Cool Exploit Kit – “We Try harder!”

2013.03.13

Heh, when I am sick – it’s time to hunt…

Prerequisites: 

Temperature: 37.8 C

Local Time: 23:00

Mood: [censored]

Test machine: fully updated (PDF, Flash, Java up to 7u17)

Live Exploit Kits in list: 5

What we are testing:

How dangerous surfing is for those who follow best practices, or at least keep their software updated.

Results:

The behavior of all tested Exploit Kits can be described as:

- If a plugin-detect script is present, the kit realizes that no vulnerable plugins were detected, and either:

- no exploit is served at all [Safe End], or

- the last available Java exploit is served anyway. [Fail]

- If no plugin-detect script is present, all available exploits execute and fail.

* Sometimes the LibTiff exploit crashes the PDF plugin; once, the Java attempt caused an error message to appear…
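The gating logic in the list above, as an added Python example that is not from the post: it normalises the Java version strings a plugin-detect script may report, compares them against the fix level of each exploit in a kit's arsenal, and reports which of the observed paths a client would take. The arsenal table, the fixed_in value for CVE-2013-0431 and the client inventories are assumptions constructed for illustration (take the real fix level from the vendor advisory); only Java is modelled, because it is the only plugin the post shows being served. Run from the defender's side, the same check tells you which hosts in an inventory would have been handed an exploit rather than reaching the safe end.

```python
import re

# Java version strings arrive in several shapes depending on who reports them:
# "1.7.0_17" (java -version), "7u17" (Oracle release naming), "7.17" (some detectors).
_JAVA_FORMATS = (
    re.compile(r"^1\.(\d+)\.\d+_(\d+)$"),
    re.compile(r"^(\d+)u(\d+)$"),
    re.compile(r"^(\d+)\.(\d+)$"),
)


def parse_java_version(text):
    """Normalise a Java version string to (major, update); None if unrecognised."""
    for fmt in _JAVA_FORMATS:
        m = fmt.match(text.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


# Kit arsenal as the post describes it: one Java exploit gated on plugin version.
# ASSUMPTION: the fixed_in level is illustrative, not taken from the post;
# fill it in from the vendor advisory for the CVE you are assessing.
ARSENAL = {
    "CVE-2013-0431": {"plugin": "java", "fixed_in": (7, 13)},
}


def exposed_to(client, arsenal=ARSENAL):
    """Return the CVEs in `arsenal` whose target plugin on `client` predates the fix."""
    hits = []
    for cve, spec in arsenal.items():
        reported = client.get(spec["plugin"])
        if reported is None:
            continue  # plugin absent: nothing for this exploit to target
        version = parse_java_version(reported) if spec["plugin"] == "java" else None
        if version is not None and version < spec["fixed_in"]:
            hits.append(cve)
    return hits


def kit_path(client, plugin_detect_present=True, arsenal=ARSENAL):
    """
    Which of the behaviours observed in the post applies to this client:
      'safe-end'       detector ran, nothing vulnerable, nothing served
      'serve:<cves>'   detector ran and found an out-of-date plugin
      'spray-all'      no detector: every exploit fired blindly (fails on a patched box)
    The kit-specific 'serve the last Java exploit anyway' case is not modelled,
    since it depends on the kit, not on the client.
    """
    if not plugin_detect_present:
        return "spray-all"
    hits = exposed_to(client, arsenal)
    return "serve:" + ",".join(hits) if hits else "safe-end"


if __name__ == "__main__":
    # Constructed inventories: the post's fully patched test machine and a stale one.
    patched = {"java": "1.7.0_17"}
    stale = {"java": "7u11"}
    print(kit_path(patched))                                # safe-end
    print(kit_path(stale))                                  # serve:CVE-2013-0431
    print(kit_path(patched, plugin_detect_present=False))   # spray-all
```

Tuple comparison does the version ordering, so adding an entry for another Java exploit only needs its fixed_in pair; a plugin the detector cannot read (unrecognised string) is treated as not exploitable by this model, which is the optimistic reading and worth remembering when using it for exposure reports.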

Bottom line: if the machine is up to date, well, the kit leaves it alone, there are plenty of easy targets around.

Except for Cool Exploit Kit. Let me show you some fun stuff there…

Its landing page, with plugin-detect served, pushes the Java CVE-2013-0431 exploit (see its analysis by @SecObscurity).

It requires permission to run:

[Screenshot: cek1]


Ok. If you click Cancel, you get a blank page for a few seconds…

Waiting…

[Screenshot: cek2]

Second try! :) Ok, let's allow it, who cares! :)

[Screenshot: cek4]

Well, here it is the same exploit again. VT [6/45]

Well, that's it, no harm? :)

No, as I said, the "Cool Exploit Kit" motto is "We try harder!" :)

Voila:

[Screenshot: cek6]

Ha, since there are no exploits that work against our machine, let's use the old-school trick! :) VT [22/45]

Nice try, and one that eventually reaches its target: the number of "installs" grows.

Conclusions:

Well, when Cool EK was announced, it was quite similar to BHEK2… Then it became apparent that new exploits were added there faster and worked more "cleanly": fast implementation of the recent line of Java and Flash exploits, heavy obfuscation techniques. Maybe after yesterday's Patch Tuesday we'll see new exploits there… But here we can also see some tricks that add sophistication to this Exploit Kit… It actually tries harder… I kind of like having such enemies; it's more fun to defeat them. :-)

Stay Safe

D.L.

3 comments

  1. great post Denis :). Anyway my twitter name is @SecObscurity not @SecObscure.

    SecurityObscurity, 14/03/2013
  2. I see, my mistake :)
    Updated!

    Denis, 14/03/2013
  3. Yes! Finally something about newly.

    click here, 03/01/2014
