begood Posted October 15, 2010

Phoenix Exploit Kit is one of the best Browser Exploit Packs (BEP) on the market nowadays. Looking at the pace of development, it seems we are going to see a plethora of advancements in this BEP. In this post we aim to disclose some of our findings and reviews about the latest Phoenix BEP, version 2.4. Primarily, we will be discussing the following metrics in detail to assess the impact of this BEP:

1. Exploitation Success Rate (ESR)
2. Loader Infection Success Rate (LISR)

The most critical part of testing BEPs is determining the success rate of loading a bot or executable once the target is exploited in a real-time environment. This metric is quite important because a number of browser exploit packs suffer a huge loss in loading activity even after exploitation. However, it has often been noticed that most of the statistics provided by BEPs claim an infection rate, based on ESR, of thousands of machines, while the installation rate is very low. Based on our analysis, we are raising a point about the effectiveness of BEPs: if the exploitation rate is high, the BEP has to be robust enough to perform the successful installs.

A generic experiment was conducted on some samples of Phoenix Exploit Kit 2.x - 2.4 in a controlled environment to determine the possible rates of infection. The output is presented as follows:

[1] Browser Exploitation Ratio (BER)
Microsoft Internet Explorer (IE6+IE7+IE8): 25%
Firefox (all versions): 17% - 22%

[2] Operating System Exploitation Rate (OSER)
Windows XP: 25% - 30%
Windows Vista: 18% - 22%
Windows 7: 5% - 8%

[3] Traffic Infection Rate (TIR)
Mixed traffic rate (hard + generic): 70% - 80%

[4] Loader Infection Success Rate (LISR)
Loader installation rate after exploitation: 90%

This gives us an indication of the exploitation ratios of browsers and operating systems. Windows 7 shows as less vulnerable because of the protection mechanisms built into it. Phoenix BEP converts 70%-80% of traffic into infections. As discussed above, the loader installation loss is quite small compared to other BEPs. We can take into account firewalls and other possible scenarios where security mechanisms can reduce the loader installation rate to 10%-15%. However, considering the stats, the rate is still high.

Note: The infection rate varies depending on the rate of traffic, but the overall stats remain the same.

With the release of version 2.4 we will be encountering the following exploits and code:
- Added JAVA TC (privilege escalation) exploit, which works instead of the JAVA DE-SERIALIZE and JAVA GSB exploits. It breaks JRE/JDK 1.5.0-1.5.0_23 and 1.6.0-1.6.0_18 on Win XP/Vista/7.
- Added QUICKTIME exploit for QuickTime Player 7.6.6-7.6.7 on Win XP for IE 6/7/8.
- Added PDF FONT exploit for Adobe Reader 9.3.1-9.3.4 on Win XP/Vista/7. Vulnerability is not patched yet!
- (Hitting antiviruses hard) Random file names for the BEP structure.
- (Stealth technique) Link encryption in the JAVA exploit.

Phoenix 2.4 has shown good advancements. Overall, this exploit pack is producing really good code to dismantle the web.

Malware at Stake: Phoenix Exploit Kit (2.4) - Infection Analysis
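The version ranges the post lists for the three new exploits are what a defender would check an inventory against. The script below is an added example written for this page; it is not code from the post, from the Malware at Stake article, or from the kit. The product keys ("jre", "quicktime", "reader") and the hostnames in the inventory are made up for the example, and the ranges come from the post's own claims rather than from any vendor advisory. The point it shows is that Java's "1.6.0_18" format needs a real version comparison: as strings, "1.6.0_3" sorts after "1.6.0_18", so a naive check would miss hosts that the post says are exploitable.

```python
import re

# Version ranges the post lists for Phoenix 2.4's new exploits (inclusive on both
# ends). The product keys are names chosen for this example, not from the post.
TARGETED_RANGES = {
    "jre": [("1.5.0", "1.5.0_23"), ("1.6.0", "1.6.0_18")],
    "quicktime": [("7.6.6", "7.6.7")],
    "reader": [("9.3.1", "9.3.4")],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_(\d+))?")


def parse_version(text: str) -> tuple:
    """Convert '1.6.0_18', '7.6.7' or '9.3.4' into a tuple of ints that compares correctly.

    Java's update number (the '_18' suffix) becomes the fourth component, defaulting to 0,
    so 1.6.0 < 1.6.0_3 < 1.6.0_18, which a string comparison would get wrong.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:               # pad '1.6' to (1, 6, 0)
        parts.append(0)
    parts.append(int(m.group(2) or 0))  # update number, 0 when absent
    return tuple(parts)


def is_targeted(product: str, version: str) -> bool:
    """True if the installed version falls inside a range the post says the kit exploits."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in TARGETED_RANGES.get(product, []))


def exposed_hosts(inventory):
    """Return the (host, product, version) rows that fall in a targeted range."""
    return [row for row in inventory if is_targeted(row[1], row[2])]


# Constructed inventory for the example; the hostnames are made up.
SAMPLE_INVENTORY = [
    ("ws01", "jre", "1.6.0_18"),    # last update in the targeted range
    ("ws02", "jre", "1.6.0_19"),    # one update past it
    ("ws03", "jre", "1.6.0_3"),     # would sort *after* _18 as a string
    ("ws04", "reader", "9.3.4"),
    ("ws05", "reader", "9.4.0"),
    ("ws06", "quicktime", "7.6.7"),
    ("ws07", "quicktime", "7.7"),
]

if __name__ == "__main__":
    for host, product, version in exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in a Phoenix 2.4 target range")
```

The check deliberately models only the version ranges; the post's own figures show that success also depends on the operating system (Windows 7 being hit far less often), which an inventory filter like this does not capture.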
Alexandr69 Posted October 17, 2010
Will there be a download link?
Vlachs Posted October 17, 2010
Quoting Alexandr69: "Will there be a download link?"
It'll all be up your mom's.
Kubanezi Posted December 25, 2010
Is this FUD?
metisdk Posted December 26, 2010
Phoenix Exploit Pack 2.4, stolen from a hosting account. It installs normally; the problem is that the exploits have to be "unbound", i.e. on another host they won't be active (the infection rate will be 0%). If someone gets it to work, I'll give them pack 2.6 as well.
http://www.sendspace.com/file/v56inr
DarkIceee Posted December 26, 2010
It's bound to the domain, there's no point taking it from there, the rate will be 0; you need someone to crack it.
metisdk Posted December 26, 2010
That's what I said about 2.4. I already have 2.6 clean (ESR ~28%).
DarkIceee Posted December 26, 2010
Quoting metisdk: "That's what I said about 2.4. I already have 2.6 clean (ESR ~28%)."
Do you have 2.6 free, the kit directly, that can be put anywhere, or is that one bound too?
metisdk Posted December 26, 2010
The kit directly, and it can be put anywhere )
C!rrus Posted January 12, 2011
Hi, I want to buy one copy of the exploit pack. Please contact: yekumifa@hotmail.com
michee Posted January 16, 2011
In principle I think I've pretty much solved it... Can someone tell me a PDF editor with which I can see whether a PDF contains JavaScript code, and what other code it contains?
johnyinc Posted February 11, 2011
Hi, I have v2.5 bound to my domain, obtained from the author. Does anyone have any idea whether the encrypted files were made with ionCube / phpShield / Zend? And if not, what are they encrypted with? It won't go unrewarded.