Hi folks,
Welcome to 2008. Let's hope it's a safer year than last.
Given that Neosploit seems to be gaining in popularity, and seems to be being modified fairly often, we thought it would be worthwhile to take a bit of a snapshot of it, for posterity's sake, if nothing else.
Here's what we're seeing in January 2008: (Props to Glenn Jordan of AVG/ Grisoft, and Nick FitzGerald for their Most Excellent help with decryption and analysis)
First there's a sort of pre-amble... typically there is a launcher script whose job it is to simply redirect to the exploit script. We say "simply" with our tongue firmly in our cheek because the launch scripts are typically encoded twice with Neosploit to make it hard for crawl-bots (but not a browser) to follow, and it appears that they might be encoded with the ip of victim, so that the exe is hard to get (except for a victim).
Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...
(1) first is the venerable MDAC (MS06-014). It's old, (worked up to Sep 2006), but it works like a charm if you're not patched.
(2) second is one of the many QuickTime exploits. It's not easy to determine which version it is, but it's probably one of last years.
(3) three is AOL's SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On (tm))
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.
Interestingly the previously-popular WinZip exploit has been dropped.
The payload, or the exe that gets delivered, of course varies from website to website.
It will be interesting to see how long it takes to update it with the current RealPlayer exploit.
Keep safe folks!
Roger
Labels: storm neosploit