A new exploit framework, called Gpack, has been popping up on our radar for a while now. We couldn't find much information on it, so we thought we'd better write some.
The second interesting point is that there is nothing new in it. They've gone to a lot of trouble to obfuscate some really old and common exploits.
The third interesting thing is the number of innocent websites that have been hacked by someone pointing back at this kit. There are lots and lots of them... mostly mom and pop shops, but _lots_. We haven't figured out what the common thread between them is so far, but there clearly is one, for so many to be hacked.
The fourth interesting thing is that while there is clearly more than one set of Bad Guys involved, most of them seem to be hosted by the same ISP, because the exploit IPs are similar.
By the way, the exploit set seems to be:
MDAC variant - MS06-042
These are very common, and we can assume the author simply lifted them from the public domain, and put most of his effort into the obfuscation.
Nothing new here folks, except that it's being quite widely adopted.