

Recently we wrote about a crimeware toolkit called “Unique Pack”, which is one of the most popular toolkits “in the wild” these days. Just like other popular toolkits we reported on in the past, these are highly successful in exploiting end users' PCs when released. However, their effectiveness decreases as time passes, since more and more users patch their PCs.
Just like operating systems and browsers, some toolkits get updates as well, allowing them to exploit newer vulnerabilities and offering the cybercriminal more options in orchestrating the attack. This is also the case with “Unique Pack”.
Recently we found an updated version of the “Unique Pack” toolkit.
Let’s take a look at the changes in the administration panel: 
 
The new “Settings” tab in the panel shows the collection of exploits included in the toolkit. The toolkit provides links to information about each exploit (google.com, Microsoft.com, SecurityFocus, etc.). Moreover, it enables the cybercriminal to change the exploitation order and to enable or disable individual exploits during the attack. In the above screenshot, taken from a cybercriminal's server, we see that no exploit was enabled for the Firefox web browser while almost all exploits for IE 7 and 8 were enabled. Indeed, visiting the malicious site using Firefox wouldn't trigger any exploit.
Following is the obfuscation used by the toolkit: 
 
As you can see, it’s a rather simple JavaScript obfuscation merely used to avoid AV signatures. 
The obfuscated code is generated dynamically at the server side according to the user’s browser. 
Below are the vulnerabilities exploited by the new “Unique Pack” in order to install malicious software on computers running Internet Explorer 6:

  • AOL SuperBuddy ActiveX Control Code Execution Vulnerability.
  • NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow.
  • Yahoo! Messenger ywcvwr.dll ActiveX Control Buffer Overflow.
  • Yahoo! Messenger ywcupl.dll ActiveX Control Buffer Overflow.
  • Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow Vulnerability.
  • Real Player IERPCtl Remote Code Execution Vulnerability.
  • GOM Player GomWebCtrl.GomManager ActiveX RCE Vulnerability.
  • Aurigma Facebook Image Uploader ActiveX RCE Vulnerability.
  • Real Player rmoc3260.dll ActiveX Control Remote Code Execution Vulnerability.
  • CA BrightStor ARCserve Backup ActiveX Remote Buffer Overflow Vulnerability.
  • Microsoft Works ActiveX Control Remote Code Execution Vulnerability.
  • Ourgame GLWorld GLIEDown2.dll multiple RCE Vulnerabilities.
  • Creative Software CTSUEng.ocx ActiveX Control RCE Vulnerability.
  • Microsoft Access Snapshot Viewer ActiveX Control Vulnerability.
  • Sina DLoader File Download Vulnerability.
  • Windows Media Encoder (wmex.dll) ActiveX Vulnerability.
  • IE RDS ActiveX Vulnerability.
  • IE WMIScriptUtils createObject vulnerability.
  • IE WebViewFolderIcon vulnerability.

Indeed – quite an impressive list. Some of these vulnerabilities are rather new, such as the “Snapshot Viewer” one, while others are old yet still effective. Had the client used a newer version of Internet Explorer, such as 7 or 8, different vulnerabilities would have been exploited, such as MS08-078.
When the visitor uses the Opera web browser, “Unique Pack” tries to exploit the opera.setPreference method to change the handler for the TN3270 protocol and then open a URL with that scheme. The new handler is an executable downloaded by the toolkit, which Opera saves in its temporary internet folder. Due to another weakness of the Opera browser, the attacker can figure out the full path to that file and set it as the protocol handler, so that opening the URL makes the browser run the executable. The vulnerability that allows this exploit was fixed in Opera 9.62.
Apart from exploiting web browsers, “Unique Pack” also tries to exploit both Adobe Acrobat Reader and FoxIt Reader vulnerabilities. Following is part of the PDF file exploiting one of the latest Acrobat Reader vulnerabilities: 
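Because the screenshot of the PDF is not reproduced here, the following added example (not the post's own code, and not an M86 or Finjan tool) shows the static first-pass triage a defender applies to a suspicious PDF like the one described: count the dictionary keys that carry scripts or auto-triggered actions (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile). It undoes two tricks that defeat a plain byte search, names written with #xx hex escapes (/J#61vaScript) and dictionaries hidden inside FlateDecode-compressed object streams. The sample PDF is constructed in the block itself and contains only a harmless app.alert string, not a real exploit.

```python
"""Static triage of a PDF for active-content keys.

Added example (not from the original post or any vendor tool). The sample
PDF built by build_sample_pdf() is constructed for illustration.
"""
import re
import zlib

RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _normalize_names(chunk):
    """Turn /J#61vaScript into /JavaScript so key matching sees the real name."""
    return _HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), chunk)


def _views(data):
    """Return the document body with streams cut out, plus each stream decoded."""
    decoded = []
    for m in _STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            decoded.append(zlib.decompress(raw))   # FlateDecode is plain zlib
        except zlib.error:
            decoded.append(raw)                     # not compressed; scan as-is
    body = _STREAM_RE.sub(b"stream\nendstream", data)
    return [_normalize_names(v) for v in [body] + decoded]


def triage_pdf(data):
    """Count occurrences of each risky key across all views of the document."""
    views = _views(data)
    counts = {}
    for key in RISKY_KEYS:
        # the lookahead stops /JS from matching inside a longer name such as /JSX
        pattern = re.compile(re.escape(key) + rb"(?![A-Za-z])")
        counts[key.decode()] = sum(len(pattern.findall(v)) for v in views)
    return counts


def is_suspicious(counts):
    """Script plus an automatic trigger, or a launch/embedded file, warrants a closer look."""
    script = counts["/JavaScript"] + counts["/JS"]
    trigger = counts["/OpenAction"] + counts["/AA"]
    return (script > 0 and trigger > 0) or counts["/Launch"] > 0 or counts["/EmbeddedFile"] > 0


def build_sample_pdf():
    """Constructed sample: script hidden by a hex-escaped name and inside an object stream."""
    hidden = b"6 0 obj << /S /JavaScript /JS (app.alert('sample')) >> endobj"
    stream = zlib.compress(hidden)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(stream)).encode()
        + b" >>\nstream\n"
        + stream
        + b"\nendstream\nendobj\n"
        b"5 0 obj << /Type /Action /S /J#61vaScript /JS (this.exportDataObject()) >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    result = triage_pdf(build_sample_pdf())
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

On the sample, a byte-level search for the literal /JavaScript finds nothing in the top-level objects, because the only visible copy is spelled /J#61vaScript, yet the triage reports two /JavaScript keys and an /OpenAction. This is a screening heuristic: a clean count does not prove a file safe (other filters, encrypted documents and malformed syntax all need a full parser), but a non-zero count on a document that arrived unexpectedly is enough to keep it away from an unpatched reader.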
 
Finally, had the attack been successful, a malicious executable file would be pushed and installed on the client machine. 
The VirusTotal report below shows that only 2/40 AV products detected it: 
 
As always, we encourage users to upgrade their OS, browser, PDF reader, and the rest of their software stack with the latest security updates. Stay safe! 
Posted by Moshe Basanchig