
Now Exploiting: Phoenix Exploit Kit Version 2.5

The Phoenix Exploit Kit is now available in version 2.5 in the cybercrime underground.

Exploit kits are one of several tools cybercriminals use for do-it-yourself cybercrime. The Phoenix Exploit Kit is a good example of an exploit pack used to exploit vulnerable software on the computers of unsuspecting Internet users. Cybercriminals often drive traffic to the exploit kit by compromising legitimate websites and inserting IFRAMEs that point to the kit, or by poisoning search engine results so that they lead users to the kit.
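One defensive check that follows from the IFRAME injection described above is to scan a site's own pages for frames that point off-site and are sized or styled so the visitor never sees them. The scanner below is an added example written for this post; it is not Trend Micro's code, and the sample page, host names and size/style heuristics are constructed assumptions.

```python
"""Flag hidden or near-invisible IFRAMEs that point off-site in an HTML page.

Compromised legitimate sites are commonly seeded with an IFRAME that loads an
exploit-kit landing page while staying invisible to the visitor. This scanner
parses a page and reports IFRAMEs whose source is on another host and whose
size or style suggests they are meant to be unseen.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a plain size."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """Heuristics (assumed thresholds) for an IFRAME intended to be invisible."""
    style = attrs.get("style", "").lower().replace(" ", "")
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if w is not None and h is not None and (w <= 2 or h <= 2):
        return True  # 0x0 or 1x1 pixel frame
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}", style):
        return True  # positioned hundreds of pixels off-screen
    return False


def find_suspicious_iframes(html, page_host):
    """Return (src, reason) for each off-site IFRAME that looks hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # relative or same-host frames are out of scope here
        if is_hidden(attrs):
            findings.append((src, "hidden off-site iframe"))
    return findings


# Constructed sample page: one legitimate embed, two injected frames, one local frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/player" width="640" height="360"></iframe>
<iframe src="http://landing.example.net/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://other.example.net/stat.php" style="position:absolute; left:-1000px;"></iframe>
<iframe src="/local/frame.html" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{reason}: {src}")
```

Run against a crawl of your own site's rendered HTML, the scanner gives you a short list of frames to compare against what your templates are supposed to emit; a frame you did not put there is the signal worth investigating.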


When users land on a page injected with the exploit kit, it detects the version of the user’s Web browser and operating system and then attempts to exploit either the user’s browser or a browser plugin application. The latest version of the Phoenix Exploit Kit currently has payloads for nine different system configurations:

  • XPIE7 – Internet Explorer 7 and either Windows XP, Windows XP SP2 or Windows 2003
  • VISTAIE7 – Internet Explorer 7 and Windows Vista
  • XPIE8 – Internet Explorer 8 and either Windows XP, Windows XP SP2 or Windows 2003
  • VISTAIE8 – Internet Explorer 8 and Windows Vista
  • IE – Versions of Internet Explorer that are not IE7 or IE8
  • WIN7IE – Internet Explorer and Windows 7
  • XPOTHER – Browsers other than Internet Explorer on Windows XP, Windows XP SP2 or Windows 2003
  • VISTAOTHER – Browsers other than Internet Explorer on Windows Vista
  • WIN7OTHER – Browsers other than Internet Explorer on Windows 7

Once users are directed to a payload page, the kit attempts to exploit vulnerabilities in installed versions of Adobe PDF Reader, Adobe Flash, Internet Explorer and Java.

Java has become the leading exploit vector for a variety of exploit packs. In fact, the Phoenix Exploit Kit version 2.5 has been updated to include three additional Java exploits:

  • JAVA RMI
  • JAVA MIDI
  • JAVA SKYLINE

The administration panel of Phoenix Exploit Kit 2.5 contains an option to switch modes, which changes the Java exploit delivered to users. It allows the administrator to choose between TC (CVE-2010-0840), RMI or MIDI. This indicates that Java exploits have become very attractive to malware distributors.


By targeting a wide variety of configurations, the Phoenix Exploit Kit 2.5 attempts to maximize its ability to compromise Internet users. If the first exploit fails, it targets another vulnerable application on the user’s computer. As such, users are advised to always ensure that the applications installed on their computers are kept up-to-date so they can avoid possible exploit attacks.
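Because the kit falls through from one exploit to the next, a victim's web proxy log tends to show one client pulling several exploit carriers (PDF, Flash, Java) from the same host within seconds of arriving there from an unrelated site. The script below, an added example that is not part of the original post or of any Trend Micro tool, looks for that chain in a constructed proxy log; the log format, the carrier extensions, the time window and the two-type threshold are all assumptions.

```python
"""Spot exploit-kit-style delivery chains in web proxy logs.

An exploit kit that fails with one exploit tries the next, so a single client
typically fetches several exploit carriers (PDF, Flash, Java) from one host
shortly after being referred there from a different site. This script groups
proxy log lines per client and host and flags that pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# File extensions assumed to carry the exploits the post describes.
CARRIER_EXTENSIONS = {".pdf": "pdf", ".swf": "flash", ".jar": "java", ".class": "java"}

# Constructed sample log, format: "<iso-timestamp> <client> <method> <url> <status> <referer>".
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.0.0.5 GET http://legit.example.com/news.html 200 -
2011-03-01T10:00:02 10.0.0.5 GET http://landing.example.net/index.php 200 http://legit.example.com/news.html
2011-03-01T10:00:03 10.0.0.5 GET http://landing.example.net/load.pdf 200 http://landing.example.net/index.php
2011-03-01T10:00:04 10.0.0.5 GET http://landing.example.net/player.swf 200 http://landing.example.net/index.php
2011-03-01T10:00:06 10.0.0.5 GET http://landing.example.net/app.jar 200 http://landing.example.net/index.php
2011-03-01T10:05:00 10.0.0.7 GET http://docs.example.org/manual.pdf 200 http://docs.example.org/
2011-03-01T10:05:01 10.0.0.7 GET http://docs.example.org/demo.swf 200 http://docs.example.org/
"""


def parse_line(line):
    """Split one log line into its fields (assumed six-column format)."""
    ts, client, method, url, status, referer = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": urlparse(url).hostname, "referer": referer}


def carrier_type(url):
    """Return 'pdf', 'flash' or 'java' for a carrier URL, else None."""
    path = urlparse(url).path.lower()
    for ext, kind in CARRIER_EXTENSIONS.items():
        if path.endswith(ext):
            return kind
    return None


def find_exploit_chains(log_text, min_kinds=2, window=timedelta(seconds=60)):
    """Return (client, host, kinds) for every client that pulled at least
    min_kinds carrier types from one host within `window` of its first hit
    there, having arrived from a different host."""
    by_client_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client_host[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in by_client_host.items():
        recs.sort(key=lambda r: r["ts"])
        # A referer on a different host for the first request = redirected in.
        first_ref_host = urlparse(recs[0]["referer"]).hostname
        arrived_from_elsewhere = first_ref_host is not None and first_ref_host != host
        kinds = {}
        for rec in recs:
            kind = carrier_type(rec["url"])
            if kind and rec["ts"] - recs[0]["ts"] <= window:
                kinds[kind] = rec["url"]
        if arrived_from_elsewhere and len(kinds) >= min_kinds:
            findings.append((client, host, sorted(kinds)))
    return findings


if __name__ == "__main__":
    for client, host, kinds in find_exploit_chains(SAMPLE_LOG):
        print(f"{client} fetched {', '.join(kinds)} carriers from {host} after an off-site referral")
```

The second client in the sample fetches both a PDF and a Flash file from a documentation site but was referred there by that same site, so it is not flagged; the off-site referral is what separates an exploit-kit chain from a page that legitimately serves several media types.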

Post from: TrendLabs | Malware Blog – by Trend Micro

