Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: DIY Exploits Embedding Tools

Tuesday, September 04, 2007

DIY Exploits Embedding Tools - a Retrospective

Great analysis by the Spywareguide folks -- Chris Boyd and Peter Jayaraj in this assessment -- especially my deja vu moment with the King's IE Exploiter tool which I intented to cover in an upcoming post, in a combination with a brief retrospective of exploit and malware embedding tools that were empowering entire generations of script kiddies during the last couple of years. These tools are a great example of what the DIY trend used to look like before malicious economies of scale were embraced in the form of today's modular and efficiency-centered malware kits we're aware of.

-- The IE Exploiter v1.0/2.0

The tool is first know to have emerged back in 2002, with its latest version released in 2004. It was first branded

as the "Fearless IE Exploiter" and then returned back to it's original name. Description of the v1.0 : "Fearless IE Exploiter allows you to embed executable files into HTML documents, that when viewed in an unpatched version of Internet Explorer 5.* will automatically download and execute the .exe". And the description of v2.0 : "IE Exploiter v2 is a very simple tool that creates a HTML file with an embedded executable file. Once the HTML file is viewed the executable file will overwrite notepad.exe on the target system and then execute it using the view-source: prefix."

Result: 22/32 (68.75%)

File size: 149359 bytes

MD5: 315cd35aa5a0334697832e83fac7b0dc

SHA1: 71a7929f7781d969a63e532cd8cd877940a2ca12

-- King's IE Exploiter

King's IE Exploiter is an Arabic DIY exploit embedding tool released around 2004. Despite that the malware embedded sites generated on-the-fly come totally unobfuscated, we will yet wait and see the eventual release of such feature.

Result: 6/32 (18.75%)
File size: 253440 bytes

MD5: e6052d3abf95429fd761feef0a695470

SHA1: 9f91e21bf9e8898a09c36b31bb1f5afff3cb8f35

-- Zephyrus

Again relased around 2004, the description reads : "Its a prove of concept tool to generate a Stench MediaPlayer Exploit file more infos about stench can be found here http://malware.com or at here AVP calls it exploit.win32.zephyrus"

Result: 30/32 (93.75%)

-- God's Will

The description reads : "A GODMESSAGE page is an HTML page that works with an ACTIVEX bug founded in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view our godmessaged page he downloads an HTA file in his STARTUP FOLDER.'

Result: 32/32 (100%)

-- Ed Html Infector

The description of the tool circa 2004 reads : "Ed HTML Infector is a very simple tool that creates HTML file with an embedded executable file within."

Result: 14/32 (43.75%)

File size: 118784 bytes

MD5: 94c642903318f89d410c64d46f2047aa

SHA1: b834cd34283e541dccb5aad81fb49ca97adbb48c

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. PGP Key ID: 83BF0DBA Phone: +1 646 419 4540 Approach me dancho.danchev@hush.com