Phoenix Exploit Kit (2.4) - Infection Analysis

[begood]

Phoenix exploit kit is one of the best Browser Exploit Pack (BEP) in the market nowadays. Looking at the pace of development, it seems like we are going to see plethora of advancements in this BEP. In this post , we are aiming to disclose some of the findings and reviews about the latest Phoenix BEP version 2.4. Primarily, we will be talking about the following metrics in detail to discuss the impact of this BEP.

1. Exploitation Success Rate (ESR).

2. Loader Infection Success Rate (LISR).

The most critical part of testing BEP's is to determine the success rate of loading a bot or executable once the target is exploited in real time environment. This metric is quite important because number of browser exploit packs suffer from huge loss in loading activity even after the exploitation. However, many times it has been noticed that most of the statistics provided by BEP's claiming the fact that infection rate based on ESR to be thousands of machines. But the installation rate is very less. Based on our analysis, we are raising a point on the effectiveness of BEP. If the exploitation rate is high it means the BEP has to be robust enough to perform the successful installs.

A generic experiment was conducted on some of the samples of Phoenix Exploit Kit 2.x - 2.4 in a controlled environment to detect the possible rates of infection. The output is presented as follows

[1] Browser Exploitation Ration (BER)

Microsoft Internet Explorer (IE6+IE7+IE8) - 25%

Firefox (All Versions) - 17% - 22%

[2] Operating Systems Exploitation Rate (OSER)

Windows XP : 25% - 30%

Windows Vista : 18% - 22%

Windows 7 : 5% - 8%

[3] Traffic Infection Rate (TIR)

Mixed Traffic Rate (Hard+Generic) = 70% - 80%

[4] Loader Infection Success Rate (LISR)

Loader Installation Rate after exploitation - 90%

This gives us an indication about the exploitation ratios of browsers and operating systems. Windows 7 shows less vulnerable because of the protection mechanisms developed in it. Phoenix BEP converts 70%-80% of traffic to be infected. As it has been discussed above, the loader installation loss is quite less as compared to other BEP's. We can consider the fact of firewalls and other possible scenarios where security mechanisms can reduce the loader installation rate to 10%-15%.However, considering the stats the rate is still high.

Note: The infection rate varies depending on the rate of traffic but the overall stats remain the same.

With the release of version 2.4 we will be encountering following exploits and codes

Added JAVA TC (privilege escalation) which works instead of JAVA DE-SERIALIZE and JAVA GSB exploits.It breaks JRE/JDK 1.5.0-1.5.0_23 and 1.6.0-1.6.0_18 on Win XP/VISTA/7.

Added QUICKTIME exploit for QUICKTIME PLAYER v. 7.6.6-7.6.7 on Win XP for IE 6/7/8.

Added PDF FONT exploit for ADOBE READER 9.3.1-9.3.4 on Win XP/VISTA/7. Vulnerability is not patched yet!

(Hitting Anti Viruses Hard) Random file-names of BEP structure.

(Stealth Technique) Link Encryption in JAVA exploit.

Phoenix 2.4 has shown good advancements. So overall this exploit pack is building really good codes to dismantle the web.

Malware at Stake: Phoenix Exploit Kit (2.4) - Infection Analysis

[Alexandr69]

Link to download will be?

[Vlachs]

Link to download will be?

will be all in ma-ta

[Kubanezi]

is this fud

[metisdk]

Phoenix exploit pack 2.4, furata de pe un hosting

de instalat se instaleaza normal, problema e ca exploiturile trebuie de "dezlegat" adica pe alt hosting ele nu vor fi active (rata de infectare va fi de 0%), daca cineva o face sa lucreze ii dau si pack 2.6

http://www.sendspace.com/file/v56inr

[DarkIceee]

E bindat pe domeniu degeaba il iei tu de acolo , rata o sa fie 0 , iti trebuie cineva sa il crackuiasca

[metisdk]

asta si am spus referitor la 2.4

2.6 il am deja clean, (ESR~28%)

[DarkIceee]

asta si am spus referitor la 2.4

2.6 il am deja clean, (ESR~28%)

ai 2.6 liber , direct kit si merge pus oriunde sau si ala ii bindat ?

[metisdk]

direct kit si merge pus oriunde)

[C!rrus]

hi i wath buy one copy the exploit pack please contact:yekumifa@hotmail.com

[michee]

in principiu cred ca l-am cam rezolvat.....imi poate spune cineva un editor pdf? Cu ajutorul caruia sa vad daca un pdf contine cod javascript si ce cod mai contine.......?

[johnyinc]

salut, am v 2.5 pe domeniu meu bindat, luat de la autor

are cineva vreo idee daca fisierele cryptate sunt facute cu ioncube / phpshield / zend ?

iar daca nu, cu ce sunt criptate ?

nu va trece nerecopensat