
Cisco wipes its memory from susceptible-to-Row Hammer list

Make sure you use only original spares …

Cisco has worked through data centre and switch products that may have been vulnerable to the Row Hammer vulnerability, and decided there's nothing with the bridge brand on the front that's subject to the bug.…

Posted: 30 Mar 2015 | 5:58 pm

Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority

Recently, we’ve come across an interesting spam campaign aimed at French users. The campaign itself uses a well-crafted lure that is likely to catch the attention of its would-be victims. In addition, the malware used – the GootKit backdoor – contains several unusual technical characteristics. Both of these highlight how this campaign was quite well thought-out on the part of the attackers.

Spam: Using the French Ministry of Justice

This campaign starts with email in French that uses varying subject lines:

The email’s text reads as follows:

Selon la décision du tribunal n° 184, afin de recouvrir les sommes dues auprès du débiteur, et en vertu des procédures d’exécution n° 135-01, la saisie de votre propriété a été prononcée.

Vous pouvez obtenir une copie de cette décision auprès du greffe du tribunal.

Une copie du jugement se trouve dans le fichier ci-joint.

This content can be roughly translated as:

According to court decision No. 184, in order to recover the amounts owed by the debtor, and under enforcement proceedings No. 135-01, the seizure of your property has been ordered.

You can obtain a copy of this decision from the court registry.

A copy of the judgment is in the attached file.

The email contains a Microsoft Word document (named either copy du jugement.doc or paiment.doc) which the user is asked to open. This file has the SHA1 hash 9b7cf1b6255a7dc26b346fdcccbfc4755db020bf.

Once opened, this document downloads and opens a decoy image from the file hosting site savepic.su (which is displayed below). It also contains a macro which downloads and runs a backdoor.

Figure 1. Decoy image shown when opening the Microsoft Office document

The image is a reproduction of a letter from the French Ministry of Justice. It is a letter typically sent to individuals stating that the Ministry cannot assist with cases that are already before courts. This letter could have been obtained from a compromised system or email inbox, or by an accomplice working on behalf of the attackers. (References to the individual who originally received this letter were already blurred when downloaded.)

It’s worth noting that the text used in the email contained no typos or grammar mistakes. This is unusual, as spammed messages frequently contain such mistakes (whatever language they use). This suggests that a French speaker, or someone well versed in French, wrote the text. Combined with the authentic decoy image, it’s not difficult to see how a French user might not instantly realize the message was spam.

Size and scope of campaign

Over a two-day period in the middle of March, we estimate that the images were downloaded and viewed more than 1,700 times. Based on the email addresses, both corporate and home users were targeted by this threat. We are unaware of any public or private data breaches that contained the list of recipients, which suggests that the addresses were gathered from various online sources.

We also found other spam campaigns that used the same malware families for their droppers and payloads. Other countries, such as Italy, are now being targeted as well. For instance, we noted a sample email with an attachment named documente copy.doc, which used the following subject lines:

These malware samples consistently used images uploaded to savepic.su. This made it easy to count the number of times each picture was downloaded. We found that each image was viewed between 1,700 and 10,000 times.

Backdoor payload

After the user opens the malicious document and enables the embedded macro, the macro downloads and executes the dropper (SHA1 hash: f9772fcfbcaac9c4873989a1759a5c654eec440e). First, the dropper creates an Application Compatibility Database (an .SDB file) containing its own patch code, which it installs via the sdbinst command. Explorer.exe is then started with the command-line parameter issdb. The shim engine injects the patch code into the process, where it is executed.

The exact method used here is unusual; it was first described in a research paper titled Persist It: Using and Abusing Microsoft’s Fix It Patches, presented by Jon Erickson at Black Hat Asia 2014. The paper described how an .SDB file can be crafted to modify an application’s behavior while it runs. We have seen this method used to sideload DLLs, but this is the first time we have seen it used to patch a loader.

Figure 2. SDB overview via sdb-explorer

This patch is about 6 kilobytes in size and patches memory at five different locations within kernel32.dll in order to run its own code on the fly. The technique is used not only to patch explorer.exe but other processes as well.
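Shim databases installed through sdbinst leave a registry trail, which makes this persistence technique easy to enumerate on a suspect host. The PowerShell below is an added example, not code from the Trend Micro post: it assumes sdbinst’s documented registry layout under AppCompatFlags (InstalledSDB\{GUID} for each database, Custom\<exe> for each shimmed executable) and its default copy location %WINDIR%\AppPatch\Custom, and it should be run from an elevated prompt.

```powershell
# Added example (not from the Trend Micro post): list the application
# compatibility databases registered through sdbinst and flag any that shim
# explorer.exe, the process GootKit's SDB patches. Assumes sdbinst's
# documented registry layout under AppCompatFlags and its default copy
# location %WINDIR%\AppPatch\Custom; run from an elevated PowerShell.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# InstalledSDB\{GUID}: one key per registered database.
$installed = @{}
Get-ChildItem -Path "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p    = Get-ItemProperty -Path $_.PSPath
    $path = [string]$p.DatabasePath
    $installed[$_.PSChildName] = [pscustomobject]@{
        Guid        = $_.PSChildName
        Path        = $path
        Description = $p.DatabaseDescription
        Installed   = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp) }
        OnDisk      = $path -and (Test-Path -LiteralPath $path)
        Sha1        = if ($path -and (Test-Path -LiteralPath $path)) { (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash }
    }
}

# Custom\<exe name>: one value named {GUID}.sdb for every database applied to that executable.
$targets = Get-ChildItem -Path "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.PSChildName
    (Get-ItemProperty -Path $_.PSPath).PSObject.Properties |
        Where-Object { $_.Name -like '{*}.sdb' } |
        ForEach-Object {
            $guid = $_.Name -replace '\.sdb$', ''
            [pscustomobject]@{
                Target = $exe
                Guid   = $guid
                Db     = $installed[$guid]
            }
        }
}

# Any custom shim on a workstation deserves a look; one aimed at explorer.exe
# is the pattern of this campaign.
foreach ($t in $targets) {
    $flag = if ($t.Target -ieq 'explorer.exe') { 'SUSPECT' } else { 'review' }
    '{0,-8} {1,-24} {2}  {3}' -f $flag, $t.Target, $t.Db.Path, $t.Db.Sha1
}

# Databases left in the drop directory after their registry keys were removed
# still show up on disk.
Get-ChildItem -Path "$env:WINDIR\AppPatch\Custom" -Recurse -Filter '*.sdb' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

On a clean workstation both registry keys are normally empty, so any entry is worth triaging; the SHA1 of the .SDB file can be compared against the indicators at the end of the post, and the file itself can be opened with a tool such as sdb-explorer (Figure 2) to see which functions it patches.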

The patch code detects the operating system version in order to fetch the appropriate build of GootKit (both 32- and 64-bit versions are available). They can be downloaded from two distinct URLs:

It’s worth noting that the download server uses HTTPS, with a self-signed certificate that identifies the site as My Company Ltd. The real file names of the downloaded files are node32.dll.rk and node64.dll.rk, respectively.

Figure 3. HTTP headers of download server

Once the .DLL file is downloaded and loaded, the malware is ready to perform its routines and it now communicates to its command-and-control (C&C) server located at hxxps://VersatileGreenwood[dot]net:80/200.

Figure 4. HTTP headers of C&C server

Two things about the C&C server are apparent. Although its URL differs, it resolves to the same IP address as the download server. Also, the HTTP reply leaks some information about the server: the X-Powered-By: Express header indicates that it runs on the Express web framework for Node.js.

Adding a Fake Certificate Authority

One of GootKit’s abilities is to monitor network traffic, even when encrypted. How does it do this? In a similar manner to the recent Superfish incident: it adds a fake root certificate authority to the system. However, it does this in an unusual way.

GootKit essentially takes an existing root certificate on the system and adds a duplicate certificate (of its own creation) with the same name. However, upon closer examination, we noted two key differences: the fake certificate expires in 2020, and its RSA key length is only 1024 bits.

Figure 5. Fake certificate – 1024-bit key on the left, private key on the right

GootKit uses the fake certificate to perform man-in-the-middle (MITM) attacks against any HTTPS traffic. Because the fake certificate uses the same name as a randomly chosen legitimate certificate already present on the system, it is very hard to detect this problem.
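The duplicate is invisible if you only look at subject names, but it is not invisible to the certificate store itself: the thumbprint differs, the key is 1024-bit, and (as Figure 5 shows) the private key sits on the box. The PowerShell below is an added example, not code from the Trend Micro post; it relies only on the built-in Cert: drive and the .NET X509 classes, and it reports candidates for review rather than verdicts.

```powershell
# Added example (not from the Trend Micro post): audit the trusted root
# stores for the traits of GootKit's bogus CA, a subject name that duplicates
# an existing root, a 1024-bit RSA key, and a private key present on the
# host. Assumes only the built-in Cert: drive and .NET X509 classes.

function Get-SuspectRootCerts {
    param([string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))

    $certs = foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            # Returns $null for non-RSA (e.g. ECDSA) roots.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                KeyAlg        = $_.PublicKey.Oid.FriendlyName
                KeyBits       = if ($rsa) { $rsa.KeySize } else { $null }
                HasPrivateKey = $_.HasPrivateKey
            }
        }
    }

    # 1. Same subject, different certificate: a renewed or cross-signed root is
    #    benign, a freshly added look-alike is not, so compare thumbprints.
    $dupes = $certs | Group-Object Subject | Where-Object Count -gt 1 |
        ForEach-Object { $_.Group } |
        Select-Object *, @{ n = 'Reason'; e = { 'duplicate subject' } }

    # 2. Weak key: no current public root uses 1024-bit RSA.
    $weak = $certs | Where-Object { $_.KeyBits -and $_.KeyBits -lt 2048 } |
        Select-Object *, @{ n = 'Reason'; e = { "RSA-$($_.KeyBits)" } }

    # 3. A root CA whose private key is on the machine is exactly what a local
    #    MITM needs to mint leaf certificates for any site.
    $withKey = $certs | Where-Object HasPrivateKey |
        Select-Object *, @{ n = 'Reason'; e = { 'private key present' } }

    @($dupes) + @($weak) + @($withKey) | Sort-Object Thumbprint, Reason
}

Get-SuspectRootCerts | Format-Table Reason, Store, Subject, KeyBits, NotAfter, Thumbprint -AutoSize
```

Treat the output as a worklist: some older Windows builds still carry legacy 1024-bit roots and a few vendors have shipped two roots with identical subjects, so the decisive signals are a thumbprint that does not appear in the Microsoft root program and, above all, a root with its private key on a workstation, which has no legitimate reason to exist there.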

Remote Access Capabilities

While the remaining capabilities of GootKit are in line with its known features, it does seem to have added one new feature: the command RunVNC. This suggests it can now make use of the VNC protocol to give an external user (presumably the attacker) direct access to the victim’s machine.

Figure 6. List of available functions

Additional payloads

We monitored the dropper to see whether it was used to spread threats other than GootKit. We found that the same dropper also delivers CryptoWall and online banking malware.


This entire campaign was quite well thought out, with one exception. The social engineering used in the email was a cut above most, and GootKit itself has picked up some fairly interesting and advanced behavior. However, requiring the user to enable macros before anything happens is very much the sign of an amateur. The mix is an odd one, to say the least.

Whatever the case, these attacks are still ongoing. We expect them to continue and victimize more users. It is also likely that future attacks will remove the need for the user to enable macros.
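Because the whole chain depends on the macro being allowed to run, the Word macro security level is the one setting worth checking on every endpoint that received this mail. The PowerShell below is an added example, not code from the Trend Micro post: it assumes the documented VBAWarnings registry value (1 = enable all, 2 = disable with notification, 3 = disable unless signed, 4 = disable all) and that a Group Policy value under Software\Policies, when present, overrides the user’s own choice.

```powershell
# Added example (not from the Trend Micro post): report the effective Word
# macro security setting for the current user, the control that decides
# whether this campaign's document can run its macro at all. Assumes the
# documented VBAWarnings value and that a policy value overrides the user one.

$meaning = @{
    1 = 'Enable all macros (runs this campaign''s macro silently)'
    2 = 'Disable with notification (default; one click on Enable Content runs it)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroSetting {
    foreach ($ver in '12.0', '14.0', '15.0', '16.0') {      # Office 2007 .. 2016
        $user   = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
        $policy = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security"
        if (-not (Test-Path $user) -and -not (Test-Path $policy)) { continue }

        $p = (Get-ItemProperty -Path $policy -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $u = (Get-ItemProperty -Path $user   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $effective = if ($null -ne $p) { $p } elseif ($null -ne $u) { $u } else { 2 }   # unset = Office default

        [pscustomobject]@{
            OfficeVersion = $ver
            Source        = if ($null -ne $p) { 'policy' } elseif ($null -ne $u) { 'user' } else { 'default' }
            VBAWarnings   = $effective
            Meaning       = $meaning[[int]$effective]
            Weak          = [int]$effective -le 2     # anything the recipient can click through
        }
    }
}

Get-WordMacroSetting | Format-Table -AutoSize
```

Level 2, the default, is precisely what this lure exploits: the document opens with a yellow bar and one click runs the macro. Setting the policy value to 3 or 4 via Group Policy removes the decision from the user; the same value also exists under HKLM\Software\Policies for machine-wide enforcement.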

Users are protected from this threat via Trend Micro™ Security software, which safeguards against malware, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.

Indicators of compromise

SHA1 hash                                 Detection name     Notes                     C&C server(s)
9b7cf1b6255a7dc26b346fdcccbfc4755db020bf  W2KM_EMDROP.AA     GootKit final payload
19ff788685ce9c8ec48848dfc4ef56abe99d657b  W2KM_DROPR.ED      GootKit final payload
fb2ed685fc58077a7849eb4b000e2cf320cf5181  W2KM_BARTALEX.CE   GootKit final payload
4d56c9b7e40e0c0916e5f1468e650f66a4ccee87  W2KM_DROPR.ED      GootKit final payload
f9772fcfbcaac9c4873989a1759a5c654eec440e  BKDR_GOOTKIT.D     GootKit                   repvisit.com
4095c19435cad4aed7490e2fb59c538b1885407a  BKDR_GOOTKIT.D     GootKit                   repvisit.com
2a84a60e7596de95940834779ce49a5d598800d0  W2KM_BARTALEX.CE   CryptoWall final payload
24aeb8369a24c5cfd6a9c9bfef1d793ae80fd854  W2KM_BARTALEX.CE   CryptoWall final payload
82d644bed4fdcc9953c935b4e246bdb410fbfa32  TROJ_CRYPWALL.L    CryptoWall
2a79d6be983dc7b4145bbb67426f1849ae2976fa  TROJ_CRYPWALL.L    CryptoWall

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Posted: 30 Mar 2015 | 5:20 pm

DARPA's plan to make software security "the domain of machines"

Bugs like Heartbleed and Shellshock can sit unobserved in critically important software for years. The answer, according to DARPA, is intelligent software that fixes buggy programs while we sleep. Is it time to welcome our new robot guardians?

Posted: 30 Mar 2015 | 4:04 pm

CanSecWest 2015: everything is hackable

Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous companion, the Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone: BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the systems successfully hacked by our fellow presenters.

The event gathers a very technical audience with a shared interest in the most recent attacks, and the presenters delivered, with a variety of demos that showcased their vulnerabilities beautifully and reinforced the conclusion that digital voodoo can turn obscure and seemingly innocuous vulnerabilities into mind-numbingly cunning attacks.


One of the most discussed presentations, and certainly one of our favorites, showcased the power of BIOS and UEFI hacking: two researchers, Corey Kallenberg and Xeno Kovah of LegbaCore, armed with $2,000 and four weeks of hard work, showed that a long list of vendor BIOSes were not only vulnerable but could be loaded with LightEater, an SMM implant capable of pilfering sensitive information from Tails and exfiltrating it in a way that bypasses the OS entirely. We clearly agree with their conclusion: it's time to start taking a harder look at firmware!


Firmware insecurity: absence of evidence is not evidence of absence

One very possible attack is the well-known 'evil maid' or 'border guard' scenario: someone with physical access to your computer can plug in a small device (see below) and reflash the system's BIOS, rewriting it with malicious code, without so much as booting the system.


Press a button and in a few seconds the handy green light will indicate the BIOS is p0wned

Another very interesting presentation, by Jan "starbug" Krissler, showed how high-resolution photos can bypass biometric authentication. Pictures acquired with high-resolution cameras from a safe distance amounted to the successful theft of the fingerprints, faces, and irises that current biometric systems use for authentication. The distance can even be extended through the use of infrared imagery! We spent the talk imagining the breach possibilities, as an increasing number of ATMs nowadays rely on biometric input.


Please authenticate access to your bank account using a password you can never change: your fingerprint

We also saw presentations on Mac OS X dylib hijacking, userland exploits on iOS 8, attacks using Windows PowerShell, and even the installation of a bootkit in a 4G modem simply by sending an SMS! All sandwiched between explanations of the work of the ever fascinating Google Project Zero team. In one of these, Chris Evans walked the audience through how a 'simple' crash caused by a call with a negative length became an exploit for Adobe Flash Player.

Our own presentation was a walkthrough of the misuse of whitelisted tools to further all kinds of attacks, from APTs and targeted attacks to banking trojans and ransomware. This ongoing project is intended to highlight the faulty foundations of the whitelisting approach to security and to show that whitelisting alone simply won't protect you from advanced and intermediate attackers alike! Stay tuned for a post on our findings.

In the end, we expanded our view of the true breadth of vulnerable software and hardware on which we depend daily. Security is a truly elusive state in an ecosystem composed of interwoven, dependent systems, each responding to the diverging priorities of a developer, an administrator, a user, and, of course, an attacker as well. The role of the security researcher who lives and breathes attack vectors and obscure vulnerabilities in search of the right digital voodoo has never been more important. And we can't help but echo the sentiments of Dragos Ruiu and our own Eugene Kaspersky in thanking CanSecWest for bringing all these researchers under one roof and one banner to share that digital voodoo and successfully stave off the balkanization of our industry just a while longer.

Posted: 27 Mar 2015 | 6:48 am

An Overview of Exploit Packs (Update 24) Mar 2015

Update March 20, 2015

Added CVE-2015-0336

Reference table : Exploit References 2014-2015

Update February 19, 2015

Added Hanjuan Exploit kit and CVE-2015-3013 for Angler 

Update January 24, 2015 

Added CVE-2015-3010, CVE-2015-3011 for Angler and a few reference articles.
If you notice any errors, or any CVEs that need to be removed (were retired by the pack authors), please let me know. Thank you very much!

Update December 12, 2014

Update Jan 8, 2014

 This is version 20 of the exploit pack table - see the added exploit packs and vulnerabilities listed below.

Exploit Pack Table Update 20 (click to view or download from Google Apps)

I want to give special thanks to Kafeine, L0NGC47, Fibon and Curt Shaffer for their help and the updates they made. Note the new Yara rules sheet/tab for exploit kit Yara rules.
I also want to thank Kahu Security, Kafeine, Malforsec and all security companies listed in References for their research.

If you wish to be a contributor (be able to update/change the exploits or add yara rules), please contact me :)
If you have additions or corrections, please email, leave post comments, or tweet (@snowfl0w) < thank you!

The Wild Wild West image was created by Kahu Security  - It shows current and retired (retiring) kits.

List of changed kits
Gong Da / GonDad  Redkit 2.2  x2o (Redkit Light)  Fiesta (=Neosploit)  Cool  Styxy DotkaChef
CVE-2012-1889  CVE-2013-2460  CVE-2013-0634  CVE-2013-1493
CVE-2012-4681  CVE-2013-2551  CVE-2013-2423

Angler  FlashPack = SafePack  White Lotus  Magnitude (Popads)  Nuclear 3.x  Sweet Orange
CVE-2013-2551  CVE-2013-2551  CVE-2013-0634  CVE-2013-0422  CVE-2013-2551
CVE-2013-2471  ??  CVE-2013-2471  CVE-2013-2460

CK  HiMan  Neutrino  Blackhole (last)  Grandsoft  Private EK
CVE-2011-3544  CVE-2010-0188  CVE-2013-0431  CVE-2013-0422  CVE-2010-0188  CVE-2006-0003
CVE-2012-4792*  CVE-2013-2465  CVE-2013-2465*  and + all or some  CVE-2013-2423  CVE-2013-1347
CVE-2013-0634*  switch 2463* <> 2465*  from the previous  CVE-2013-2423
CVE-2013-3897  Possibly + exploits  version  CVE-2013-2460
* removed from the previous

Sakura 1.x  LightsOut  Glazunov  Rawin  Flimkit  Cool EK (Kore-sh)  Kore (formerly Sibhost)
and + all or some  CVE-2013-1690  CVE-2013-2423  CVE-2013-2471  CVE-2013-2463
from the previous

Styx 4.0  Cool Topic EK  Nice EK
CVE-2013-2423  and + all or some
CVE-2013-2463  from the previous
Social Eng


The Exploit Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish to contribute and be able to make changes, please contact me (see email in my profile)
I want to thank L0NGC47, Fibon, Kafeine, Francois Paget, Eric Romang, and other researchers who sent information for their help.

Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

  1. Styx
  2. Sweet Orange
  3. Neutrino
  4. Sakura
  5. Whitehole
  6. Cool
  7. Safe Pack
  8. Crime Boss
  9. CritX

Other changes
  1. Whitehole
  2. Redkit
  3. Nuclear
  4. Sakura
  5. Cool Pack
  6. Blackhole
  7. Gong Da
  1. KaiXin
  2. Sibhost
  3. Popads 
  4. Alpha Pack
  5. Safe Pack
  6. Serenity
  7. SPL Pack

    There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits

March 2013
The Exploit Pack Table, which has just been updated, has migrated to Google Apps - the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date.

In particular, I want to thank
L0NGC47, Fibon, and Kafeine  for their help.

There are 5 tabs in the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits
The updates include
  1. Neutrino  - new
  2. Cool Pack - update
  3. Sweet Orange - update
  4. SofosFO aka Stamp EK - new
  5. Styx 2.0 - new
  6. Impact - new
  7. CritXPack - new
  8. Gong Da  - update
  9. Redkit - update
  10. Whitehole - new
  11. Red Dot  - new

The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following packs have been added (see exploit listing below)

  1. Redkit 
  2. Neo Sploit
  3. Cool Pack
  4. Black hole 2.0
  5. Black hole 1.2.5
  6. Private no name
  7. Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
  8. Nuclear 2.1  (Update to 2.0 - actual v. # is unknown)
  9. CrimeBoss
  10. Grandsoft
  11. Sweet Orange 1.1 Update to 1.0 actual v. # is unknown)
  12. Sweet Orange 1.0
  13. Phoenix  3.1.15
  14. NucSoft
  15. Sakura 1.1 (Update to 1.0  actual v. # is unknown)
  16. AssocAID (unconfirmed)  

The full table in xls format - Version 17 can be downloaded from here.  

Exploit lists for the added/updated packs

AssocAID (unconfirmed)
Unknown CVE


Neo Sploit


Black hole 2.0
CVE-2012-4969 promised

Black hole 1.2.5
CVE-2007-5659 /2008-0655

Private no name

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)

Java Signed Applet


Sweet Orange 1.1

Sweet Orange 1.0

Phoenix  3.1.15
CVE: 2010-0248
CVE: 2011-2371
Firefox social
CVE: 2012-0500


Sakura 1.1

Version 16. April 2, 2012

Thanks to Kahu security
for Wild Wild West graphic 

The full table in xls format - Version 16 can be downloaded from here. 



1. Blackhole Exploit Kit 1.2.3
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2. CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino  via Krebs on Security
2. Eleonore Exploit Kit 1.8.91 and above- via Kahu Security
  1. CVE-2012-0507 - Java Atomic - added after 1.8.91 was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27  see Timo Hirvonen, Contagio, Kahu Security and Michael 'mihi' Schierl
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
3. Incognito Exploit Pack v.2 and above 
there are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.

Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See V.2 analysis via StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
  1. CVE-2012-0507 -  Java Atomic
  2. CVE-2011-3544 -  Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs

  1. CVE-2011-3544 Oracle Java Rhino
  2. CVE-2010-0840 JRE Trusted Method Chaining
  3. CVE-2010-0188 Acrobat Reader  – LibTIFF
  4. CVE-2006-0003 MDAC
6. Sakura Exploit Pack > v.1 via DaMaGeLaB

  1. CVE-2011-3544 - Java Rhino (It was in Exploitpack table v15, listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 -  WMP MIDI 
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x 
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security 
  1. CVE-2011-2140  - Flash 10.3.183.x
  2. CVE-2012-0003 -  WMP MIDI  
  3. CVE-2011-3544 - Java Rhino 
9. Dragon Pack - via DaMaGeLab  December 2010 - it is old, listing for curiosity sake

  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5. CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIco
  8. CVE-2009-4324 - newPlayer

Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

 Hierarchy Exploit Pack

Siberia Private

Techno XPack

"Yang Pack"

Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to  XyliBox (Xylitol - Steven),  Malware Intelligence blog,  and xakepy.cc for the information:

  1. Blackhole 1.2.1  (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0  (new kid on the block, private pack)
  4. Phoenix 2.8. mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured , please send it to my email (in my profile above, thank you very much) .

The full table in xls format - Version 14 can be downloaded from here. 

The exploit pack table in XLSX format
The exploit pack table in csv format 

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.

Version 13. Aug 20, 2011

Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)+
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ 
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)

List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. EL Fiiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty  1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix  2.0 
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack

Bleeding Life 3.0
New Version Ad is here 

Merry Christmas Pack
read analysis at
Best Pack
read analysis at 
Sava Pack
read analysis at
Eleonore 1.6.5 
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886
Salo Pack
Old (2009), added just for
the collection

Zero Pack
62 exploits from various packs (mostly Open Source pack)
LinuQ pack
Designed to compromise Linux servers using vulnerable phpMyAdmin. Comes with a DDoS bot, but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is a phpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered original, unique, new, or anything special. All exploits are public and well known.

It is designed to be installed on an IRC server (like UnrealIRCd). IP ranges listed in bios.txt can be scanned; vulnerable IPs and the specific PMA vulnerabilities are listed in vuln.txt, and the corresponding exploits can then be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It is using
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)

Version 12. May 26, 2011
additional changes (many thanks to kahusecurity.com)

See the list of packs covered in the list below

The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information  :)

Version 11 May 26, 2011 Changes:
    1. Phoenix2.7
    2. "Dloader" (well, dloader is a loader but the pack is  some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
    3. nuclear pack
    4. Katrin
    5. Robopak
    6. Blackhole exploit kit 1.1.0
    7. Mushroom/unknown
    8. Open Source Exploit kit


    10. May 8, 2011 Version 10        Exploit Pack Table_V10May11
    First, I want to thank everyone who sent and posted comments for updates and corrections. 

    *** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security  Wild Wild West Update

    As usual, send your corrections and update lists.

    • Eleonore 1.6.4
    • Eleonore 1.6.3a
    • Incognito
    • Blackhole
    Go1Pack (not included) was reported as being a fake pack; here is a GUI. Here is a threatpost article referencing it as it was used for an attack
    Also, here is another article claiming it is not a fake http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
    Go1 Pack CVE are reportedly

    Does anyone have this pack or see it offered for sale?

    Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

    • Open Source Exploit Kit
    • SALO
    • K0de

    Black color entries by Francois Paget
    Red color entries by Gunther
    Blue color entries by Mila

    Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

     9.  April 5, 2011  Version 9        ExploitPackTable_V9Apr11

    It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

    Phoenix 2.5
    Bleeding life

    Many thanks to Gunther for his contributions.
    If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes

    8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

    1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
    2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to etonshell for noticing)
    3. SEO Sploit pack added (thanks to whsbehind.blogspot.com,  evilcodecave.blogspot.com and blog.ahnlab.com)

    7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released
     thanks to SecNiche we have updates for Phoenix 2.4 :)
    We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!

    6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released
     Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3

    5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released
    Added updates for Phoenix 2.1 and Crimepack 3.1.3

    4 Update 4  July 23, 2010  Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
    Update 3  July 7, 2010. Please read more about this on the Brian Krebs' blog Pirate Bay Hack Exposes User Booty 
    Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue
    Update 1 June 24, 2010 Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

    Francois Paget  www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

    Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks, please do no hesitate to email me if you know the answer or if you see any errors.

    Please click on the image below to expand it (it is a partial screenshot)  Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.

    Posted: 20 Mar 2015 | 8:48 pm

    Our VPN Service Takes Your Privacy Seriously

    TorrentFreak recently asked "leading [VPN] providers about their logging practices and other privacy sensitive policies."

    TorrentFreak Questions

    Questions such as:

    1 — Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

    2 — Under what jurisdiction(s) does your company operate?

    3 — What tools are used to monitor and mitigate abuse of your service?

    The folks responsible for our Freedome VPN answered:

    TorrentFreak Answers

    Read all the questions/answers at TorrentFreak and/or our Safe and Savvy blog.

    On 19/03/15 At 03:26 PM

    Posted: 19 Mar 2015 | 6:30 am

    Malicious Word Macro Caught Using Sneaky Trick

    There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.

    Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”


    Opening the Word document, first thing you’ll notice is the security warning and below it a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”


    Clicking the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince an unsuspecting recipient.


    Using OfficeMalScanner, the macros, specifically the one called “ThisDocument”, can be dumped to a file for analysis.


    Let's try it with oledump. It nicely lists the streams inside the document.


    We can also dump the ‘ThisDocument’ stream.


    Looking at the macro, we can see a lot of string concatenation going on, with the usual junk statements in between the legitimate VBA code.


    A quarter of the way in, there are some URLs to take note of.


    Basically, the VBA macro builds a VBS script and writes it out to disk.


    Interestingly, this VBS in turn invokes a PowerShell script. How vogue. It's now very clear what it's doing: downloading and executing a file from the Internet, then downloading an image for statistics, and cleaning up after itself.
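    As an added example (not code from the original post, and not the malware's own source), here is a small Python helper that folds the kind of split-literal concatenation described above back into plain strings and pulls out the URLs, so the download location can be read off a dumped macro without running it. The VBA fragment it runs on is constructed to imitate the pattern (literals joined with "&" and "+", Chr() constants, "_" line continuations, junk statements); the hostname example.test and every path in it are made up.

```python
import re

# Constructed VBA fragment imitating the obfuscation described in the post
# (split string literals joined with "&"/"+", Chr() constants, "_" line
# continuations and junk statements). It is not the real macro; the hostname
# example.test and all paths are made up.
SAMPLE_VBA = r'''
Sub ThisDocument_Open()
    Dim qq As String
    Dim junk1 As Integer
    junk1 = 4 * 17
    qq = "ht" & "tp:" & Chr(47) & "/exa" & _
         "mple.test/im" & "g/stat.png"
    Dim rr As String
    rr = "http://" + "example.test" + "/inv" + "oice.exe"
    Dim vbsPath As String
    vbsPath = Environ("TEMP") & "\" & "upd" & Chr(46) & "vbs"
    Call findText
End Sub
'''

LITERAL = r'"(?:[^"]|"")*"'            # VBA string literal; "" escapes a quote
CHR = r'Chr\(\s*\d+\s*\)'               # Chr(NN) character constant
TOKEN = rf'(?:{LITERAL}|{CHR})'
# Two or more tokens glued together with & or + (both concatenate in VBA).
CONCAT_RE = re.compile(rf'{TOKEN}(?:\s*[&+]\s*{TOKEN})+')
CHR_ARG_RE = re.compile(r'Chr\(\s*(\d+)\s*\)')


def _token_value(tok: str) -> str:
    """Evaluate one literal or Chr() token to the text it stands for."""
    m = CHR_ARG_RE.fullmatch(tok)
    if m:
        return chr(int(m.group(1)))
    return tok[1:-1].replace('""', '"')


def join_continuations(src: str) -> str:
    """Fold VBA ' _' line continuations so each statement is one line."""
    return re.sub(r'[ \t]+_[ \t]*\r?\n\s*', ' ', src)


def fold_concats(src: str) -> str:
    """Rewrite every chain of concatenated literals as a single literal."""
    def repl(m: re.Match) -> str:
        value = ''.join(_token_value(t) for t in re.findall(TOKEN, m.group(0)))
        return '"' + value.replace('"', '""') + '"'
    return CONCAT_RE.sub(repl, join_continuations(src))


def recovered_literals(src: str) -> list:
    """All string literal values after folding, in source order."""
    return [_token_value(t) for t in re.findall(LITERAL, fold_concats(src))]


URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def extract_urls(src: str) -> list:
    """Unique URLs visible once the concatenation has been folded."""
    return sorted(set(URL_RE.findall(fold_concats(src))))


if __name__ == "__main__":
    for s in recovered_literals(SAMPLE_VBA):
        print(repr(s))
    print(extract_urls(SAMPLE_VBA))
```

    Running it on the sample prints the two folded URLs and the dropped-file name (the TEMP path is left as an Environ() call, since only literal chains are folded). Pipe the output of `oledump.py -s N -v` into `fold_concats` to do the same on a real dump; it will not evaluate arithmetic, StrReverse or Replace() tricks, which need a proper VBA emulator such as ViperMonkey.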


    Let me download the file…


    And see what VirusTotal has to say…


    Regarding that image download, here’s what it is:


    The image's download stats are in the red box. Not sure how many of those are victims vs. security folks, but it could be an impressive number.


    Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see references to “findText” and “secondText”, followed by some clean-up code.


    The findText subroutine looks for content between “<select></select>” tags and deletes it.


    The secondText routine looks for “<inbox></inbox>” tags and changes the font color of their contents to black.


    Ah! It's not doing any decryption at all; it's just clever sleight of hand. The invoice text was there all along, hidden as white-on-white text. Here you can see the hidden content highlighted in green.


    Sneaky indeed.
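    To make the trick concrete, here is an added Python model of what findText and secondText do to the document body, so the hidden invoice can be read out statically instead of by enabling the macro, plus a triage check for the tell-tale combination of marker tags and white text. This is example code, not the macro and not the original post's material. It works on a constructed list of (text, font colour) runs typed in by hand; a real .docx could be turned into the same shape with python-docx (run.text and run.font.color.rgb), which is not used here so the block runs offline.

```python
import re

WHITE = "FFFFFF"   # font colour that hides text on a white page
BLACK = "000000"

# Constructed run list standing in for a document body: (text, font colour).
# This is not the actual malicious document; the invoice values are invented.
SAMPLE_RUNS = [
    ("If you document have incorrect encoding - enable macro\n", BLACK),
    ("<select>", WHITE),
    ("Gk4q 9zx!! pwr;; 77mb qqX lorem\n", BLACK),
    ("</select>", WHITE),
    ("<inbox>", WHITE),
    ("INVOICE #4711\nAmount due: 1,250.00 EUR\n", WHITE),
    ("</inbox>", WHITE),
]


def _flatten(runs):
    """Per-character (char, colour) list so tags can span run boundaries."""
    return [(ch, colour) for text, colour in runs for ch in text]


def _to_runs(chars):
    """Merge adjacent characters of the same colour back into runs."""
    runs = []
    for ch, colour in chars:
        if runs and runs[-1][1] == colour:
            runs[-1] = (runs[-1][0] + ch, colour)
        else:
            runs.append((ch, colour))
    return runs


def find_text(runs):
    """Mimic findText: delete everything from <select> to </select>."""
    chars = _flatten(runs)
    text = "".join(ch for ch, _ in chars)
    drop = set()
    for m in re.finditer(r"<select>.*?</select>", text, re.S):
        drop.update(range(m.start(), m.end()))
    return _to_runs([c for i, c in enumerate(chars) if i not in drop])


def second_text(runs):
    """Mimic secondText: turn the <inbox>...</inbox> contents black, drop the tags."""
    chars = _flatten(runs)
    text = "".join(ch for ch, _ in chars)
    drop = set()
    for m in re.finditer(r"<inbox>(.*?)</inbox>", text, re.S):
        for i in range(m.start(1), m.end(1)):
            chars[i] = (chars[i][0], BLACK)
        drop.update(range(m.start(), m.start(1)))
        drop.update(range(m.end(1), m.end()))
    return _to_runs([c for i, c in enumerate(chars) if i not in drop])


def visible_text(runs):
    """What a reader sees: every run except white-on-white ones."""
    return "".join(text for text, colour in runs if colour != WHITE)


def reveal(runs):
    """Static equivalent of enabling the macro."""
    return visible_text(second_text(find_text(runs)))


def looks_like_white_text_trick(runs):
    """Triage check: marker tags plus non-blank white text is the tell."""
    body = "".join(text for text, _ in runs)
    has_tags = "<select>" in body or "<inbox>" in body
    hidden = any(text.strip() and colour == WHITE for text, colour in runs)
    return has_tags and hidden


if __name__ == "__main__":
    print("--- as delivered ---")
    print(visible_text(SAMPLE_RUNS))
    print("--- after the macro would run ---")
    print(reveal(SAMPLE_RUNS))
    print("suspicious:", looks_like_white_text_trick(SAMPLE_RUNS))
```

    The tag strings are specific to this sample, so for triage the more durable signal is the second half of the check: a document with a macro and a substantial amount of non-blank text in the page background colour deserves a closer look regardless of which markers the macro keys on.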

    Posted: 6 Mar 2015 | 8:24 pm

    From Russia with love: Sofacy/Sednit/APT28 is in town

    Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again, courtesy of FireEye and a new report they published.

    FireEye did a pretty good job on attribution and provided some technical indicators; however, they neglected to reference previous work on this threat actor from companies such as PWC, TrendMicro, ESET and others.

    We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content of the malicious documents and the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence.

    The techniques used by this group have evolved over the years.

    - Spearphishing

    Most of the spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

    As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

    We detect these tools with the following USM rules:

    - Web compromises

    The group has also been seen compromising websites and redirecting visitors to a custom exploit kit that exploits the following vulnerabilities in Internet Explorer:

    The following rule detects activity related to this exploit kit:

    - Phishing campaigns

    This actor also runs phishing campaigns that redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. The aim is to harvest credentials and then use them to access mailboxes and other services within the company.

    Inspecting the content of the malicious redirect, we can alert on this activity using the following rule:
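    As an added illustration of what such an alert has to key on (this is example code written for this page, not the USM rule the post refers to, and it uses a host-based heuristic rather than the rule's packet content match), here is a Python check that takes the target of a redirect and decides whether it looks like an OWA impersonation of a given organisation: a legitimate OWA hostname is assumed to be mail.example.test, the redirect targets are constructed, and the registrable-domain logic is a deliberate simplification (last two labels) that a production version should replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Hypothetical organisation whose real OWA lives here (assumption for the example).
LEGIT_OWA_HOST = "mail.example.test"

# Constructed redirect targets, all under the reserved .test TLD.
SAMPLE_REDIRECTS = [
    "https://mail.example.test/owa/",                    # the real portal
    "https://mail.examp1e.test/owa/auth/logon.aspx",    # typosquat, one edit away
    "https://example-mail.test/owa/",                   # brand label under another domain
    "https://webmail.example-owa.test/owa/auth/",       # brand label in a subdomain label
    "https://cdn.partner.test/static/logo.png",         # unrelated, no OWA path
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values between hosts suggest typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplification: last two labels. Use the Public Suffix List in production
    (e.g. the publicsuffix2 package) so that hosts under co.uk etc. are handled."""
    return ".".join(host.lower().split(".")[-2:])


def brand_label(legit_host: str) -> str:
    """The organisation's own label, e.g. 'example' for mail.example.test."""
    return registrable_domain(legit_host).split(".")[0]


def classify_redirect(url: str, legit_host: str = LEGIT_OWA_HOST,
                      max_distance: int = 2):
    """Return None for a benign target, or a short reason why it looks like an
    impersonation of the organisation's OWA portal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or "/owa" not in parts.path.lower():
        return None                                    # not an OWA-style logon at all
    if registrable_domain(host) == registrable_domain(legit_host):
        return None                                    # our own domain
    distance = levenshtein(host, legit_host.lower())
    if distance <= max_distance:
        return f"host {host} is {distance} edit(s) from {legit_host}"
    brand = brand_label(legit_host)
    if any(brand in label for label in host.split(".")):
        return f"host {host} reuses brand label {brand!r} under another domain"
    return f"OWA logon path served from unrelated host {host}"


def triage(urls, legit_host: str = LEGIT_OWA_HOST) -> dict:
    """Map each flagged URL to its reason; benign URLs are left out."""
    result = {}
    for url in urls:
        reason = classify_redirect(url, legit_host)
        if reason:
            result[url] = reason
    return result


if __name__ == "__main__":
    for url, reason in triage(SAMPLE_REDIRECTS).items():
        print(f"ALERT {url}\n      {reason}")
```

    Fed with Location headers or JavaScript redirect targets pulled from proxy logs, the same function flags three of the five constructed targets and stays quiet on the organisation's own portal and on unrelated hosts. The third branch (an OWA logon path on any host that is neither ours nor a near miss) is the broadest and the one most likely to need an allowlist for partner or hosted mail services.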


    [1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
    [2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
    [3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
    [4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
    [5] http://malware.prevenity.com/2014/08/malware-info.html
    [6] http://www.fireeye.com/resources/pdfs/apt28.pdf


    Posted: 28 Oct 2014 | 9:30 pm

    A More Realistic Perspective on Cybersecurity from the Director of the NSA

    A few days ago Admiral Mike Rogers, director of the NSA and Commander of U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear: CYBER-RESILIENCY. He discussed the impractical reactions that are typical of cyber intrusions today. After an attack a network may be shut down temporarily and operations cease, in government and private sector organizations alike. Both the Admiral and we here at Cyber Engineering Services believe this is an unnecessary and damaging response.

    The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack, while keeping the network and productivity online. In his speech the Admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago: cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

    Accepting this can be a hard pill for companies to swallow, as it is natural to want to put an end to all intrusions and data loss. However, accepting the problem doesn't change its nature; it allows for the development of more realistic strategies. As the Admiral puts it, “This is not a small problem. It's not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining that the government alone is not going to conquer this problem; the private sector needs to step up to the plate and get realistic and proactive.

    At Cyber Engineering Services we are very excited to see key individuals in the cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moment's notice. We are ready to do our part in the cyber-resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

    If you'd like to read more of the Admiral's message, see the link below to a summary written by Mike Donohue.

    NSA Rodgers Urges Cyber-Resiliency

    Posted: 19 Sep 2014 | 2:44 pm