Category Archives: Exploit Kits

Exploit kits are malicious toolkits that exploit security holes in software applications (Adobe Reader, etc.) in order to spread malware. These kits come with pre-written exploit code and target users running insecure or outdated software on their computers. While the exact process of being exploited by one of these kits varies, it usually goes something like this:

A victim visits a website whose server has been hacked by cybercriminals.
The victim is redirected through various intermediary servers.
The victim lands at a rogue server hosting the exploit kit.
The exploit kit gathers information on the victim and determines which exploit to deliver.
The exploit is delivered.
If the exploit succeeds, a malicious payload (a custom malware program) is downloaded to the victim's computer and executed.

Nuclear Exploit Kit with Callbacks PCAP Converted Traffic Sample

2015-02-04 11:51:34.092279 IP 192.168.221.134.63245 > 192.168.221.2.53: 19334+ A? www.clearimagedevices[.]com. (43) E..GU-……………..5.3LcK…………www.clearimagedevices[.]com….. 2015-02-04 11:51:34.135718 IP 192.168.221.2.53 > 192.168.221.134.63245: 19334 1/0/0 A 64.9.192.3 (59) E..W.!……………5…C..K…………www.clearimagedevices[.]com……………..@ .. 2015-02-04 11:51:34.139407 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [S], seq 2253522424, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 E..4U/@….Y….@ …..P.R…….. ._]………….. 2015-02-04 11:51:34.242046 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [S.], seq 3104561041,… Read More »

RIG EK Web Exploit Kit Exploiting Vulnerable FLASH x-flash-version: 11,8,800,94 Traffic Sample

2015-02-06 12:17:55.655135 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 1:609, ack 1, win 64240, length 608 E….3@…^…………P.. .|.}3P…….GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center… Read More »

Magnitude EK Web Based Exploit Kit FLASH Vulnerability PCAP Converted Sample

2015-02-12 20:49:12.374714 IP 192.168.198.136.49482 > 46.166.182.101.80: Flags [P.], seq 1:749, ack 1, win 64240, length 748 E…’.@…c……..e.J.P….9.X”P…|…GET /?2654434052544748554a47524308414949414a430845494b hxxp/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: [redacted] Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip,… Read More »

Blackhole v1 Exploit Kit – Tries PDF but Exploits Vulnerable Java

2012-09-18 22:41:41.081678 IP 192.168.106.131.1325 > 192.168.106.2.53: 35602+ A? arksylhet[.]com. (31) E..;)………j…j..-.5.’.`………… arksylhet[.]com….. 2012-09-18 22:41:41.212429 IP 192.168.106.2.53 > 192.168.106.131.1325: 35602 1/0/0 A 216.246.98.78 (47) E..K_……3..j…j..5.-.7………….. arksylhet[.]com……………….bN 2012-09-18 22:41:41.214138 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [S], seq 56424381, win 64240, options [mss 1460,nop,nop,sackOK], length 0 E..0).@…jk..j…bN…P.\……p… ……….. 2012-09-18 22:41:41.417038 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [S.], seq 816984929, ack… Read More »

Blackhole v2.0 Exploit Kit Vector Java uses injected link and java applet

2012-09-18 22:41:41.081678 IP 192.168.106.131.1325 > 192.168.106.2.53: 35602+ A? arksylhet[.]com. (31) E..;)………j…j..-.5.’.`………… arksylhet[.]com….. 2012-09-18 22:41:41.212429 IP 192.168.106.2.53 > 192.168.106.131.1325: 35602 1/0/0 A 216.246.98.78 (47) E..K_……3..j…j..5.-.7………….. arksylhet[.]com……………….bN 2012-09-18 22:41:41.214138 IP 192.168.106.131.1409 > 216.246.98.78.80: Flags [S], seq 56424381, win 64240, options [mss 1460,nop,nop,sackOK], length 0 E..0).@…jk..j…bN…P.\……p… ……….. 2012-09-18 22:41:41.417038 IP 216.246.98.78.80 > 192.168.106.131.1409: Flags [S.], seq 816984929, ack… Read More »