Sunday, April 27, 2008

The FirePack Exploitation Kit - Part Two

Has the cash bubble around web malware exploitation kits popped already? The recent release of yet another proprietary version of the FirePack malware exploitation kit, at a price sharply reduced from the original one (which in February was $3000), speaks for itself. The original FirePack was a textbook case of exclusiveness for its own sake on the part of the malicious parties: a quick attempt to cash in by pitching a new and undetected kit, with literally zero differentiation next to now commodity web malware exploitation kits such as IcePack and MPack.

The original FirePack kit shipped with six exploits, with more promised in scheduled updates. The exploits, and their current signature-based detection rates, are as follows:

FF5B341AC.php - MSIE 6
EF57CCF90.php - MSIE 7
EF57CCF90.php - Firefox 1
CCF45A00D.php - Firefox 2
CCF45A00D.php - Opera 7
99FFC5BA4.php - Opera 9
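The list above implies the usual kit behaviour: the landing page fingerprints the visitor's User-Agent and serves the exploit page matched to that browser and major version. The following is an added Python reconstruction of that dispatch for illustration only; it is not FirePack's own PHP (which is not reproduced on this page), and only the filename-to-browser mapping comes from the post. The User-Agent strings in the test are constructed samples, and the "serve nothing to an unknown browser" rule is an assumption, not a documented FirePack feature.

```python
import re
from typing import Optional, Tuple

# Exploit pages as listed on the page, keyed by (browser, major version).
# The mapping is from the post; everything around it is a reconstruction.
EXPLOIT_PAGES = {
    ("msie", 6): "FF5B341AC.php",
    ("msie", 7): "EF57CCF90.php",
    ("firefox", 1): "EF57CCF90.php",
    ("firefox", 2): "CCF45A00D.php",
    ("opera", 7): "CCF45A00D.php",
    ("opera", 9): "99FFC5BA4.php",
}

_OPERA_RE = re.compile(r"Opera[/ ](\d+)")
_FIREFOX_RE = re.compile(r"Firefox/(\d+)")
_MSIE_RE = re.compile(r"MSIE (\d+)")


def fingerprint(user_agent: str) -> Optional[Tuple[str, int]]:
    """Return (browser, major_version) for a User-Agent, or None if unknown.

    Opera is tested first on purpose: Opera 7/8 by default identified itself as
    'Mozilla/4.0 (compatible; MSIE 6.0; ...) Opera 7.54', so a kit (or a
    detection rule) that checks for MSIE first mis-routes it to the IE exploit.
    """
    m = _OPERA_RE.search(user_agent)
    if m:
        return ("opera", int(m.group(1)))
    m = _FIREFOX_RE.search(user_agent)
    if m:
        return ("firefox", int(m.group(1)))
    m = _MSIE_RE.search(user_agent)
    if m:
        return ("msie", int(m.group(1)))
    return None


def select_exploit(user_agent: str) -> Optional[str]:
    """Pick the exploit page for this visitor, or None when no exploit applies.

    Returning None for unmatched browsers (crawlers, AV sandboxes, unsupported
    versions) is an assumed behaviour; it keeps the payload away from visitors
    it cannot exploit, which also keeps it away from some scanners.
    """
    fp = fingerprint(user_agent)
    if fp is None:
        return None
    return EXPLOIT_PAGES.get(fp)
```

Seen from the defender's side, the same logic explains why a sample fetched with a crawler or a non-browser User-Agent may look benign: the kit hands out nothing unless the fingerprint hits one of its entries, so replaying a capture with the victim's exact User-Agent is what reproduces the served exploit.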

Scanners result : 11/32 (34.38%)
HTML/MS06006.DF!exploit; Exploit-MS06-006.gen
File size: 3685 bytes
MD5...: ed71d57ddf70a5993b34e3bbcda23f2d
SHA1..: cc0eceb9e8cc3475752c959be70204b6f4d82168

Scanners result : 6/32 (18.75%)
Trojan.DL.Script.JS.Agent.low; Exploit-OperaTN
File size: 1815 bytes
MD5...: 166fa42343dd59d941e24177a0da9102
SHA1..: e85701841a40c0017c06e2feb023272bff1b06f1

Scanners result : 15/32 (46.88%)
HTML/MS06006.BB!exploit; Exploit:JS/ShellCode.A
File size: 5861 bytes
MD5...: 9a6fe9ce8ed521ceb499954c944be812
SHA1..: 4ad63cc7ee602b2f57032b4e524064ac459df150

Scanners result : 18/30 (60%)
JS/MS05-054!exploit; Exp/MS06071-A
File size: 6996 bytes
MD5...: e5e3623838da4d0b7922a3cde229c7c3
SHA1..: 2d951f1368311873321b6bfc292644b090f93305

Scanners result : 10/32 (31.25%)
Generic.XPL.ADODB.42D1EF40; Exploit-MS06-014
File size: 2123 bytes
MD5...: bac1e03a64ba47a3005d435af8954cd6
SHA1..: e46afa408445ac5f2331119b746605a4bf8d0904

The latest release, offered for $300, is entirely Internet Explorer centered: it includes all of the publicly available exploits for IE6 and IE7, with the natural modularity that lets the buyer bundle any set of exploits to serve a large-scale campaign.

A proprietary tool or service does not necessarily outpace a free one in quality and reliability. Then again, where there is demand for web malware exploitation kits, there is also a supply of what, for the time being, look like commodity ones. The irony is that the sellers may actually be making more money from the services they offer alongside the kit than from volume-based sales of the kit itself. What's to come? Hybrid web malware exploitation kits with all-in-one exploit sets organized per OS and per application, not just per browser, putting even more emphasis on client-side vulnerabilities.