2009-02-28

Unique Pack



Exploits for Opera 9, Firefox, Internet Explorer 4, 5, 6, and 7. Separate module to exploit the Adobe Reader util.printf() vulnerability (CVE-2008-2992). Also includes a module to deliver binaries by social engineering the visitor into accepting the download, similar to Fake AV.

So, what's so unique about it? Nothing really. Perhaps the fact that it obfuscates the PHP code which contains the exploits, which isn't difficult to strip. Also, maybe because it doesn't pass any parameters to its scripts via the URL, as most other packs do. Here's a summary of some scripts:

"cfg/config.php"
Defines variables for loader and exploit URLs, database credentials, and control panel credentials.

URLs are defined for loader script ("load.php") and Adobe PDF exploit ("pdf.php").

Filename of binary which will be dropped ("1.exe").

Database host, name, credentials. Default DB name is "spl".

Control Panel's script name ("admcp.php"), username, and password (the real password hashed twice with MD5). Default user is "root".


"cfg/options.php"
Defines functions and text for the 404 page. Functions to identify browser, operating system, and country (based on GeoIP), and an encoding function that turns bytes into JavaScript Unicode escapes (e.g. "%u9090").


"cfg/mod_vparivatel.php"
Configuration variables for social engineering module to convince the user to download the binary, similar to the idea used in RogueAV schemes.


"install.php" or "_install.php"
Database creation script. Connects to the database with the configured credentials and creates the necessary table.

CREATE TABLE `statistic` (
`id` int(10) NOT NULL auto_increment,
`ip` varchar(15) default NULL,
`os` varchar(30) default NULL,
`br` varchar(30) default NULL,
`country` varchar(2) default '--',
`good` int(1) NOT NULL default '0',
`mv` int(1) NOT NULL default '0',
`refer` varchar(300) NOT NULL,
`date` datetime default '2008-10-01 00:00:00',
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=cp1251 AUTO_INCREMENT=1;
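The "statistic" table is the most useful artifact on a seized or mirrored kit, because it lists every visitor and whether the binary was delivered. The following is an added example (not code from the pack or from this write-up) showing how to triage a copy of that table: the DDL above is rewritten for SQLite so it runs offline (auto_increment, ENGINE and CHARSET are MySQL-only), every row is constructed sample data, and the reading of "mv" as the flag set by the social engineering route is an assumption based on the description of "vparivatel.php" below.

```python
"""Triage of a seized Unique Pack 'statistic' table.

Added example, not code from the pack or the write-up. The table layout
follows the install.php DDL, rewritten for SQLite so it runs offline;
all rows are constructed sample data, not real victims.
"""
import sqlite3
from urllib.parse import urlsplit

# Same columns and defaults as the pack's schema, in SQLite syntax.
# good: set by load.php when 1.exe was served; mv: assumed here to be set by
# vparivatel.php when the social-engineering route delivered the binary.
SCHEMA = """
CREATE TABLE statistic (
  id      INTEGER PRIMARY KEY AUTOINCREMENT,
  ip      VARCHAR(15),
  os      VARCHAR(30),
  br      VARCHAR(30),
  country VARCHAR(2) DEFAULT '--',
  good    INTEGER NOT NULL DEFAULT 0,
  mv      INTEGER NOT NULL DEFAULT 0,
  refer   VARCHAR(300) NOT NULL,
  date    DATETIME DEFAULT '2008-10-01 00:00:00'
)
"""
DEFAULT_DATE = "2008-10-01 00:00:00"  # the schema's placeholder date

# Constructed rows: ip, os, br, country, good, mv, refer, date
SAMPLE_ROWS = [
    ("198.51.100.10", "Windows XP", "MSIE 6.0", "US", 1, 0, "http://example.com/news", "2009-02-20 10:01:00"),
    ("198.51.100.11", "Windows XP", "Firefox 3.0", "DE", 0, 0, "http://example.com/news", "2009-02-20 10:02:00"),
    ("198.51.100.12", "Windows Vista", "MSIE 7.0", "US", 0, 1, "http://example.com/forum", "2009-02-20 10:05:00"),
    ("203.0.113.5", "Windows XP", "Opera 9", "BR", 1, 0, "http://example.net/", "2009-02-21 08:00:00"),
    ("203.0.113.6", "Linux", "Firefox 3.0", "FR", 0, 0, "http://example.net/", "2009-02-21 08:30:00"),
]
# One constructed row inserted without a date, so the column default applies
NO_DATE_ROW = ("203.0.113.8", "Windows XP", "MSIE 6.0", "--", 1, 0, "")


def load_sample_db():
    """Build an in-memory copy of the table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO statistic (ip, os, br, country, good, mv, refer, date) VALUES (?,?,?,?,?,?,?,?)",
        SAMPLE_ROWS)
    conn.execute(
        "INSERT INTO statistic (ip, os, br, country, good, mv, refer) VALUES (?,?,?,?,?,?,?)",
        NO_DATE_ROW)
    conn.commit()
    return conn


def ips_served_binary(conn):
    """Hosts that received the binary by either route: these need cleanup, not just a warning."""
    rows = conn.execute(
        "SELECT ip FROM statistic WHERE good = 1 OR mv = 1 ORDER BY ip").fetchall()
    return [r[0] for r in rows]


def hit_rate_by_browser(conn):
    """{browser: (visits, hosts that got the binary)}: shows which exploit path worked."""
    rows = conn.execute(
        "SELECT br, COUNT(*), SUM(CASE WHEN good = 1 OR mv = 1 THEN 1 ELSE 0 END) "
        "FROM statistic GROUP BY br").fetchall()
    return {br: (total, hits) for br, total, hits in rows}


def referring_sites(conn):
    """Sites whose pages sent visitors to the kit, i.e. candidate compromised or injected sites."""
    hosts = set()
    for (refer,) in conn.execute("SELECT DISTINCT refer FROM statistic"):
        host = urlsplit(refer).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


def rows_with_placeholder_date(conn):
    """Rows whose date is the schema default carry no real timing information."""
    rows = conn.execute(
        "SELECT ip FROM statistic WHERE date = ? ORDER BY ip", (DEFAULT_DATE,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("served binary:", ips_served_binary(db))
    print("by browser:", hit_rate_by_browser(db))
    print("referring sites:", referring_sites(db))
    print("placeholder dates:", rows_with_placeholder_date(db))
```

The placeholder-date check matters because the schema's fixed default ('2008-10-01 00:00:00') means any row written without an explicit timestamp looks like an old record; such rows should be excluded from any timeline built from this table.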


"index.php"
Checks for the presence of "install.php" and executes it. If the visitor's IP was already logged, it aborts: the response carries HTTP status 200 but shows the 404 page text defined in the variable in "cfg/options.php".

Identifies country, browser, operating system, referer, IP address and updates the database. Includes "sploit.php" file for exploit generation.


"sploits.php"
Checks if "Unique" name is defined and aborts with 404 message from predefined variable if not defined. Determines the browser and loads appropriate exploit script:
"sploit/op9.php" - Opera
"sploit/ff.php" - Firefox
"sploit/ie7.php" - Internet Explorer 7
"sploit/ie.php" - Internet Explorer 4, 5, or 6.

"load.php"
Reads the executable which was defined in config file and serves it to the user. Updates database column "good" for this connection's IP address.


"pdf.php"
Contains the exploit for the Adobe Reader util.printf() vulnerability (CVE-2008-2992). Interestingly, the file contains an obfuscated PHP script that generates the exploit. It has some protection against people attempting to modify the code and print out the exploit: it reads its own source, looks for calls to print, sprint, or echo, and aborts if any are found. This prevents people from simply modifying the "eval" statement to see the real exploit code.

"vparivatel.php"
Delivers an executable file using a social engineering technique similar to RogueAV, convincing the user of a threat or some required update. Messages can be customized per browser, operating system, and country.

Checks if visiting IP was already given a binary using this method and aborts if found.

If the GET parameter "a" is set, it delivers the binary; otherwise it displays a convincing message and redirects back to itself with that parameter set.
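Taken together, the scripts above describe a request sequence a web proxy would see: an HTML landing page, then "pdf.php" answering with a PDF, then "load.php" (or "vparivatel.php?a") answering with an executable, and operator visits to "admcp.php". The following is an added example (not code from the pack or this write-up) of scoring proxy logs for that sequence. The log format and every entry are constructed; the file names are the kit's defaults and are trivially renamed by an operator, so the logic scores combinations of path, content type and ordering rather than any single name, which also keeps an unrelated site's own "load.php" from firing.

```python
"""Detection sketch for Unique Pack traffic in web proxy logs.

Added example, not part of the original write-up or the kit. The log
format and entries are constructed; the URI names (index.php, pdf.php,
load.php, vparivatel.php?a, admcp.php) are the defaults described in the
write-up and are easily renamed, so indicators are scored in combination.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed format: timestamp client method url status response-content-type
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample log; kit.example and shop.example are placeholders.
SAMPLE_LOG = """\
2009-02-20T10:01:00 198.51.100.10 GET http://kit.example/index.php 200 text/html
2009-02-20T10:01:03 198.51.100.10 GET http://kit.example/pdf.php 200 application/pdf
2009-02-20T10:01:09 198.51.100.10 GET http://kit.example/load.php 200 application/octet-stream
2009-02-20T10:02:00 198.51.100.11 GET http://kit.example/index.php 200 text/html
2009-02-20T10:05:00 198.51.100.12 GET http://kit.example/vparivatel.php 200 text/html
2009-02-20T10:05:05 198.51.100.12 GET http://kit.example/vparivatel.php?a 200 application/octet-stream
2009-02-20T11:00:00 203.0.113.9 GET http://shop.example/load.php 200 text/html
2009-02-20T12:00:00 203.0.113.7 POST http://kit.example/admcp.php 200 text/html
"""

CHAIN_WINDOW = timedelta(seconds=60)  # landing page to exploit stage, same client and host


def parse(log_text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        parts = urlsplit(d["url"])
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "client": d["client"],
            "host": parts.hostname,
            "path": parts.path.rsplit("/", 1)[-1],  # file name only
            "query": parts.query,
            "status": int(d["status"]),
            "ctype": d["ctype"],
        })
    return events


def indicators_for(events):
    """Map (client, host) to the set of indicator names seen in that pair's traffic."""
    found = defaultdict(set)
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e)
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        last_html = None
        for e in evs:
            if e["status"] == 200 and e["ctype"] == "text/html":
                last_html = e["ts"]
            recently_landed = last_html is not None and e["ts"] - last_html <= CHAIN_WINDOW
            # Exploit stage: pdf.php returns a PDF shortly after an HTML page from the same host
            if e["path"] == "pdf.php" and e["ctype"] == "application/pdf" and recently_landed:
                found[pair].add("pdf_exploit_stage")
            # Drop stage: loader, or the social-engineering page with ?a, returns an executable
            if e["ctype"] == "application/octet-stream" and (
                    e["path"] == "load.php"
                    or (e["path"] == "vparivatel.php" and e["query"] == "a")):
                found[pair].add("binary_drop")
            # Operator access to the default control panel name
            if e["path"] == "admcp.php":
                found[pair].add("control_panel")
    return found


def alerts(log_text):
    """Sorted (client, host, [indicators]) for every pair with at least one indicator."""
    found = indicators_for(parse(log_text))
    return sorted((client, host, sorted(inds)) for (client, host), inds in found.items())


if __name__ == "__main__":
    for client, host, inds in alerts(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(inds)}")
```

The lone "load.php" on shop.example is not flagged because it returned HTML and followed no landing page, while the client that fetched "vparivatel.php?a" is flagged from the executable response alone. In practice the content-type and "?a" indicators are the ones worth keeping when an operator has renamed the scripts.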