GPack


Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

A new exploit framework, called Gpack, has been popping up on our radar for a while now. We couldn't find much information on it, so we thought we'd better write some.

The first interesting thing about it is that the external, obfuscated wrapping script is a mix of vbscript and javascript. In other words, some of it is interpreted by the vbscript engine, and the result of that is then used to interpret the javascript portion. The idea here is to make it hard to decrypt and hard for av engines to follow. To some extent they're successful with this, as the un-obfuscated code is seriously ugly and hard to follow.

The second interesting point is that there is nothing new in it. They've gone to a lot of trouble to obfuscate some really old and common exploits.

The third interesting thing is the number of innocent websites that have been hacked by someone pointing back at this kit. There are lots and lots of them... mostly mom and pop shops, but _lots_. We haven't figured out what the common thread between them is so far, but there clearly is one, for so many to be hacked.

The fourth interesting thing is that while there is clearly more than one set of Bad Guys involved, most of them seem to be hosted by the same ISP, because the exploit IPs are similar.

By the way, the exploit set seems to be:

MDAC / MS06-014
MDAC variant - MS06-042
QuickTime
SetSlice
WinZip
VML

These are very common, and we can assume the author simply lifted them from the public domain, and put most of his effort into the obfuscation.

Nothing new here folks, except that it's being quite widely adopted.

Cheers

Roger



Hello folks,

Thank you for some information on this attack, which has not been commented on a lot yet.

My site was contaminated some weeks ago and I would not have noticed it if not for a friend whose antivirus reacted, mine did not.

So, for me it happened this way. The script line with an eval(unescape(... is added to all the index pages of the site. No other page is touched but any page named index is.

It was done directly on the server and, since my site is plain static html, I suppose the attack went through some flaw on another site and modified all the sites on the server (shared hosting).

I cleaned the site by reposting and, so far nothing has reappeared.

Thanks again for the info.
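The injection the commenter describes (a one-line eval(unescape(...)) appended to every index page on a shared host) can be checked for without ever running the script: percent-decode the string literal handed to unescape and look at what it was going to eval. The scanner below is an added example, not code from this post or from SecGeeks; the HTML page, the harmless document.write payload and the file names are constructed samples, and the webroot layout is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Matches eval(unescape('...')) / eval(unescape("...")) and captures the literal.
EVAL_UNESCAPE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.DOTALL
)

# Constructed sample of an injected static page. The payload decodes to
# document.write("constructed"); a real injection would carry the kit's loader.
INJECTED_PAGE = """<html><head><title>Shop</title></head>
<body><h1>Welcome</h1>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%63%6f%6e%73%74%72%75%63%74%65%64%22%29'))</script>
</body></html>"""

CLEAN_PAGE = "<html><body><p>About us</p></body></html>"


def js_unescape(s: str) -> str:
    """Decode the way JavaScript's unescape() does: %XX and %uXXXX sequences.
    This is a pure string transform; nothing is evaluated."""
    def repl(m: re.Match) -> str:
        hexval = m.group(1) or m.group(2)
        return chr(int(hexval, 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def find_injections(html: str) -> list[str]:
    """Return the decoded payload of every eval(unescape('...')) call in a page."""
    return [js_unescape(m.group(2)) for m in EVAL_UNESCAPE.finditer(html)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a webroot and map each file carrying an eval(unescape(...)) call
    to its decoded payloads. Scanning every file, not just index pages, lets
    you see whether the 'only index.* is touched' pattern holds on your host."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        payloads = find_injections(text)
        if payloads:
            hits[path.relative_to(root).as_posix()] = payloads
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed webroot (two injected index pages, one clean page)
    in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "shop").mkdir()
        (root / "index.html").write_text(INJECTED_PAGE, encoding="utf-8")
        (root / "shop" / "index.htm").write_text(INJECTED_PAGE, encoding="utf-8")
        (root / "about.html").write_text(CLEAN_PAGE, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for name, payloads in sorted(demo().items()):
        for payload in payloads:
            print(f"{name}: {payload}")
```

The decoder only peels the outermost percent-encoding layer. Kits like this one typically nest further eval or string-building stages inside, so treat the decoded text as the next thing to read, not as the final loader, and keep it out of any interpreter while you do. Because the scanner flags the call pattern rather than a specific payload, it also catches the same injection with a different encoded string, which is what you want for a recheck after cleaning the site.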

Good to know that it helped you. Is there any way I can see that malicious javascript?

-SecGeek