2008-08-27

Neosploit devel/updates retired! However...

It seems that development of this exploit pack has ended. The message basically states that the effort put into development is not returning enough income and that support is ending.

However, this does not mean that you will no longer see exploits delivered via this framework. There are many installations of it out there and it's still one of the best exploit packs, although it was expensive. Also, the Neo folks have released instructions and a script on how to move the CGI program from one server to another. Previously, this had to be done with the help of Neosploit Support, as the binary was compiled for a specific server. If the source code is leaked or released, it's highly likely that more malware will be delivered through it.

Now, with that background info behind us, we have seen something interesting which leaves more questions than answers. We have identified a site which utilizes this pack to drop a binary which seems to be associated with the recent fake Antivirus malware.

What is of most interest is that the obfuscated script, mainly its deobfuscation function, has some modifications to its code. Several key statements were rearranged in such a way that the logic isn't changed.

Why make such a change? Is it a change, or some older build which had a short life span and wasn't updated since? We've been keeping an eye on Neosploit's progress for many months now and have never seen this code sequence. We have observed similar minor changes before, during active development, but now that it's supposedly retired the update does stand out. Is it possible that the source code was leaked? Or did someone just modify the binary in place, and for what purpose: to evade detection?

More research is needed to confirm if this change occurs elsewhere, on other domains hosting Neosploit.

2008-08-23

le fiesta - another exploit pack

This is yet another web based exploit pack which utilizes PHP and SQL. Overall, it's similar to the other PHP based packs, except that here the file structure is much more compact (not that it really matters) and it's less smart about serving exploits (not loaders) to victims that have already visited.

It uses two layers of encryption/obfuscation via JavaScript, with random function and variable names on each visit. Here's a rough list of included exploits:

COM objects
(see metasploit)

"?spl=com"
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F CreateControlRange

"?spl=vml2"
DirectAnimation.PathControl

"?spl=wfi"
WebViewFolderIcon.WebViewFolderIcon.1 setSlice()

"?spl=zango1"
8C875948-9C60-4381-9248-0DF180542D53 DownloadAndExec()

"?spl=zango2"
BFC08CFF-C737-4433-BD5A-0EE7EFCFEE54 DownloadAndExec()

"?spl=myspace"
48DD0448-9209-4F81-9F6D-D83562940134

"?spl=ymj"
5F810AFC-BB5F-4416-BE63-E01DD117BD6C AddImage()

"?spl=buddy"
Sb.SuperBuddy.1 LinkSBIcons()

The ?spl= parameter is passed to "load.php", which updates the statistics for each exploit.
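Because the pack reports every served exploit back through load.php?spl=<selector>, and because its landing page has to carry the listed CLSIDs/ProgIDs once the two JavaScript layers are stripped, both make cheap detection hooks. The following is an added example (not code from the post or from the pack) that counts load.php?spl= requests per selector in proxy log lines and flags the listed identifiers in deobfuscated content; the log format and host name are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# The ?spl= selectors the post lists for the "le fiesta" pack.
KNOWN_SPL = {"com", "vml2", "wfi", "zango1", "zango2", "myspace", "ymj", "buddy"}

# CLSIDs / ProgIDs the post lists. Seeing them in page content (after the
# two JavaScript obfuscation layers are stripped) points at the pack's landing page.
INDICATORS = [
    "EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F",  # CreateControlRange
    "DirectAnimation.PathControl",
    "WebViewFolderIcon.WebViewFolderIcon.1",  # setSlice()
    "8C875948-9C60-4381-9248-0DF180542D53",  # DownloadAndExec()
    "BFC08CFF-C737-4433-BD5A-0EE7EFCFEE54",  # DownloadAndExec()
    "48DD0448-9209-4F81-9F6D-D83562940134",
    "5F810AFC-BB5F-4416-BE63-E01DD117BD6C",  # AddImage()
    "Sb.SuperBuddy.1",                        # LinkSBIcons()
]

# Assumed log format: the request line sits in double quotes, as in common proxy/access logs.
URL_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def spl_hits(log_lines):
    """Count load.php?spl=<value> requests per selector; unknown selectors are counted too."""
    hits = Counter()
    for line in log_lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/load.php"):
            continue
        for spl in parse_qs(url.query).get("spl", []):
            hits[spl.lower()] += 1
    return dict(hits)

def indicator_hits(content):
    """Return the listed CLSIDs/ProgIDs present in (deobfuscated) page content."""
    text = content.upper()
    return [i for i in INDICATORS if i.upper() in text]

# Constructed sample lines (not real traffic); "pack.example" is a placeholder host,
# and "newmod" is a made-up selector to show that unlisted modules still get counted.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2008:10:01:02] "GET http://pack.example/load.php?spl=vml2 HTTP/1.1" 200 512',
    '10.0.0.7 - - [23/Aug/2008:10:02:10] "GET http://pack.example/index.php HTTP/1.1" 200 8192',
    '10.0.0.7 - - [23/Aug/2008:10:02:11] "GET http://pack.example/load.php?spl=vml2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Aug/2008:10:03:00] "GET http://pack.example/load.php?spl=newmod HTTP/1.1" 200 512',
]
```

Any selector in the result that is not in KNOWN_SPL is worth a closer look, since it would mean the pack has grown a module the post does not list.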

2008-08-22

"Army cyber ops"...

In a Government Computer News article there was an interesting fact mentioned which hints at the Army cyber command centers' ability to handle contingencies.

It was stated that many of their links utilize undersea cables, but some also use land based fiber. One such land link was severed by a garbage truck, disabling service to their northern and southern continental CCs for several hours.

Now, I know how difficult it can be to design and run a full contingency operation, but one would think that with the budget and resources of a government such a goal should not pose too much of a problem. Apparently, this is not so for the Army's cyber ops.

To be honest, it's a big surprise to me. I've seen companies not lose a single TCP connection upon core router/switch failures, cable cuts in server racks, and power outages in data centers, and they don't have the same resources as the government can afford.

This isn't a good sign, especially in light of more and more talk regarding large scale cyber warfare. Hopefully, that garbage truck incident served as a lesson. On the bright side, at least the guys at the monitoring consoles got a decent break :)

2008-08-16

Why I love cons...

Some great talks, interesting presentations and new ideas. Also, you get to meet very interesting people and pick their brains, or just hang out and enjoy their strange and wonderful personalities.

However, the best is when you discover people who are true hackers. By that I mean people with a certain state of mind who take a creative approach to solve problems.

Here's an example which proves that a real hacker does not need a computer but only his brain:

And yes, this guy was hacking away at deciphering some message.