Today’s cybercriminals frequently use “exploit packs” to easily snare victims for their botnets. Users with underprotected computers who visit booby-trapped websites become the latest botnet zombies. I often receive requests asking me which exploit packs are current and which vulnerabilities they use.
To answer these inquiries, I’ve created a table that lists the exploits referenced by their Common Vulnerabilities & Exposures (CVE) names and their related kits.

Looking at this table, we can see that the most up-to-date kit is Crimepack.
Version 3.0 alpha is in the wild. In March 2010, Version 2.2.1 was offered for $400.

Next is the Phoenix Exploit Kit. Its price was around $400 in November 2009.

The Eleonore exploit pack is another popular tool. It was recently in the news after the hack of the United States Treasury website. In February 2010, Version 1.3.2 sold for $1,200. In July 2009, Version 1.2 went for $700 plus $50 for an encrypter. For $1,500, buyers received a version allowing them to manage the tool through their own domains.

Next we have Fragus ($800), Yes Exploit Kit, and Siberia. In April 2010, the Yes Exploit Kit Standard Edition sold for $900. For an additional $250, buyers could include an “abuse-immunity” Virtual Private Server for one month and two “abuse-immunity” domains.
In the final four columns you’ll find the oldest common tools, offered from 2006 to 2008: El Fiesta, Icepack, MPack, and WebAttacker.
Nice report, Francois.
On the same subject, notice that in two weeks, TEHTRI-Security will explain how to strike back against those evil web tools, during the next SyScan Singapore Conference.
We will come with many innovative methods and tools that allow white hats to have a new way to get rid of those kinds of threats.
Some other packs we’ve been looking at, and that are not in the list you provided: Tornado, Limbo, Lucky, Neon, Nuke, Spack, Sploit, Unique, ZoPack…
Feel free to share source code if you want us to analyze it. We love to have a look at the web part related to those exploit kits.
Best regards, and thanks for this very interesting table.
Laurent, CEO TEHTRI-Security
Siberia contains at least 11 exploits. See screenshot @ http://3.bp.blogspot.com/_Mcy4oUq8gAQ/S__mJ6cigII/AAAAAAAAALE/kjug05Aai04/s1600/MI-siberia-exp-pack-exploits.png
I’ve seen several of the exploit packs using the recent Java web toolkit exploit. I don’t have my notes in front of me, but I feel like Eleonore and Phoenix were all utilizing VU#886582. I don’t see that vuln on your list, but it’s been popping up everywhere.
First, the images don’t load.
Second, the Eleonore versions are a little bit outdated. Data recovered from the readme.txt of version 1.4.1:
1.3 [25.10.2009]
1.3.1 [16.11.2009]
1.3.2 [16.12.2009]
1.4 [22.03.2010]
1.4.1 [26.04.2010]
Best regards.