McAfee Labs

An Overview of Exploit Packs

By on May 28, 2010

Today’s cybercriminals frequently use “exploit packs” to easily snare victims for their botnets. Users with underprotected computers who visit booby-trapped websites become the latest botnet zombies. I often receive requests asking me which exploit packs are current and which vulnerabilities they use.

To answer these inquiries, I’ve created a table that lists the exploits referenced by their Common Vulnerabilities & Exposures (CVE) names and their related kits.

Looking at this table, we can see that the most up-to-date kit is Crimepack. Version 3.0 alpha is in the wild. In March 2010, Version 2.2.1 was offered for $400.

Next is the Phoenix Exploit Kit. Its price was around $400 in November 2009.

The Eleonore exploit pack is another popular tool. It was recently in the news after the hack of the United States Treasury website. In February 2010, Version 1.3.2 sold for $1,200. In July 2009, Version 1.2 went for $700 plus $50 for an encrypter. For $1,500, buyers received a version allowing them to manage the tool through their own domains.

Next we have Fragus ($800), Yes Exploit Kit, and Siberia. In April 2010, the Yes Exploit Kit Standard Edition sold for $900. For an additional $250, buyers could include an “abuse-immunity” Virtual Private Server for one month and two “abuse-immunity” domains.

In the final four columns you’ll find the oldest common tools, offered from 2006 to 2008: El Fiesta, Icepack, MPack, and WebAttacker.


4 Comments

  • Nice report, Francois.
    On the same subject, notice that in two weeks, TEHTRI-Security will explain how to strike back against those evil web tools, during next SyScan Singapore Conference.
    We will come with many innovative methods and tools that allow white hats to have a new way to get rid of those kinds of threats.
    Some other packs we’ve been looking at, and that are not in the list you provided: Tornado, Limbo, Lucky, Neon, Nuke, Spack, Sploit, Unique, ZoPack…
    Feel free to share source code if you want us to analyze it. We love to have a look at the web part related to those exploits kits.
    Best regards, and thanks for this very interesting table.
    Laurent, CEO TEHTRI-Security

  • shellprompt

    Siberia contains at least 11 exploits. See screenshot @ http://3.bp.blogspot.com/_Mcy4oUq8gAQ/S__mJ6cigII/AAAAAAAAALE/kjug05Aai04/s1600/MI-siberia-exp-pack-exploits.png

  • I’ve seen several of the exploit packs using the recent Java web toolkit exploit. I don’t have my notes in front of me, but I feel like Eleonore and Phoenix were both utilizing VU#886582. I don’t see that vuln on your list, but it’s been popping up everywhere.

  • wHiz0un

    First, the images don’t load.

    Second, the Eleonore versions are a little bit outdated. Data recovered from the readme.txt of version 1.4.1:

    1.3 [25.10.2009]
    1.3.1 [16.11.2009]
    1.3.2 [16.12.2009]
    1.4 [22.03.2010]
    1.4.1 [26.04.2010]

    Best regards.
