Clik here to view.
Elaborate Black Hole Infection
I normally come across straight-forward drive-by downloads. Due to some website compromise, a web page is modified to include a link to a malicious website (e.g. iframe or external Javascript file)...
View ArticleClik here to view.
Two Drive-Bys, One Site
It’s bad enough to get hit with one drive-by download…but two on one page?! It’s probably separate compromises made by two different people. One thing is for sure though…what’s common to all these...
View ArticleClik here to view.
Chinese Exploit Packs
While it can be difficult to attribute exploit packs in many cases, I believe it’s safe to say that there are a few made by Chinese authors. Their style can be seen across packs from the script used...
View ArticleClik here to view.
Hierarchy Exploit Pack
A new pack has emerged called Hierarchy Exploit Pack. Looks a lot like Eleonore but its exploits are different: CVE-2006-0003 CVE-2009-0927 CVE-2010-0094 CVE-2010-0188 CVE-2010-0806 CVE-2010-0840...
View ArticleClik here to view.
Techno XPack
There’s another new exploit pack in town called Techno XPack. This one looks like a re-skinned BleedingLife. Here’s a list of the exploits it’s packing: CVE-2008-2992 CVE-2010-0188 CVE-2010-0842...
View ArticleClik here to view.
Playing Hide and Seek with Malicious Scripts
When I encounter a drive-by download that involves a compromised host, there will usually be a malicious script somewhere on the website. The “malicious script” could be a meta refresh tag, an iframe,...
View ArticleClik here to view.
The Resurrection of RedKit
“RedKit” was once a thriving exploit pack then faded away leaving behind artifacts on several abandoned hosts which are still triggering broken redirection alerts to this day. Within the past couple of...
View Article
