Exploitpacktable 2014

CVE

slang/shorthand

Product / type . < means that v. and below

Exploit Description

CVE-2006-0003 mdac

IE 6

Pack Release Date (SEE OLDER PACKS ON TAB 3 BELOW) or Analysis date MS IE _ MSHTML IE6 MS IE _ IE 5.01, 5.5, and 6 DHTML Method Heap Memory Corruption Vulnerability MS IE _MS06-014 for lE6/Microsoft Data Access Components (MDAC) Remote Code Execution

CVE-2007-5659 collab, collectEmaillnfo /2008-0655

PDF < 8.1.1

ADOBE PDF _Exploit -collab, collectEmaillnfo

CVE-2004-0549

IE 6

CVE-2005-0055

IE 5, 6

m_Cor_n / MS Off Snapshot IE

CVE-2008-2463 snapshot/ activexbundle CVE-2009- Mozilla FF 3.5 / font tags | FF escape retval 2477 CVE-2008-2992 util.printf Java JRE/Javad0/Javado/Java

CVE-2008-5353 Calendar/javaold/JavaSr0 CVE-2009IE7 MEMCOR MS09-002 0075/0076

CVE-2009-0927 PDF collab.getIcon / pdf-gi

IE- MSAccess

MS OFFICE _M508-041 - MS Access Snapshot Viewer

FF < 3.5.1

FIREFOX - Font tags | Firefox 3.5 escape() Return Value Memory Corruption

PDF < 8.1.2

ADOBE PDF _Exploit• util.printf

Java < 6u10

JAVA _Javad0—JRECalendar Java Deserialize

IE 7

MS IE _ MS09-002 - lE7 Memory Corruption

PDF < 9.1

ADOBE PDF _ Exploit- collab.getlcon

CVE-2009-1136 spreadsheet

IE - MSOffice

MS OFFICE _ MSO9-043 - lE OWC Spreadsheet ActiveX control Memory Corruption

CVE-2009-3867 JAVA GSB

Java < 6u17

JAVA _Runtime Env. getSoundBank Stack BOF

PDF < 9.3

ADOBE PDF Exploit - docmedianewPlayer

CVE-2009-4324

PDF mediaNewPlayer / pdfmp

CVE-2010-0188 PDF Libtiff / Lib

PDF < 9.3.1

ADOBE PDF Exploit - LibTiff Integer Overflow

CVE-2010-0094 javarmi

Java < 6u18

JAVA _ Runtime Environment component in Oracle Java SE

CVE-2010-0806 IEPeers msiemc

IE 7

CVE-2010-1297 PDF SWF

MS IE _ IEPeers Remote Code Execution IE7 Unitialized Memory Corruption JAVA _ Trusted Method Chaining - Java getValue Remote Code Execution JAVA 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 -via MIDI file with a crafted MixerSequencer object JAVA _ SMB / Java JDT 6 Upd 10-19 * Requires xtra components ADOBE PDF _ Open/Launch embedded exe via built in functionality, ability to change prompt text. Didier Stevens. SWF < 10.1.53.64 ADOBE FLASH - "PDF SWF"

CVE-2010-1423 javanew JWS

Java 6u10,19

CVE-2010-1885 hcp

WIN XP-2003

CVE-2010-0840

JAVA TC (?) javagetval OBE Java invoke / Java Trust

CVE-2010-0842 JAVA MIDI Java OBE

Java < 6u19

SWF < 10.2.152.26 SWF < 10.2.152.26 SWF < 10.2.154.27

ADOBE FLASH _ authplay.dll ActionScript AVM2 memory corruption Vulnerability – Adobe Reader < 9.4.0 – ALL Win JAVA _ Unspecified vulnerability in the New Java Plug-in – Java 6 < Update 22 – IE Only – ALL Windows ADOBE FLASH _ memory corruption and application crash via crafted SWF content October 2010. IE Use-after-free IE 6, 7, and 8 "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," JAVA _Sun Java Applet2ClassLoader Remote Code Execution Exploit JAVA _ www.metasploit. com/modules/exploit/multi/browser/java_signed_applet ADOBE FLASH _ Integer overflow in Adobe Flash Player before 10.2.152.26 ADOBE FLASH _ Denial of service (memory corruption) via crafted parameters ADOBE FLASH -Microsoft Office document with an embedded . swf file

CVE-2011-1255 IE 6-8

IE 6-8

MS IE _Time Element Memory Corruption

CVE-2011-2110

SWF< 10.3.181.26 ADOBE FLASH _ Flash memory corruption June - 2011

SWF< 10.1.82.76

CVE-2010-3654 FlashPlayer Button

SWF < 10.1.102.64

CVE-2010-3962 IE CSS

IE 6, 7, 8

CVE-2010-4452 Java Codebase Trust

Java < 6u23

Signed Applet Signed Applet

JAVA SOCIAL

CVE: 20112371

FF Array.reduceRight() Exploit

SWF< 10.3.183.5

Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit

PDF < 10.1.1

ADOBE PDF _U3D onject memory corruption December 2011

CVE-2011-3106 Chrome websockets

CHROME < 19.0.1084.52

CHROME Websockets overflow

CVE-2011-3521

Java 6u27, 7

JAVA _Type confusion vulnerability in Oracle Java Update 27

TrueType Font - Duqu

CVE-2011-3544 Java Rhino CVE-2011-3659 Firefox 8/9 Firefox social FF Social

Java 6u27, 7

JAVA _ AtomicReferenceArray

2010-0188

2010-0188

MS WMP

CVE-2012-1889 IE XML memcor

XML IE

XML _ memory corruption

SAFARI < 6

SAFARI Webkit - memory corruption

Neutrino

Blackhole (last)*

10-'13

03-'13

10-'13

Blackhole 2.x Blackhole 2.0 Blackhole 1.2.5 Blackhole 1.2.3 09-'12

2006-0003

2006-0003

08-'12

12-'11

2006-0003

2006-0003

2007-5659 /2008-0655

2007-5659 /2008-0655

Crime Boss 2013

Crime Boss 2012

Grandsoft / SofosFO/Stamp EK

Grandsoft / SofosFO/Stamp EK

09-'12

09-'12

09-'13

09-'12

Crimeboss

10-'13

Private EK

Sakura

09-'13

09-'13

2006-0003

Sakura 1.0

LightsOut

Glazunov

Rawin

Flimkit

Cool EK (Kore-sh)

08-'12

01-'12

9-'13

08-'13

8-'13

08-'13

09-'13

2006-0003

2006-0003

Sakura 1.1

Kore (formely Sibhost known as (Urausy/BestAV Sibhost) EK) 08-'13

04-'13

Cool/Styxy

Styx 4.0

Cool

07-'13

05-'13

05-'13

Cool Jan 2013 ->

Cool

08-'12

08-'12

2006-0003

2006-0003

Styx 2.0

Topic

Nice EK

KaiXin Nov '12

KaiXin Aug '12

12-'12

12-'12

05-'13

03-'13

mid 2012

mid 2012

2007-5659 /2008-0655

2007-5659 /2008-0655

Styx 2.x 2013

G01pack

SPL Pack

Serenity pack

Alpha Pack

2006-0003

2006-0003

10-'12

2006-0003

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2008-2992

2008-2992

2009-0927

2009-0927

2010-0188

2009-0927

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0188

2010-0806

2010-0806

2010-0842

2010-0842

CritXPack

Whitehole

Red Dot

11-'12

01-'13

12-'12

Assoc AiD (unconfirmed) No Name 09-'12

09-'12

2011-2140

2008-2992

2009-0927

2009-0927

2010-0188

2010-0188

2010-0188

2010-0188

2011-2140

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

-

IE VML

IE <10

IE Use-after-free vulnerability in IE 6 -10 - via a crafted web site that triggers access to a deleted object

Silverlight

Silverlight < 5.1.20913.0

SILVERLIGHT 5, 5 Dev. Runtime, < 5.1.20125.0 Double Dereference Vulnerability and SL 5 < 5.1.20913.0

IE < 10

IE InformationCardSigninHelper VulnerabiliIty

IE <11

IE Use-after-free vuln. in the CDisplayPointer class in mshtml.dll in IE6 11 - (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler

SWF<11. 7.700.252,<11. 9.900.152

FLASH - Memory Corruption

Number of exploits included

2012-1723

2012-1723

2012-0507

2011-3544

2012-1723

2012-1723

2012-0507

2012-1723

2012-1723

2011-3544

2011-3544?

2012-0507

2012-0507

2012-1723

2012-1723

2011-3544

2011-3544

2011-3544

2012-0754

2009-0927

2009-3867 2009-4324 2010-0188

2010-0188

2010-0806 2010-0840

2010-0806

2010-0188

2010-0806

2010-0840

2010-0806 2010-0840

2010-0842

2010-0842 2010-0886

2010-1297

2010-1885

2010-1297

2010-1885

2010-1885

2010-3552

SOCIAL

SOCIAL

SOCIAL

2011-0559 2011-0611 2011-1255

2011-2140

2011-1255

2011-0611

2011-1255 2011-2110

2011-2140

? flash-mp

2011-2110

2011-2110

2011-2140

2011-2140

2011-2110

2011-3402

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2011-3402

2011-3402

2011-3402

2011-2140

2012-0507

2012-0507

2012-0775

2012-0775

Removed

2012-1723

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2012-0507

2012-0507

Removed

2012-0507

Removed

2012-0754

2012-1723

2012-1723

2012-1723

2012-1723

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2011-3544

2012-0003

2012-0507

2012-0507

2012-1723

2012-1723

2012-0507

2012-0507

2012-0754 2012-0775

2012-0507

2012-0507

2012-0507

2012-0507

2012-0507

2012-0507

2012-0507

2012-0779 Unknown CVE 2012-1535 2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1723

2012-1876

2012-4681

2012-4681

2012-5076

2012-5076

2012-4681

2012-4681

2012-4681

2012-4681

2012-4681

2012-5076

2012-5076

2012-1889

2012-1889

2012-4681

2012-4681

2012-1889

2012-4681

2012-4681

2012-5076

2012-5076

2012-4681

2012-4681

2012-4681

2012-4681

2012-4792

2012-1876

2012-1889

2012-1889

2012-4681

2012-4681

2012-1889

2012-1889

2012-1889

2012-4681

2012-4681

2012-4681

2012-4969

2012-4969

2012-4969

2012-4681

2012-4681

2012-4792

2012-5076

2012-5076

2012-5076

2012-4681

2012-4681

2012-4792

2012-4969

2012-5076

2012-5076

2012-5076

2012-5076

2012-5076

2013-0422

2013-0422

2013-0422

2012-0775 2012-1876 2012-1889 2013-0422

2013-0422

2013-0422 2013-0431

2013-0431

2013-0634

2013-0634

2013-0431

2013-0422

2013-0422

2013-0422

2013-0431

2013-0431

2013-0634

2013-0431

2013-0422

2013-0422

2013-0422

2013-0422

2013-0422

2013-0422

2013-0431

2013-0422

2013-0431

2013-0634 2013-1347

2013-0422

2013-0422

2013-0422

2013-0422

2013-0431

2013-0634

2013-0634

2013-1347

20131488 2013-1493

2013-1493

2013-1493

2013-1493

2013-1493

2013-1493

2013-1493

2013-1493

2013-1493

2013-1493

2013-2423

2013-2423

2013-1493

2013-1493

2013-1690 2013-2423

2013-2423

2013-2460

2013-2460

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

2013-2423

SOCIAL 2013-2460

2013-2460

2013-2460

2013-2460

2013-2463 2013-2465

2013-2465

2013-2463

2013-2465

2013-2471

2013-2471 ??

2013-2465 2013-2471

2013-2463

2013-2465

2013-2471

2013-2460

2013-2460

2013-2460

2013-2463

2013-2463

2013-2463

2013-2465 2013-2471

2013-2465 2013-2471

2013-2471

2013-2471

2013-2471 2013-2472

replaced by CVE2013-3918

2013-2551

2013-2551

2013-2551

2013-2551

2013-2551

2013-0074/3896

2013-0074/3896

20130074/3896

2013-2551

2013-2551

2013-2551 CVE-20130074/3896

2013-3918 2013-3897

2013-3897 2013-5329

Nuclear 3.x

6

Nuclear 3.x

5

3

$1,500

$1,500

Nuclear 2.2 - Nuclear 2.1 >

2

10

13

4

1

5?

7

Gong Da / GonDad

Gong Da / GonDad

Redkit 2.2

Goon (found to be Redkit 2.1)

Redkit

Redkit (former Puerto?)

$1,500 Nuclear 2.0

5

2?

3

5?

2?

2?

Fiesta (formerly Neosploit)

Neo Sploit

DotkaChef

Angler

FlashPack (child of SafePack / CritXPack/ Vintage Pack)

Safe Pack

CVE-2010-0188

CVE-2012-4681

CVE-2012-1723 CVE-2012-1723 CVE-2011-3402

CVE-2012-0507

CVE-2011-3544

CVE-2013-2471

CVE-2012-1723 CVE-2012-0507

CVE-2013-0074/3896

CVE-2012-1723

CVE-2012-4681 CVE-2011-3544

CVE-2012-1723

CVE-2012-0003

CVE-2013-1493

CVE-2013-0422 CVE-2012-1723

CVE-2013-0431

CVE-2013-2423 CVE-2013-2423

CVE-2012-5076

CVE-2012-1889

CVE-2012-0507

CVE-2013-2460

CVE-2013-1493 CVE-2012-4681

CVE-2013-0634

CVE-2013-2460 CVE-2013-2460

CVE-2013-0422

CVE-2013-3918 CVE-2013-2551

CVE-2012-1723 CVE-2012-1723 CVE-2013-0422 CVE-2013-0422

CVE-2011-3544

CVE-2012-4681 CVE-2012-5076

CVE-2011-2140

CVE-2013-2551

CVE-2012-0507

CVE-2010-0188 CVE-2010-0188

x2o (Redkit Light)

Exploits in ths pack - listing

CVE-2010-0188 CVE-2010-0188

CVE-2010-0188 CVE-2010-0188 CVE-2010-0188

?

3?

6

4

?

traff

Exploits in ths pack - listing

CVE-2012-1723 CVE-2012-4681

CVE-2013-2423 CVE-2012-5076 CVE-2013-0422 CVE-2013-2423

CVE-2013-2465

CVE-2013-2551

CVE-2012-5692

CVE-20130074/3896

CVE-2013-1493 CVE-2013-0634 CVE-2013-2423 CVE-2013-2551 CVE-2013-5329 CVE-2013-2471 ??

CVE-20130074/3896

CVE-2012-1723

CVE-2013-2551

CVE-2013-2423

9?

6?

2700

2700

3?

6

8

6

6

4?

5

$450-$1350 /mo

$450/mo

Author Paunch arrested in 10-'13

Neutrino

Neutrino

Blackhole (last)

5

Korean language NB Exploiter Version 2.8.4.6

6?

6?

11

1500

1500

10

Magnitude / Death Touch White Lotus (formerly known as Popads)

Popads

CVE-2011-3544 CVE-2011-3402

CVE-20130431

CVE-20132423

CVE-2013-2465 CVE-2012-0507

Social Eng

CVE-20132471

CVE-2012-1723 CVE-2010-0188 CVE-2010-0188 CVE-2010-0188

CVE-2012-1889

CVE-2011-2140 CVE-2011-0611 CVE-2010-3962

CVE-2011-3544 CVE-2013-2460

CVE-2013-0431

CVE-2013-2460

CVE-20132551

CVE-2012-5076 CVE-2011-3544 CVE-2011-3544 CVE-2011-3544

CVE-2012-4681

CVE-2011-3544 CVE-2011-2140 CVE-2011-1255

CVE-2013-0634 CVE-2013-2463*

CVE-2013-1493

CVE-2013-2471

CVE-2007-5659 CVE-2010-0188 CVE-2010-0188 CVE-2007-5659 /2008-0655 /2008-0655 CVE-2012-0507 CVE-2012-0507 CVE-2008-2992 CVE-2008-2992

CVE-2013-0431 CVE-2012-0507 CVE-2012-0507

CVE-20124792*

CVE-2012-0754 CVE-2011-3544 CVE-2011-0611

CVE-2013-2465 CVE-2013-2465*

CVE-2013-2423

and + all or some

CVE-2012-1723 CVE-2012-1723 CVE-2009-0927 CVE-2009-0927

CVE-2013-2551 CVE-2013-0634 CVE-2013-2460 CVE-2013-2471 CVE-2013-2551

Sweet Orange

Sweet Orange Sweet Sweet Sweet Orange 1.? Orange 1.? Orange 1.1 1.0 CVE-2010-0188 CVE-2006-0003 CVE-2006-0003 CVE-2006-0003

CVE-2012-1723 CVE-2012-1723 CVE-2012-4681 CVE-2012-4681

CK (child of Netboom Exploiter) CVE-2011-3544

CK (child of Netboom Exploiter)

CK (child of Netboom Exploiter)

CVE-2011-0611 CVE-2010-0806 CVE- 2010-0806

CVE-2013-0422 CVE-2012-1535 CVE-2012-0003 CVE-2013-0634

Net Boom NB Exploiter

CVE-2011-2110

CVE-2012-1889 CVE-2012-0754 CVE-2011-2140

HiMan (High Load)

CVE-2010-0188 CVE-2013-0431

CVE-2013-2551 CVE-2013-2551

CVE-2012-1723

CVE-2013-0422

exploits

CVE-20130074/3896

from the previous version

Blackhole 2.x Blackhole 2.0 Blackhole 1.2.5 Blackhole 1.2.3 CVE-2006-0003 CVE-2006-0003 CVE-2006-0003 CVE-2006-0003

CVE-2012-4681 CVE-2012-4681 CVE-2010-0188 CVE-2010-0188 CVE-2012-5076 CVE-2012-5076 CVE-2010-1885 CVE-2010-0842

Exploits in ths pack - listing

CVE-2013-0422

CVE-2012-4792

CVE-2012-5076

CVE-2013-3897

CVE-2012-4681

* switch 2463*<>2465*

CVE-2013-0422

CVE-2011-0559 CVE-2010-1885

Exploits in ths pack - listing

CVE-2013-0634

CVE-2012-4969

CVE-2013-0431

* removed

CVE-2012-4969

Possibly + exploits

CVE-2013-0431

CVE-2011-2110 CVE-2011-0559

Exploits in ths pack - listing

CVE-2013-2465

CVE-2012-5076

CVE-2013-2423

from the previous

CVE-2011-3402

CVE-2012-1723 CVE-2011-3544

Exploits in ths pack - listing

CVE-2013-3897

CVE-2012-1889

Exploits in ths pack - listing

CVE-2013-0422 CVE-2013-0634

Exploits in ths pack - listing

CVE-2013-1493

version

5

3

Crime Boss 2013

Crime Boss 2012

?

Crimeboss

CVE- CVE-20112013- 3544 1488 and + CVE-2012all or 4681 some CVE-2013exploits 0422 from CVE-2013the 2423 previous version SOCIAL

5

3

10k/hour = 900$ / 3500$ mo - and more for higher traff

3-5K/mo

Grandsoft

Grandsoft

CVE-2011-3544 CVE-2010-0188 CVE-2010-0188

7

CVE-2006-0003

4

Sakura 1.0

4?

2+?

3?

3

2+?

4

3?

5

11

5+

19?

8

9?

7?

?

Cool

Cool

Cool

Styx 2.x 2013

Styx 2.0

Topic

CVE-2006-0003 CVE-2006-0003

Rawin

Flimkit

Cool EK (Kore-sh)

Sibhost Kore (formely (Urausy/BestAV Cool/Styxy Sibhost) EK)

CVE-2012-5076

CVE-2013-2460 CVE-2013-2423

CVE-2013-1347 cve-2013-2471

CVE-2013-1493 CVE-2013-2423

CVE-2013-2463 CVE-2013-2460

CVE-2013-1493

CVE-2011-3402* CVE-2011-3402 CVE-2012-1876

CVE-2010-0188 CVE-2010-0188 CVE-2011-3544 CVE-2011-3544

CVE-2013-1690

CVE-2013-2423 CVE-2013-2471

CVE-2013-2463

CVE-2013-2423

CVE-2013-0431

CVE-2012-1723 CVE-2013-0634

CVE-2011-3402 CVE-2011-3402 CVE-2012-0507 CVE-2012-0507

CVE-2011-3544 CVE-2011-3544

CVE-2013-2465

CVE-2013-1493

CVE-2013-0422 CVE-2013-2465

CVE-2012-0507 CVE-2012-0507 CVE-2012-1723 CVE-2012-1723

version

CVE-2013-2471

CVE-2013-2423

CVE-2010-0188 CVE-2012-0755

CVE-2007-5659 CVE-2006-0003 CVE-2006-0003 CVE-2007-5659 /2008-0655 /2008-0655

CVE-2012-1723 CVE-2013-2463 CVE-2012-0507 CVE-2012-1723

CVE-2010-0806 CVE-2010-0806 CVE-2010-0842 CVE-2010-0842

exploits from the previous

CVE-2012-4681 CVE-2012-5076

CVE-2010-0188

Styx 4.0

CVE-2013-2460

CVE-2013-2460

cve-2013-2471

Glazunov

and + all or some

CVE-2010-0188 CVE-2011-3544

4

5

6?

2?

5

G01pack

SPL Pack

Serenity Pack

13

4?

Alpha Pack

Impact

CVE-2013-1493 cve-2013-2471 CVE-2013-2423

and + all or some

CVE-2013-0422

CVE-2013-2460 exploits

CVE-2013-2423

CVE-2013-2463

from the previous

CVE-2013-2472 version

CVE-2012-1889 CVE-2012-0507

CVE-2013-2551

CVE-2012-4681

Social Eng

CVE-2012-0775 CVE-2012-0775 CVE-2012-4681 CVE-2012-4681 Unknown CVE CVE-2012-1723 CVE-2012-4969 CVE-2012-4969

CVE-20132423

Nice EK

CVE-2012-1723

KaiXin Nov '12

KaiXin Aug '12

8

7

3?

- $1,800 rent $400/wk $200rent

$150/wk $250/mo

LightsOut

CVE-2013-1493

CVE-2011-3544 CVE-2013-0422

?

1-2K /mo rent

CVE-2013-2423

CVE-2011-3544 CVE-2013-0422

CVE-2013-2463

7

Sakura 1.1

CVE-2013-1347

CVE-2012-4681 SOCIAL

CVE-2013-2423

9-

Sakura 1.x

$1100 / mo rent

Private EK

CritXPack

Whitehole

5

3 2-5K

Red Dot

Assoc AiD no (info from Private name Ad only)

CVE-2010CVE-2011-1255 CVE-2011-1255 CVE-2006-0003 CVE-2012-1723 CVE-2006-0003 CVE-2011-2140 CVE-2007-5659 CVE-2006-0003 CVE-2011-3544 CVE-2012-0507 CVE-2011/2008-0655 3106 0188 CVE-2012CVE-2011-3544 CVE-2011-3544 CVE-2009-0927 CVE-2013-0422 CVE-2010-0188 CVE-2006-0003 CVE-2010-0188 CVE-2010-0188 CVE-2012-1723 CVE-2012-5076 CVE-20121876 1723 CVE-2012CVE-2012-1723 CVE-2012-0507 CVE-2010-1423 CVE-2012-0507 CVE-2008-2992 CVE-2012-1723 CVE-2011-2110 CVE-2012-4681 CVE-2013-0422 CVE-20121880 4681 CVE-2012CVE-2012-1889 CVE-2012-0754 CVE-2010-1885 CVE-2012-4681 CVE-2009-0927 CVE-2012-5076 CVE-2011-3544 CVE-2012-5076 3683 CVE-2012-1723 CVE-2012-1723 CVE-2012-4969 CVE-2009-2477 CVE-2013-0422 CVE-2012-0507 CVE-2013-0422 Unknown CVE CVE-2012-1889 CVE-2013-0422 CVE-2010-0188 CVE-2012-1723 CVE-2013-1493

11

2

1-1.5K

1500

Phoenix 3.1.15

NucSoft

5

9

14

13

4

8

10

10

Zhi Zhu

Incognito v.2

Phoenix 3.1

Eleonore 1.8.91

"Yang Pack"

Techno XPack

Siberia Private

Hierarchy

CVE: 2010-0248 CVE-20100188 CVE-2010-0842 CVE-20120507 CVE-2011-2110

CVE-2010-0806 CVE-2004-0549

CVE-2006-0003 CVE-2006-0003 CVE-2010-0806 CVE-2008-2992 CVE-2005-0055 CVE-2006-0003

CVE-2011-1255 CVE-2007-5659 /2008-0655 CVE-2011-2110 CVE-2008-2992

CVE-2011-2140

CVE-2011-2140 CVE-2009-0927

CVE-2007-5659 CVE-2008-2463 CVE-2011-2110 CVE-2010-0188 CVE-2006-0003 CVE-2009-0927 /2008-0655 CVE-2008-2992 CVE-2010-0188 CVE-2011-2140 CVE-2010-0842 CVE-2007-5659 CVE-2010-0094 /2008-0655 CVE-2008-5353 CVE-2010-0806 CVE-2011-3544 CVE-2010-1297 CVE-2008-2463 CVE-2010-0188

CVE: 2011-2371 CVE-2011-3544

CVE-2012-0003 CVE-2009-4324 CVE-2010-0842

CVE-2009-0927 CVE-2010-0840 CVE-2009-3867 CVE-2010-1885

CVE-2012-1876 CVE-2012-1889 CVE-2013-0431 CVE-2013-0431

CVE-2010-0806

CVE-2012-4681 CVE-2013-2423

CVE-2011-3659

CVE-2010-0886

CVE-2009-4324 CVE-2010-4452

CVE-2010-2884 CVE-2008-2992 CVE-2010-0806 CVE-2010-3552 CVE-2009CVE-2010-0840 0075/0076 CVE-2010-3654 CVE-2009-0927 CVE-2010-1297

CVE-2012-1889 CVE-2012-4681 Social Eng

CVE-2010-0840

CVE-2012-4792

CVE-2012-0500

CVE-2010-1885

CVE-2010-0188 CVE-2011-0558

SOCIAL

CVE-2012-4681

CVE-2010-2883

CVE-2013-2423

CVE-2012-0507

CVE-2012-0507

CVE-2010-0840 CVE-2011-0559

CVE-2009-4324 CVE-2011-0611

CVE-2010-0886 CVE-2011-0611

CVE-2010-0806

CVE-2012-4792

CVE-2010-3552

CVE-2012-5076 CVE-2012-1876

CVE-2012-1723 CVE-2012-1889

CVE-2010-1240 CVE-2011-2462 CVE-2010-1297 CVE-2011-3521

CVE-2012-1889

CVE-2012-4681

CVE-2011-3544 CVE-2011-3544

CVE-2013-0422

Exploits in ths pack - listing

CVE-2013-0431 CVE-2013-0437 CVE-2013-1347 CVE-2013-1690

Exploits in ths pack - listing

Social Eng

Exploits in ths pack - listing

2009-0927

2009-4324

2011-0559

2012-1876

Exploits in ths pack - listing

Exploits in ths pack - listing

2008-2992

2012-3683

Exploits in ths pack - listing

Exploits in ths pack - listing

2008-2992

2009-0927

2012-5692

Exploits in ths pack - listing

Exploits in ths pack - listing

01-'12

2008-2463

2008-2992

2010-0806

2012-0003

2012-0507

2012-4969

Last Update date:

Exploits in ths pack - listing

Hierarchy

2006-0003

2012-1880

By Mila Jan 21, 2014

Exploits in ths pack - listing

01-'12

2006-0003 2007-5659 /2008-0655

SOCIAL

6

Exploits in ths pack - listing

Siberia Private

2012-0500

Notes

Product / type . < means that v. and Exploit Description (CLICK ON CELLS 2 SEE TEXT) below

01-'12

2011-3659

JAVA Memory Corruption Vulnerability

CVE-2013-5329 on Flash 11.9.900.117

Techno XPack

01-'12

2010-0188

2010-0842

2011-3402

2012-0003

2012-0507

JAVA < 7 Update 21, < 6 Update 45, and < 5.0 Update 45, and OpenJDK 7 - Incorrect IntegerComponentRaster size checks JAVA < SE 7 Update 21, < 6 Update 45, < 5.0 Update 45, and OpenJDK 7 Incorrect ShortBandedRaster size checks in 2D

CVE-2013-3918

"Yang Pack"

03-'12

2006-0003

2007-5659 /2008-0655

2011-3521

Self-Generated fake cert Social Eng

CVE-2013-3897

Eleonore 1.8.91

03-'12

2006-0003

Phoenix 3.1

2011-2462

JAVA The color mgmnt (CMM) functionality in the 2D - an outof-bounds read or memory corruption in the JVM

Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7 "insufficient access checks" in the tracing component. JAVA < Update 21 6 Update 45 and earlier, and< 5.0 Update 45, and OpenJDK 7 -Incorrect image attribute verification in 2D.

2010-0188

2010-1885

FF < 22.0, FF ESR 17.x before 17.0.7, TBird < 17.0.7, and TBird ESR 17.x< 17.0.7 do not properly handle onreadystatechange events with page reloading,

JAVA SE 7 Update 17 and earlier allows remote attackers to

-

2012

2007-5659 /2008-0655

2011-2371

2013-0634

-

Incognito v.2

2011-3106

2013-0422

-

02-'12

2008-2992

2011-2110

2011-3402

2012-1889

Java

Zhi Zhu

2012

2011-0611

IE Microsoft Internet Explorer 8 improper object handling in memory JAVA via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager

Java < Java7u17 affect integrity via unknown vectors related to HotSpot.

NucSoft

05-'12

2011-0558

2013-0634

Java < 7u15 6u41 FF < 22, Tbird < 17.0.7

Phoenix 3.1.15

2006-0003

2010-4452

2013-0422

IE 8 Java <7u17, 6, 7

Java < 7u21 6u45 Java < 7u21 6u45 Java < 7u21 6u45 Java < 7u21 6u45 Java < 7u21 6u45

11-'12

2010-0806

2010-1885

SOCIAL

2011-0559 2011-0611

2011-2110

JAVA: abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox JAVA Unspecified vulnerability in the Java Runtime Environment (JRE) via unknown vectors related to 2D.

Java 7u11

SWF<10.3.183.51 FLASH Buffer overflow in Adobe Flash Player via crafted SWF content, as exploited in the wild in February 2013. (win)

Social Fake Cert

Impact

2007-5659 /2008-0655

2011-1255

2012-1889

< Java 7u11 Java 7u11

CVE-2013-1347 IE UAF CVE-2013-1488

the newer kits/versions

Neutrino

10-'13

2011-0611

JAVA: JMB/MBEAN and Reflection API allow a crafted applet to bypass SecurityManager restrictions 2013-0422 2013-0422 2013-0422

WIN XP-7, Srv2003-2008

CVE-2013-0437

Legend:

HiMan (High Load)

2010-2011

2010-3654

JAVA Arbitrary Code Execution

CVE-2013-0634

Grey Column Old(er) kit [versions] for header Text in reference and comparison with Italic

2010-0188

PHP vuln. in admin/sources/base/core.php in Invision Power Board IPB or IP.Board) 3.1.x- 3.3.x JAVA The JavaScript implementation in Adobe Reader and Acrobat 9.x < 9.5.1 and 10.x < 10.1.3 - (memory corruption) IE aka "Col Element Remote Code Execution Vulnerability," by VUPEN - Pwn2Own competition at CanSecWest 2012. WIN: - Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 memory corruption via a crafted web site.

CVE-2013-0422

slang/shorthand (CLICK ON CELLS 2 SEE TEXT)

2010-0188

<Java 7u8

CVE-2013-0431

CVE

2010-0188

IP.Board) 3.1.x through 3.3.x PDF < 9.51 and < 10.1.3 IE 6-9, 10

w Click2play bypass

Net Boom NB Exploiter

04-'12

2010-3962

IE Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll

CVE-20132551 CVE-20130074/3896

CK (child of Netboom Exploiter)

03-'13

2010-2884

JAVA _crafted applet that bypasses SecurityManager restrictions

CVE-2013-2472

CK (child of Netboom Exploiter)

11-'13

2010-3552

Use-after-free vulnerability,inCDwnBindInfo object, and exploited in the wild in December 2012.

Java Type

CK (child of Netboom Exploiter)

2010-2883

IE 6-9

Java Raster

05-'12

2006-0003

2010-0248

<Java 7u6

w click2play bypass

09-'12

2006-0003

2010-1885

IE 6-8

w click2play bypass

09-'12

2006-0003

2010-1297

CVE-2012-4969 IE 6-9

CVE-2013-2465

03-'13

2010-1423

CVE-2012-4681 Java Gondvv / Gondzz

CVE-2013-2471

Sweet Sweet Sweet Orange Sweet Orange Orange 1.? Orange 1.1 1.0

2010-0094

CVE-2012-4792 IE 6-8

CVE-2013-2463

11-'13

SWF<10.3.183.15, FLASH Player allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. 11.1.102.62 PDF < 10.1.3, < ADOBE PDF JavaScript implementation allows arbitrary code execution 9.5.1 SWF<10.3.183.19, ADOBE FLASH (via IE?)- object type confusion 11.2.202.235 SWF<10.3.183.23, Claims to have some private flash exploit 11.4.402.265 SWF < Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux -SWF content in a Word document. 11.3.300.271

CVE-2012-3683 Safari Webkit

CVE-2013-2460

Sweet Orange

02-'13

2010-1240

IE _ insertRow Remote Code Execution Vulnerability

CVE-2013-1690

Popads

11-'13

2010-0886

IE 6-9

CVE-2013-2423

Magnitude / Death Touch (formerly known as Popads)

11-'13

2010-0840

CVE-2012-1880 IE InsertRow

CVE-2013-1493 Java CMM

White Lotus

04-'13

2010-0842

JAVA Remote Code Execution

XML

Safe Pack

12-'13

2010-0806

IE _ from VUPEN's Pwn2Own demo at CanSecWest 2012. Col Element Remote Code Execution Vulnerability

2012-1889

FlashPack (child of SafePack / CritXPack/ Vintage Pack)

12-'13

2009-4324 2010-0188

Java 6u32, 7u4

CVE-2012-0775 PDF 9. 10

Angler

12-'13

20090075/0076

IE 6-10

CVE-2012-1876 IE 6-9, 10

DotkaChef

09-'12

2009-3867

CVE-2012-1723 Java Byte / verifier

CVE-2012-5076 JAX-WS

Neo Sploit

01-'14

2008-5353

CVE-2012-1876 IE 6-10

CVE-2012-5692

Fiesta (formerly Neosploit)

2008-2463

FIREFOX 8/9_ AttributeChildRemoved() Use-After-Free.

MS MEDIA PLAYER _vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) JAVA _Sun Java Web Start Plugin Command Line Argument Injection (2012)

Unknown CVE

08-'13

2009-2477

FIREFOX Bootstrapped Addon Social Engineering Code Execution

Java 6u30, 7u2

CVE-2012-1535 Flash SWF in Word

x2o (Redkit Light)

before 04-'13

JAVA _Vulnerability in the Rhino Script Engine

Java 6u30, 7u2

CVE-2012-0779 Flash

Redkit

05-'13

2005-0055

FF <3.6.26 ,4.9

WMP MIDI

CVE-2012-0754 MP4 Overflow

Redkit

11-'13

2004-0549

FF < 4

CVE-2012-0507 Java Atomic

CVE-2012-0775

Goon (found to be Redkit 2.1)

12-'13

WIN XP-2008 via WINDOWS XP, 2003, 2008 TrueType Font Parsing Vulnerability IE

CVE-2012-0500 Web Start Plugin

CVE-2012-0003

Redkit 2.x

03-'13

ADOBE FLASH _ Flash memory corruption August-2011 MP4 SequenceParameterSetNALUnit Buffer Overflow

FF < 4.0.1

CVE-2011-2462 PDF U3D

CVE-2011-3402

Gong Da / GonDad

12-'13

PDF Exploit Adobe Reader Stack-based buffer overflow in CoolType.dll

PDF < 9.4

Java < 6u21

CVE-2011-2140 MP4 sequence

Gong Da / GonDad

03-'12

MS HCP _ Help Center URL Validation Vulnerability

CVE-2010-2884 authplay.dll

CVE-2011-0559 Flash 10 by exm

Nuclear 2.0

03-'12

IE MS10-002 Internet Explorer Object Memory Use-After-Free

CVE-2010-3552 JAVA SKYLINE / docbase

CVE-2011-0611 Flash 10

Nuclear 2.1

03-'12

Java Deployment Toolkit Remote Argument Injection Vulnerability (Taviso)

IE Object Memory Use-AfterIE 6, 7, 8 Free

CVE-2011-0558 Flash <10.2

Nuclear 2.2

11-'13

Java < 6u18

PDF < 9.3.3

CVE-2010-2883 PDF FONT / Cooltype

Nuclear 3.x

01-'14

Java < 6u18

CVE-2010-0886 JAVA SMB / JAVA JDT CVE-2010-1240 PDFOPEN

CVE: 20100248

Nuclear 3.x

CVE-2012-0779

CVE-2012-0507

CVE-2009-3867 CVE-2010-1885

PDF_Document rule MSOfficeSnapshotViewer { meta: ref = "CVE-2008-2463" impact = 7 strings: $cve20082463 = /(F0E42D50|F0E42D60|F2175210)-368C-11D0-AD81-00A0C90DC8D9/ nocase condition: 1 of them }

rule cf_pdf_cve_2007_5659 (pdf_Document) { meta: maltype = "all" filetype = "pdf" yaraexchange = "No distribution without author's consent" author = "Michael Remen" source = "Yara Exchange" date = "2012-08" version = "1.0" cve = "CVE-2007-5659" strings: $a = {255044462d} $b = {7961727073} $c = {6570616373656e75} $d = {6e6f6974636e7566} $e = {7961727241} condition: all of them }

rule ShellcodePattern { meta: impact = 1 //while testing hide = true strings: $unescape = "unescape" fullword nocase $shellcode = /%u[A-Fa-f0-9]{4}/ $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ condition: ($unescape and $shellcode) or $shellcode5 }

rule Utilprintf: decodedPDF { meta: ref = "CVE-2008-2992" hide = true strings: $cve20082992 = "util.printf" nocase fullword condition: 1 of them } rule cf_java_execute_write { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" ref = "http://docs.oracle.com" maltype = "all" filetype = "jar" yaraexchange = "No distribution without author's consent" date = "2012-09" strings: $magic = { CA FE BA BE } /* Local execution */ $exec0 = "Runtime.getRuntime" $exec1 = "exec" /* Exploit */ $exp0 = /arrayOf(Byte|String)/ $exp1 = "toByteArray" $exp2 = "HexDecode" $exp3 = "StringtoBytes" $exp6 = "InputStream" $exp7 = "Exception.printStackTrace" $fwrite0 = "FileOutputStream" /*contains a byte stream with the serialized representation of an object given to its constructor*/ $fwrite3 = "MarshalledObject" $fwrite4 = "writeObject" $fwrite5 = "OutputStreamWriter" /* Loader indicators */ $load0 = "getResourceAsStream" $load1 = /l(port|host)/ $load2 = "ObjectInputStream" $load3 = "ArrayOfByte" //$gen1 = "file://" condition: $magic at 0 and ((all of ($exec*) and 2 of ($fwrite*)) or (2 of ($exp*) and 2 of ($load*))) }

rule DecodedGenericCLSID : decodedOnly { meta: impact = 0 strings: $a = "02d55ba8-adf8-4a31-a685-f2f8e1e9e63d" $b = "9af45c85-b20b-4f64-8ecb-78eafca2fc53" condition: all of them }

rule cf_pdf_suspicious_obfuscation : pdf { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 2 maltype = "all" filetype = "pdf" yaraexchange = "No distribution without author's consent" strings: $magic = { 25 50 44 46 } $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/ condition: $magic at 0 and #reg > 5 }

rule collectEmailInfo: decodedPDF { meta: ref = "CVE-2007-5659" hide = true strings: $cve20075659 = "collab.collectEmailInfo" nocase fullword condition: 1 of them }

rule DecodedGenericCLSID : decodedOnly { meta: impact = 0 strings: $a = "56bfcce4-6106-4bb0-be9c-12181cab7f4b" nocase $b = "e61eea32-6d31-4dc4-9842-b7f83d9edb5f" nocase condition: 1 of them }

rule cf_pdf_suspicious_obfuscation : pdf { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 2 maltype = "all" filetype = "pdf" yaraexchange = "No distribution without author's consent" strings: $magic = { 25 50 44 46 } $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/ condition: $magic at 0 and #reg > 5 }

*vmdetect 000569 $vmware_mac_1c

rule CollabgetIcon: decodedPDF { meta: ref = "CVE-2009-0927" hide = true strings: $cve20090927 = "collab.getIcon" nocase fullword condition: 1 of them }

rule ShellcodePattern { meta: impact = 1 //while testing hide = true strings: $unescape = "unescape" fullword nocase $shellcode = /%u[A-Fa-f0-9]{4}/ $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ condition: ($unescape and $shellcode) or $shellcode5 }

rule PDFobfuscation: decodedPDF { meta: impact = 5 strings: $cveNOMATCH = "collab[" nocase condition: 1 of them }

rule ShellcodePattern { meta: impact = 1 //while testing hide = true strings: $unescape = "unescape" fullword nocase $shellcode = /%u[A-Fa-f0-9]{4}/ $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ condition: ($unescape and $shellcode) or $shellcode5 }

rule PDFobfuscation: decodedPDF { meta: impact = 5 strings: $cveNOMATCH = "collab[" nocase condition: 1 of them }

//hidden collab string

rule DecodedGenericCLSID : decodedOnly { meta: impact = 0 strings: $a = "D27CDB6E-AE6D-11cf-96B8-444553540000" nocase condition: 1 of them }

rule Utilprintf: decodedPDF { meta: ref = "CVE-2008-2992" hide = true strings: $cve20082992 = "util.printf" nocase fullword condition: 1 of them } rule DecodedIframe: decodedOnly { meta: impact = 0 hide = true strings: $iframe = "<iframe" nocase fullword

//possible in the future, if alerts are too common: //style\s*=["'\s\\]*([a-z0-9:\s]+;\s*)?(display\s*:\s*none|visibility\s*:\s*hidden) //(width|height)\s*=["'\s\\]*[01]["'\s\\>] //style=['"]display:none['"]>\s*<iframe //src\s*=\s*['"\s\\]*(&#\d+){10} //advertisers use DecodedIframe all the time //maybe domain name whitelisting? condition: 1 of them }

rule dyndns_d_la { strings: $a = "d.la" condition: $a }

rule dyndns_sytes_net { strings: $a = "sytes.net" condition: $a }

//hidden collab string

rule GEN_XOR_256bit_This_program_cannot_decremented { meta: author = "villys777@gmail.com" source = "Yara Exchange" date = "2012-08" version = "2.0" description = "encoded with decremented xor key executable" string = "This program cannot be run" byte_encode = true

rule mediaNewplayer: decodedPDF { meta: ref = "CVE-2009-4324" hide = true strings: $cve20094324 = "media.newPlayer" nocase fullword condition: 1 of them }

strings: $a1 = { 55 68 96 8d dd 8c 89 95 9e 8a 96 9b d5 97 92 9c 9f 9f 9b ce 8f 89 cb 98 9c 86} $a2 = { 56 69 69 8c de 8d 8e 94 9d 8b 99 9a d6 96 95 9d 9c 9e 84 cf 8c 88 cc 99 9f 87} $a3 = { 57 6a 68 73 df 8e 8f 93 9c 88 98 95 d7 95 94 9a 9d 9d 85 d0 8d 8b cd 9e 9e 84} $a4 = { 50 6b 6b 72 20 8f 8c 92 9b 89 9b 94 d8 94 97 9b 9a 9c 86 d1 92 8a ce 9f 99 85} $a5 = { 51 6c 6a 71 21 70 8d 91 9a 8e 9a 97 d9 9b 96 98 9b 9b 87 d2 93 95 cf 9c 98 82} $a6 = { 52 6d 6d 70 22 71 72 90 99 8f 9d 96 da 9a 99 99 98 9a 80 d3 90 94 d0 9d 9b 83} $a7 = { 53 6e 6c 77 23 72 73 6f 98 8c 9c 91 db 99 98 96 99 99 81 d4 91 97 d1 82 9a 80} $a8 = { 5c 6f 6f 76 24 73 70 6e 67 8d 9f 90 dc 98 9b 97 96 98 82 d5 96 96 d2 83 85 81} $a9 = { 5d 60 6e 75 25 74 71 6d 66 72 9e 93 dd 9f 9a 94 97 97 83 d6 97 91 d3 80 84 9e} $a10 = { 5e 61 61 74 26 75 76 6c 65 73 61 92 de 9e 9d 95 94 96 8c d7 94 90 d4 81 87 9f} $a11 = { 5f 62 60 7b 27 76 77 6b 64 70 60 6d df 9d 9c 92 95 95 8d d8 95 93 d5 86 86 9c} $a12 = { 58 63 63 7a 28 77 74 6a 63 71 63 6c 20 9c 9f 93 92 94 8e d9 9a 92 d6 87 81 9d} $a13 = { 59 64 62 79 29 78 75 69 62 76 62 6f 21 63 9e 90 93 93 8f da 9b 9d d7 84 80 9a} $a14 = { 5a 65 65 78 2a 79 7a 68 61 77 65 6e 22 62 61 91 90 92 88 db 98 9c d8 85 83 9b} $a15 = { 5b 66 64 7f 2b 7a 7b 67 60 74 64 69 23 61 60 6e 91 91 89 dc 99 9f d9 8a 82 98} $a16 = { 44 67 67 7e 2c 7b 78 66 6f 75 67 68 24 60 63 6f 6e 90 8a dd 9e 9e da 8b 8d 99} $a17 = { 45 78 66 7d 2d 7c 79 65 6e 7a 66 6b 25 67 62 6c 6f 6f 8b de 9f 99 db 88 8c 96} $a18 = { 46 79 79 7c 2e 7d 7e 64 6d 7b 69 6a 26 66 65 6d 6c 6e 74 df 9c 98 dc 89 8f 97} $a19 = { 47 7a 78 63 2f 7e 7f 63 6c 78 68 65 27 65 64 6a 6d 6d 75 20 9d 9b dd 8e 8e 94} $a20 = { 40 7b 7b 62 30 7f 7c 62 6b 79 6b 64 28 64 67 6b 6a 6c 76 21 62 9a de 8f 89 95} $a21 = { 41 7c 7a 61 31 60 7d 61 6a 7e 6a 67 29 6b 66 68 6b 6b 77 22 63 65 df 8c 88 92} $a22 = { 42 7d 7d 60 32 61 62 60 69 7f 6d 66 2a 6a 69 69 68 6a 70 23 60 64 20 8d 8b 93} $a23 = { 43 7e 7c 67 33 62 63 7f 68 7c 6c 61 2b 69 68 66 69 69 71 24 61 67 21 72 8a 90} $a24 = { 4c 7f 7f 66 34 63 60 7e 77 7d 6f 60 2c 68 6b 67 66 68 72 25 66 66 22 73 75 91} $a25 = { 4d 70 7e 65 35 64 61 7d 76 62 6e 63 2d 6f 6a 64 67 67 73 26 67 61 23 70 74 6e} $a26 = { 4e 71 71 64 36 65 66 7c 75 63 71 62 2e 6e 6d 65 64 66 7c 27 64 60 24 71 77 6f} $a27 = { 4f 72 70 6b 37 66 67 7b 74 60 70 7d 2f 6d 6c 62 65 65 7d 28 65 63 25 76 76 6c} $a28 = { 48 73 73 6a 38 67 64 7a 73 61 73 7c 30 6c 6f 63 62 64 7e 29 6a 62 26 77 71 6d} $a29 = { 49 74 72 69 39 68 65 79 72 66 72 7f 31 73 6e 60 63 63 7f 2a 6b 6d 27 74 70 6a} $a30 = { 4a 75 75 68 3a 69 6a 78 71 67 75 7e 32 72 71 61 60 62 78 2b 68 6c 28 75 73 6b} $a31 = { 4b 76 74 6f 3b 6a 6b 77 70 64 74 79 33 71 70 7e 61 61 79 2c 69 6f 29 7a 72 68} $a32 = { 74 77 77 6e 3c 6b 68 76 7f 65 77 78 34 70 73 7f 7e 60 7a 2d 6e 6e 2a 7b 7d 69} $a33 = { 75 48 76 6d 3d 6c 69 75 7e 6a 76 7b 35 77 72 7c 7f 7f 7b 2e 6f 69 2b 78 7c 66} $a34 = { 76 49 49 6c 3e 6d 6e 74 7d 6b 79 7a 36 76 75 7d 7c 7e 64 2f 6c 68 2c 79 7f 67} $a35 = { 77 4a 48 53 3f 6e 6f 73 7c 68 78 75 37 75 74 7a 7d 7d 65 30 6d 6b 2d 7e 7e 64} $a36 = { 70 4b 4b 52 00 6f 6c 72 7b 69 7b 74 38 74 77 7b 7a 7c 66 31 72 6a 2e 7f 79 65} $a37 = { 71 4c 4a 51 01 50 6d 71 7a 6e 7a 77 39 7b 76 78 7b 7b 67 32 73 75 2f 7c 78 62} $a38 = { 72 4d 4d 50 02 51 52 70 79 6f 7d 76 3a 7a 79 79 78 7a 60 33 70 74 30 7d 7b 63} $a39 = { 73 4e 4c 57 03 52 53 4f 78 6c 7c 71 3b 79 78 76 79 79 61 34 71 77 31 62 7a 60} $a40 = { 7c 4f 4f 56 04 53 50 4e 47 6d 7f 70 3c 78 7b 77 76 78 62 35 76 76 32 63 65 61} $a41 = { 7d 40 4e 55 05 54 51 4d 46 52 7e 73 3d 7f 7a 74 77 77 63 36 77 71 33 60 64 7e} $a42 = { 7e 41 41 54 06 55 56 4c 45 53 41 72 3e 7e 7d 75 74 76 6c 37 74 70 34 61 67 7f} $a43 = { 7f 42 40 5b 07 56 57 4b 44 50 40 4d 3f 7d 7c 72 75 75 6d 38 75 73 35 66 66 7c} $a44 = { 78 43 43 5a 08 57 54 4a 43 51 43 4c 00 7c 7f 73 72 74 6e 39 7a 72 36 67 61 7d} $a45 = { 79 44 42 59 09 58 55 49 42 56 42 4f 01 43 7e 70 73 73 6f 3a 7b 7d 37 64 60 7a} $a46 = { 7a 45 45 58 0a 59 5a 48 41 57 45 4e 02 42 41 71 70 72 68 3b 78 7c 38 65 63 7b} $a47 = { 7b 46 44 5f 0b 5a 5b 47 40 54 44 49 03 41 40 4e 71 71 69 3c 79 7f 39 6a 62 78} $a48 = { 64 47 47 5e 0c 5b 58 46 4f 55 47 48 04 40 43 4f 4e 70 6a 3d 7e 7e 3a 6b 6d 79} $a49 = { 65 58 46 5d 0d 5c 59 45 4e 5a 46 4b 05 47 42 4c 4f 4f 6b 3e 7f 79 3b 68 6c 76} $a50 = { 66 59 59 5c 0e 5d 5e 44 4d 5b 49 4a 06 46 45 4d 4c 4e 54 3f 7c 78 3c 69 6f 77} $a51 = { 67 5a 58 43 0f 5e 5f 43 4c 58 48 45 07 45 44 4a 4d 4d 55 00 7d 7b 3d 6e 6e 74} $a52 = { 60 5b 5b 42 10 5f 5c 42 4b 59 4b 44 08 44 47 4b 4a 4c 56 01 42 7a 3e 6f 69 75} $a53 = { 61 5c 5a 41 11 40 5d 41 4a 5e 4a 47 09 4b 46 48 4b 4b 57 02 43 45 3f 6c 68 72} $a54 = { 62 5d 5d 40 12 41 42 40 49 5f 4d 46 0a 4a 49 49 48 4a 50 03 40 44 00 6d 6b 73} $a55 = { 63 5e 5c 47 13 42 43 5f 48 5c 4c 41 0b 49 48 46 49 49 51 04 41 47 01 52 6a 70} $a56 = { 6c 5f 5f 46 14 43 40 5e 57 5d 4f 40 0c 48 4b 47 46 48 52 05 46 46 02 53 55 71} $a57 = { 6d 50 5e 45 15 44 41 5d 56 42 4e 43 0d 4f 4a 44 47 47 53 06 47 41 03 50 54 4e} $a58 = { 6e 51 51 44 16 45 46 5c 55 43 51 42 0e 4e 4d 45 44 46 5c 07 44 40 04 51 57 4f} $a59 = { 6f 52 50 4b 17 46 47 5b 54 40 50 5d 0f 4d 4c 42 45 45 5d 08 45 43 05 56 56 4c} $a60 = { 68 53 53 4a 18 47 44 5a 53 41 53 5c 10 4c 4f 43 42 44 5e 09 4a 42 06 57 51 4d} $a61 = { 69 54 52 49 19 48 45 59 52 46 52 5f 11 53 4e 40 43 43 5f 0a 4b 4d 07 54 50 4a} $a62 = { 6a 55 55 48 1a 49 4a 58 51 47 55 5e 12 52 51 41 40 42 58 0b 48 4c 08 55 53 4b} $a63 = { 6b 56 54 4f 1b 4a 4b 57 50 44 54 59 13 51 50 5e 41 41 59 0c 49 4f 09 5a 52 48} $a64 = { 14 57 57 4e 1c 4b 48 56 5f 45 57 58 14 50 53 5f 5e 40 5a 0d 4e 4e 0a 5b 5d 49} $a65 = { 15 28 56 4d 1d 4c 49 55 5e 4a 56 5b 15 57 52 5c 5f 5f 5b 0e 4f 49 0b 58 5c 46} $a66 = { 16 29 29 4c 1e 4d 4e 54 5d 4b 59 5a 16 56 55 5d 5c 5e 44 0f 4c 48 0c 59 5f 47} $a67 = { 17 2a 28 33 1f 4e 4f 53 5c 48 58 55 17 55 54 5a 5d 5d 45 10 4d 4b 0d 5e 5e 44} $a68 = { 10 2b 2b 32 60 4f 4c 52 5b 49 5b 54 18 54 57 5b 5a 5c 46 11 52 4a 0e 5f 59 45} $a69 = { 11 2c 2a 31 61 30 4d 51 5a 4e 5a 57 19 5b 56 58 5b 5b 47 12 53 55 0f 5c 58 42} $a70 = { 12 2d 2d 30 62 31 32 50 59 4f 5d 56 1a 5a 59 59 58 5a 40 13 50 54 10 5d 5b 43} $a71 = { 13 2e 2c 37 63 32 33 2f 58 4c 5c 51 1b 59 58 56 59 59 41 14 51 57 11 42 5a 40} $a72 = { 1c 2f 2f 36 64 33 30 2e 27 4d 5f 50 1c 58 5b 57 56 58 42 15 56 56 12 43 45 41} $a73 = { 1d 20 2e 35 65 34 31 2d 26 32 5e 53 1d 5f 5a 54 57 57 43 16 57 51 13 40 44 5e} $a74 = { 1e 21 21 34 66 35 36 2c 25 33 21 52 1e 5e 5d 55 54 56 4c 17 54 50 14 41 47 5f} $a75 = { 1f 22 20 3b 67 36 37 2b 24 30 20 2d 1f 5d 5c 52 55 55 4d 18 55 53 15 46 46 5c} $a76 = { 18 23 23 3a 68 37 34 2a 23 31 23 2c 60 5c 5f 53 52 54 4e 19 5a 52 16 47 41 5d} $a77 = { 19 24 22 39 69 38 35 29 22 36 22 2f 61 23 5e 50 53 53 4f 1a 5b 5d 17 44 40 5a} $a78 = { 1a 25 25 38 6a 39 3a 28 21 37 25 2e 62 22 21 51 50 52 48 1b 58 5c 18 45 43 5b} $a79 = { 1b 26 24 3f 6b 3a 3b 27 20 34 24 29 63 21 20 2e 51 51 49 1c 59 5f 19 4a 42 58} $a80 = { 04 27 27 3e 6c 3b 38 26 2f 35 27 28 64 20 23 2f 2e 50 4a 1d 5e 5e 1a 4b 4d 59} $a81 = { 05 38 26 3d 6d 3c 39 25 2e 3a 26 2b 65 27 22 2c 2f 2f 4b 1e 5f 59 1b 48 4c 56} $a82 = { 06 39 39 3c 6e 3d 3e 24 2d 3b 29 2a 66 26 25 2d 2c 2e 34 1f 5c 58 1c 49 4f 57} $a83 = { 07 3a 38 23 6f 3e 3f 23 2c 38 28 25 67 25 24 2a 2d 2d 35 60 5d 5b 1d 4e 4e 54} $a84 = { 00 3b 3b 22 70 3f 3c 22 2b 39 2b 24 68 24 27 2b 2a 2c 36 61 22 5a 1e 4f 49 55} $a85 = { 01 3c 3a 21 71 20 3d 21 2a 3e 2a 27 69 2b 26 28 2b 2b 37 62 23 25 1f 4c 48 52} $a86 = { 02 3d 3d 20 72 21 22 20 29 3f 2d 26 6a 2a 29 29 28 2a 30 63 20 24 60 4d 4b 53} $a87 = { 03 3e 3c 27 73 22 23 3f 28 3c 2c 21 6b 29 28 26 29 29 31 64 21 27 61 32 4a 50} $a88 = { 0c 3f 3f 26 74 23 20 3e 37 3d 2f 20 6c 28 2b 27 26 28 32 65 26 26 62 33 35 51} $a89 = { 0d 30 3e 25 75 24 21 3d 36 22 2e 23 6d 2f 2a 24 27 27 33 66 27 21 63 30 34 2e} $a90 = { 0e 31 31 24 76 25 26 3c 35 23 31 22 6e 2e 2d 25 24 26 3c 67 24 20 64 31 37 2f} $a91 = { 0f 32 30 2b 77 26 27 3b 34 20 30 3d 6f 2d 2c 22 25 25 3d 68 25 23 65 36 36 2c} $a92 = { 08 33 33 2a 78 27 24 3a 33 21 33 3c 70 2c 2f 23 22 24 3e 69 2a 22 66 37 31 2d} $a93 = { 09 34 32 29 79 28 25 39 32 26 32 3f 71 33 2e 20 23 23 3f 6a 2b 2d 67 34 30 2a} $a94 = { 0a 35 35 28 7a 29 2a 38 31 27 35 3e 72 32 31 21 20 22 38 6b 28 2c 68 35 33 2b} $a95 = { 0b 36 34 2f 7b 2a 2b 37 30 24 34 39 73 31 30 3e 21 21 39 6c 29 2f 69 3a 32 28} $a96 = { 34 37 37 2e 7c 2b 28 36 3f 25 37 38 74 30 33 3f 3e 20 3a 6d 2e 2e 6a 3b 3d 29} XOR_embeded_exefile_xored_with_round_256_bytes_key $a97 = { 35 08 36 2d 7d 2c 29 35 3e 2a 36 3b 75 37 32 3c 3f 3frule 3b 6e 2f 29 6b 38 3c 26} //Yara Distribution and sharing prohibited without author's $a98 = { 36 09 09 2c 7e 2d 2e 34 3d 2b 39 3a 76 36 35 3d 3c 3e 24 6fExchange: 2c 28 6c 39 3f 27} $a99 = { 37 0a 08 13 7f 2e 2f 33 3c 28 38 35 77 35 34 3a 3d 3dconsent. 25 70 2dContact: 2b 6d 3eyara@deependresearch.org 3e 24} { 26 71 32 2a 6e 3f 39 25} $a100 = { 30 0b 0b 12 40 2f 2c 32 3b 29 3b 34 78 34 37 3b 3a 3c $a101 = { 31 0c 0a 11 41 10 2d 31 3a 2e 3a 37 79 3b 36 38 3b meta: 3b 27 72 33 35 6f 3c 38 22} author = "villys777@gmail.com" $a102 = { 32 0d 0d 10 42 11 12 30 39 2f 3d 36 7a 3a 39 39 38 3a 20 73 30 34 70 3d 3b 23} description encoded with increment or decremented $a103 = { 33 0e 0c 17 43 12 13 0f 38 2c 3c 31 7b 39 38 36 39 39 21 74 31 =37"executable 71 22 3a 20} $a104 = { 3c 0f 0f 16 44 13 10 0e 07 2d 3f 30 7c 38 3b 37 36 38one 22 byte 75 36xor 36key" 72 23 25 21} decription = 31 "extension $a105 = { 3d 00 0e 15 45 14 11 0d 06 12 3e 33 7d 3f 3a 34 37 37 23 76 37 73 20 24PDF,XLS,DOC,PPT" 3e} = "Yara $a106 = { 3e 01 01 14 46 15 16 0c 05 13 01 32 7e 3e 3d 35 34 source 36 2c 77 34 30 Exchange" 74 21 27 3f} date = "2012-07" $a107 = { 3f 02 00 1b 47 16 17 0b 04 10 00 0d 7f 3d 3c 32 35 35 2d 78 35 33 75 26 26 3c} byte_encode true27 21 3d} $a108 = { 38 03 03 1a 48 17 14 0a 03 11 03 0c 40 3c 3f 33 32 34 2e 79 3a 32= 76 strings: $a109 = { 39 04 02 19 49 18 15 09 02 16 02 0f 41 03 3e 30 33 33 2f 7a 3b 3d 77 24 20 3a} = 7b {0038 013c 0278 0325 0423 053b} 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 $a110 = { 3a 05 05 18 4a 19 1a 08 01 17 05 0e 42 02 01 31 30 $inc 32 28 14 29 15 7c 16 39 17 3f 1879 192a 1a22 1b38} 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 $a111 = { 3b 06 04 1f 4b 1a 1b 07 00 14 04 09 43 01 00 0e 31 31 2a2a 2b7d 2c3e 2d3e 2e7a 2f 2b 30 2d 31 39} 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 $a112 = { 24 07 07 1e 4c 1b 18 06 0f 15 07 08 44 00 03 0f 0e 30 412b 427e 433f44 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 $a113 = { 25 18 06 1d 4d 1c 19 05 0e 1a 06 0b 45 07 02 0c 0f 0f 3945 7b46 2847 2c48 36} 5a38 5b7c 5c29 5d2f 5e37} 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c $a114 = { 26 19 19 1c 4e 1d 1e 04 0d 1b 09 0a 46 06 05 0d 0c 57 0e 58 14 59 7f 3c 6d15 6e40 6f 3d 70 3b 71 7d 72 2e 73 2e 74 34} 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 $a115 = { 27 1a 18 03 4f 1e 1f 03 0c 18 08 05 47 05 04 0a 0d 0d 84 16 85 41 86 02 87 3a 88 7e 89 2f 8a29 8b35} 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 $a116 = { 20 1b 1b 02 50 1f 1c 02 0b 19 0b 04 48 04 07 0b 0a 0c $a117 = { 21 1c 1a 01 51 00 1d 01 0a 1e 0a 07 49 0b 06 08 0b 9a 0b 9b 17 9c 42 9d 03 9e 05 9f 7f a0 2c a1 28 a2 32}a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 $a118 = { 22 1d 1d 00 52 01 02 00 09 1f 0d 06 4a 0a 09 09 08 0a 10 43 00 04 40 2d 2b 33} c8 11 c9 44 ca 01 cb 07 cc cd d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de $a119 = { 23 1e 1c 07 53 02 03 1f 08 1c 0c 01 4b 09 08 06 09 09 41 ce 12 cf 2ad0 30} e045 e106 e206 e342 e413 e515 e631} e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 $a120 = { 2c 1f 1f 06 54 03 00 1e 17 1d 0f 00 4c 08 0b 07 06 08df12 f7 f8 fb 01 fc fd ff 14 00 0e} 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e $a121 = { 2d 10 1e 05 55 04 01 1d 16 02 0e 03 4d 0f 0a 04 07 07 13f946fa07 43fe10 $a122 = { 2e 11 11 04 56 05 06 1c 15 03 11 02 4e 0e 0d 05 04 0f 0610 1c11 4712 0413 0014 4415 1116 1717} 0f} $dec = {17 $a123 = { 2f 12 10 0b 57 06 07 1b 14 00 10 1d 4f 0d 0c 02 05 05 1d 48 05 16 03 15 45 14 16 13 16 12 0c}11 10 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 1e 02 49 01 0a 00 02 ff fe fc 11 fb fa $a124 = { 28 13 13 0a 58 07 04 1a 13 01 13 1c 50 0c 0f 03 02 04 46fd17 0d}f9 f8 f7 f6 f5 f4 f3 f2 f1 f0 ef ee ed ec eb ea e9 1f e84a e70b e60d e547 e414 e310 e20a} e1 e0 df de dd dc db da d9 d8 d7 d6 d5 d4 $a125 = { 29 14 12 09 59 08 05 19 12 06 12 1f 51 13 0e 00 03 03 ca c9 c8 c7 c6 c5 c4 c3 c2 c1 c0 bf be bd $a126 = { 2a 15 15 08 5a 09 0a 18 11 07 15 1e 52 12 11 01 00 d3 02 d2 18 d1 4b d0 08 cf 0cce 48cd 15cc13cb0b} bc bb ba b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 af ae ad ac ab aa a9 a8 a7 $a127 = { 2b 16 14 0f 5b 0a 0b 17 10 04 14 19 53 11 10 1e 01 01 19 4c 09 0f 49 1a 12 08} a6 a5 a4 a3 a2 a1 a0 9f 9e $a128 = { d4 17 17 0e 5c 0b 08 16 1f 05 17 18 54 10 13 1f 1e 00 1a 4d 0e 0e 4a 1b 1d 09} 9d 9c 9b 9a 99 98 97 96 95 94 93 92 91 90 8f 8e 8d 8c 8b 8a 89 88 $a129 = { d5 e8 16 0d 5d 0c 09 15 1e 0a 16 1b 55 17 12 1c 1f 1f 1b 4e 0f 09 4b 18 1c 06} 87 86 85 84 83 82 81 80 7f 7e 7d 7c 7b 7a rule DecodedGenericCLSID : decodedOnly 7608 754c 7419 731f7207} 71 70 6f 6e 6d 6c 6b 6a 69 68 67 66 65 64 $a130 = { d6 e9 e9 0c 5e 0d 0e 14 1d 0b 19 1a 56 16 15 1d 1c 79 1e 78 04 77 4f 0c { 5e1e 5d1e 5c04} 5b 5a 59 58 57 56 55 54 53 52 51 50 4f 4e 4d $a131 = { d7 ea e8 f3 5f 0e 0f 13 1c 08 18 15 57 15 14 1a 1d 1d63056250610d600b5f4d meta: 4c06 4b51 4a12 490a 484e 471f46194505} 44 43 42 41 40 3f 3e 3d 3c 3b 3a 39 38 37 $a132 = { d0 eb eb f2 a0 0f 0c 12 1b 09 1b 14 58 14 17 1b 1a 1c impact = 0 3607 3552 3413 3315 324f311c30 2e 2d 2c 2b 2a 29 28 27 26 25 24 23 22 21 $a133 = { d1 ec ea f1 a1 f0 0d 11 1a 0e 1a 17 59 1b 16 18 1b 1b 182f02} strings: 1b1d 1a1b 1903} 18 17 16 15 14 13 12 11 10 0f 0e 0d 0c 0b 0a $a134 = { d2 ed ed f0 a2 f1 f2 10 19 0f 1d 16 5a 1a 19 19 18 1a20 001f531e101d141c50 $gen = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase $a135 = { d3 ee ec f7 a3 f2 f3 ef 18 0c 1c 11 5b 19 18 16 19 1909 0108 5407 1106 1705 5104 0203 1a02 00}01 00} condition: condition: $a136 = { dc ef ef f6 a4 f3 f0 ee e7 0d 1f 10 5c 18 1b 17 16 18 02 55 16 16 52 03 05 01} 1 of them or17 $dec $a137 = { dd e0 ee f5 a5 f4 f1 ed e6 f2 1e 13 5d 1f 1a 14 17 17 $inc 03 56 11 53 00 04 1e} } $a138 = { de e1 e1 f4 a6 f5 f6 ec e5 f3 e1 12 5e 1e 1d 15 14 16} 0c 57 14 10 54 01 07 1f} $a139 = { $a140 = { $a141 = { $a142 = { $a143 = { $a144 = { $a145 = { $a146 = { $a147 = {

df e2 e0 fb a7 f6 f7 eb e4 f0 e0 ed 5f 1d 1c 12 15 15 0d 58 15 13 55 06 06 1c} d8 e3 e3 fa a8 f7 f4 ea e3 f1 e3 ec a0 1c 1f 13 12 14 0e 59 1a 12 56 07 01 1d} d9 e4 e2 f9 a9 f8 f5 e9 e2 f6 e2 ef a1 e3 1e 10 13 13 0f 5a 1b 1d 57 04 00 1a} da e5 e5 f8 aa f9 fa e8 e1 f7 e5 ee a2 e2 e1 11 10 12 08 5b 18 1c 58 05 03 1b} db e6 e4 ff ab fa fb e7 e0 f4 e4 e9 a3 e1 e0 ee 11 11 09 5c 19 1f 59 0a 02 18} c4 e7 e7 fe ac fb f8 e6 ef f5 e7 e8 a4 e0 e3 ef ee 10 0a 5d 1e 1e 5a 0b 0d 19} c5 f8 e6 fd ad fc f9 e5 ee fa e6 eb a5 e7 e2 ec ef ef 0b 5e 1f 19 5b 08 0c 16} c6 f9 f9 fc ae fd fe e4 ed fb e9 ea a6 e6 e5 ed ec ee f4 5f 1c 18 5c 09 0f 17} c7 fa f8 e3 af fe ff e3 ec f8 e8 e5 a7 e5 e4 ea ed ed f5 a0 1d 1b 5d 0e 0e 14}

rule KERNEL32_dll_xor_exe_key_239 { meta: author = "sconzo@visiblerisk.com" description = "xor encoded executable" string = "KERNEL32.dll" key = "239" byte_encode = true strings: $a = { a4 aa bd a1 aa a3 dc dd c1 8b 83 83 } condition: $a }

rule XOR_embeded_exefile_xored_with_round_256_bytes_key //Yara Exchange: Distribution and sharing prohibited without author's consent. Contact: yara@deependresearch.org { rule KERNEL32_dll_xor_exe_key_239 meta: { author = "villys777@gmail.com" meta: description = "executable encoded with increment author = "sconzo@visiblerisk.com" or decremented one byte xor key" decription = "extension PDF,XLS,DOC,PPT" description = "xor encoded executable" source = "Yara Exchange" string = "KERNEL32.dll" date = "2012-07" key = "239" byte_encode = true byte_encode = true strings: $inc = {00 01 02 03 04 05 06 07 08 09 0astrings: 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 3 $dec = {17 16 15 14 13 12 11 10 0f 0e 0d$a 0c=0b { a4 0aaa 09bd 08a1 07aa 06a3 05dc 04dd 03c1 028b 0183 0083 ff fe } fd fc fb fa f9 f8 f7 f6 f5 f4 f3 f2 f1 f0 ef ee ed ec eb ea e9 e8 e7 e6 e5 e4 e3 e2 e1 e condition: condition: $inc or $dec $a } }

rule mediaNewplayer: decodedPDF { meta: ref = "CVE-2009-4324" hide = true strings: $cve20094324 = "media.newPlayer" nocase fullword condition: 1 of them }

$a129 = { d5 e8 16 0d 5d 0c 09 15 1e 0a 16 1b 55 17 12 1c 1f 1f 1b 4e 0f 09 4b 18 1c 06} $a130 = { d6 e9 e9 0c 5e 0d 0e 14 1d 0b 19 1a 56 16 15 1d 1c 1e 04 4f 0c 08 4c 19 1f 07} $a131 = { d7 ea e8 f3 5f 0e 0f 13 1c 08 18 15 57 15 14 1a 1d 1d 05 50 0d 0b 4d 1e 1e 04} $a132 = { d0 eb eb f2 a0 0f 0c 12 1b 09 1b 14 58 14 17 1b 1a 1c 06 51 12 0a 4e 1f 19 05} $a133 = { d1 ec ea f1 a1 f0 0d 11 1a 0e 1a 17 59 1b 16 18 1b 1b 07 52 13 15 4f 1c 18 02} $a134 = { d2 ed ed f0 a2 f1 f2 10 19 0f 1d 16 5a 1a 19 19 18 1a 00 53 10 14 50 1d 1b 03} $a135 = { d3 ee ec f7 a3 f2 f3 ef 18 0c 1c 11 5b 19 18 16 19 19 01 54 11 17 51 02 1a 00} $a136 = { dc ef ef f6 a4 f3 f0 ee e7 0d 1f 10 5c 18 1b 17 16 18 02 55 16 16 52 03 05 01} $a137 = { dd e0 ee f5 a5 f4 f1 ed e6 f2 1e 13 5d 1f 1a 14 17 17 03 56 17 11 53 00 04 1e} $a138 = { de e1 e1 f4 a6 f5 f6 ec e5 f3 e1 12 5e 1e 1d 15 14 16 0c 57 14 10 54 01 07 1f} $a139 = { df e2 e0 fb a7 f6 f7 eb e4 f0 e0 ed 5f 1d 1c 12 15 15 0d 58 15 13 55 06 06 1c} $a140 = { d8 e3 e3 fa a8 f7 f4 ea e3 f1 e3 ec a0 1c 1f 13 12 14 0e 59 1a 12 56 07 01 1d} $a141 = { d9 e4 e2 f9 a9 f8 f5 e9 e2 f6 e2 ef a1 e3 1e 10 13 13 0f 5a 1b 1d 57 04 00 1a} $a142 = { da e5 e5 f8 aa f9 fa e8 e1 f7 e5 ee a2 e2 e1 11 10 12 08 5b 18 1c 58 05 03 1b} $a143 = { db e6 e4 ff ab fa fb e7 e0 f4 e4 e9 a3 e1 e0 ee 11 11 09 5c 19 1f 59 0a 02 18} $a144 = { c4 e7 e7 fe ac fb f8 e6 ef f5 e7 e8 a4 e0 e3 ef ee 10 0a 5d 1e 1e 5a 0b 0d 19} $a145 = { c5 f8 e6 fd ad fc f9 e5 ee fa e6 eb a5 e7 e2 ec ef ef 0b 5e 1f 19 5b 08 0c 16} $a146 = { c6 f9 f9 fc ae fd fe e4 ed fb e9 ea a6 e6 e5 ed ec ee f4 5f 1c 18 5c 09 0f 17} $a147 = { c7 fa f8 e3 af fe ff e3 ec f8 e8 e5 a7 e5 e4 ea ed ed f5 a0 1d 1b 5d 0e 0e 14} $a148 = { c0 fb fb e2 b0 ff fc e2 eb f9 eb e4 a8 e4 e7 eb ea ec f6 a1 e2 1a 5e 0f 09 15} $a149 = { c1 fc fa e1 b1 e0 fd e1 ea fe ea e7 a9 eb e6 e8 eb eb f7 a2 e3 e5 5f 0c 08 12} $a150 = { c2 fd fd e0 b2 e1 e2 e0 e9 ff ed e6 aa ea e9 e9 e8 ea f0 a3 e0 e4 a0 0d 0b 13} $a151 = { c3 fe fc e7 b3 e2 e3 ff e8 fc ec e1 ab e9 e8 e6 e9 e9 f1 a4 e1 e7 a1 f2 0a 10} $a152 = { cc ff ff e6 b4 e3 e0 fe f7 fd ef e0 ac e8 eb e7 e6 e8 f2 a5 e6 e6 a2 f3 f5 11} $a153 = { cd f0 fe e5 b5 e4 e1 fd f6 e2 ee e3 ad ef ea e4 e7 e7 f3 a6 e7 e1 a3 f0 f4 ee} $a154 = { ce f1 f1 e4 b6 e5 e6 fc f5 e3 f1 e2 ae ee ed e5 e4 e6 fc a7 e4 e0 a4 f1 f7 ef} $a155 = { cf f2 f0 eb b7 e6 e7 fb f4 e0 f0 fd af ed ec e2 e5 e5 fd a8 e5 e3 a5 f6 f6 ec} $a156 = { c8 f3 f3 ea b8 e7 e4 fa f3 e1 f3 fc b0 ec ef e3 e2 e4 fe a9 ea e2 a6 f7 f1 ed} $a157 = { c9 f4 f2 e9 b9 e8 e5 f9 f2 e6 f2 ff b1 f3 ee e0 e3 e3 ff aa eb ed a7 f4 f0 ea} $a158 = { ca f5 f5 e8 ba e9 ea f8 f1 e7 f5 fe b2 f2 f1 e1 e0 e2 f8 ab e8 ec a8 f5 f3 eb} $a159 = { cb f6 f4 ef bb ea eb f7 f0 e4 f4 f9 b3 f1 f0 fe e1 e1 f9 ac e9 ef a9 fa f2 e8} $a160 = { f4 f7 f7 ee bc eb e8 f6 ff e5 f7 f8 b4 f0 f3 ff fe e0 fa ad ee ee aa fb fd e9} $a161 = { f5 c8 f6 ed bd ec e9 f5 fe ea f6 fb b5 f7 f2 fc ff ff fb ae ef e9 ab f8 fc e6} $a162 = { f6 c9 c9 ec be ed ee f4 fd eb f9 fa b6 f6 f5 fd fc fe e4 af ec e8 ac f9 ff e7} $a163 = { f7 ca c8 d3 bf ee ef f3 fc e8 f8 f5 b7 f5 f4 fa fd fd e5 b0 ed eb ad fe fe e4} $a164 = { f0 cb cb d2 80 ef ec f2 fb e9 fb f4 b8 f4 f7 fb fa fc e6 b1 f2 ea ae ff f9 e5} $a165 = { f1 cc ca d1 81 d0 ed f1 fa ee fa f7 b9 fb f6 f8 fb fb e7 b2 f3 f5 af fc f8 e2} $a166 = { f2 cd cd d0 82 d1 d2 f0 f9 ef fd f6 ba fa f9 f9 f8 fa e0 b3 f0 f4 b0 fd fb e3} $a167 = { f3 ce cc d7 83 d2 d3 cf f8 ec fc f1 bb f9 f8 f6 f9 f9 e1 b4 f1 f7 b1 e2 fa e0} $a168 = { fc cf cf d6 84 d3 d0 ce c7 ed ff f0 bc f8 fb f7 f6 f8 e2 b5 f6 f6 b2 e3 e5 e1} $a169 = { fd c0 ce d5 85 d4 d1 cd c6 d2 fe f3 bd ff fa f4 f7 f7 e3 b6 f7 f1 b3 e0 e4 fe} $a170 = { fe c1 c1 d4 86 d5 d6 cc c5 d3 c1 f2 be fe fd f5 f4 f6 ec b7 f4 f0 b4 e1 e7 ff} $a171 = { ff c2 c0 db 87 d6 d7 cb c4 d0 c0 cd bf fd fc f2 f5 f5 ed b8 f5 f3 b5 e6 e6 fc} $a172 = { f8 c3 c3 da 88 d7 d4 ca c3 d1 c3 cc 80 fc ff f3 f2 f4 ee b9 fa f2 b6 e7 e1 fd} $a173 = { f9 c4 c2 d9 89 d8 d5 c9 c2 d6 c2 cf 81 c3 fe f0 f3 f3 ef ba fb fd b7 e4 e0 fa} $a174 = { fa c5 c5 d8 8a d9 da c8 c1 d7 c5 ce 82 c2 c1 f1 f0 f2 e8 bb f8 fc b8 e5 e3 fb} $a175 = { fb c6 c4 df 8b da db c7 c0 d4 c4 c9 83 c1 c0 ce f1 f1 e9 bc f9 ff b9 ea e2 f8} $a176 = { e4 c7 c7 de 8c db d8 c6 cf d5 c7 c8 84 c0 c3 cf ce f0 ea bd fe fe ba eb ed f9} $a177 = { e5 d8 c6 dd 8d dc d9 c5 ce da c6 cb 85 c7 c2 cc cf cf eb be ff f9 bb e8 ec f6} $a178 = { e6 d9 d9 dc 8e dd de c4 cd db c9 ca 86 c6 c5 cd cc ce d4 bf fc f8 bc e9 ef f7} $a179 = { e7 da d8 c3 8f de df c3 cc d8 c8 c5 87 c5 c4 ca cd cd d5 80 fd fb bd ee ee f4} $a180 = { e0 db db c2 90 df dc c2 cb d9 cb c4 88 c4 c7 cb ca cc d6 81 c2 fa be ef e9 f5} $a181 = { e1 dc da c1 91 c0 dd c1 ca de ca c7 89 cb c6 c8 cb cb d7 82 c3 c5 bf ec e8 f2} $a182 = { e2 dd dd c0 92 c1 c2 c0 c9 df cd c6 8a ca c9 c9 c8 ca d0 83 c0 c4 80 ed eb f3} $a183 = { e3 de dc c7 93 c2 c3 df c8 dc cc c1 8b c9 c8 c6 c9 c9 d1 84 c1 c7 81 d2 ea f0} $a184 = { ec df df c6 94 c3 c0 de d7 dd cf c0 8c c8 cb c7 c6 c8 d2 85 c6 c6 82 d3 d5 f1} $a185 = { ed d0 de c5 95 c4 c1 dd d6 c2 ce c3 8d cf ca c4 c7 c7 d3 86 c7 c1 83 d0 d4 ce} $a186 = { ee d1 d1 c4 96 c5 c6 dc d5 c3 d1 c2 8e ce cd c5 c4 c6 dc 87 c4 c0 84 d1 d7 cf} $a187 = { ef d2 d0 cb 97 c6 c7 db d4 c0 d0 dd 8f cd cc c2 c5 c5 dd 88 c5 c3 85 d6 d6 cc} $a188 = { e8 d3 d3 ca 98 c7 c4 da d3 c1 d3 dc 90 cc cf c3 c2 c4 de 89 ca c2 86 d7 d1 cd} $a189 = { e9 d4 d2 c9 99 c8 c5 d9 d2 c6 d2 df 91 d3 ce c0 c3 c3 df 8a cb cd 87 d4 d0 ca} $a190 = { ea d5 d5 c8 9a c9 ca d8 d1 c7 d5 de 92 d2 d1 c1 c0 c2 d8 8b c8 cc 88 d5 d3 cb} $a191 = { eb d6 d4 cf 9b ca cb d7 d0 c4 d4 d9 93 d1 d0 de c1 c1 d9 8c c9 cf 89 da d2 c8} $a192 = { 94 d7 d7 ce 9c cb c8 d6 df c5 d7 d8 94 d0 d3 df de c0 da 8d ce ce 8a db dd c9} $a193 = { 95 a8 d6 cd 9d cc c9 d5 de ca d6 db 95 d7 d2 dc df df db 8e cf c9 8b d8 dc c6} $a194 = { 96 a9 a9 cc 9e cd ce d4 dd cb d9 da 96 d6 d5 dd dc de c4 8f cc c8 8c d9 df c7} $a195 = { 97 aa a8 b3 9f ce cf d3 dc c8 d8 d5 97 d5 d4 da dd dd c5 90 cd cb 8d de de c4} $a196 = { 90 ab ab b2 e0 cf cc d2 db c9 db d4 98 d4 d7 db da dc c6 91 d2 ca 8e df d9 c5} $a197 = { 91 ac aa b1 e1 b0 cd d1 da ce da d7 99 db d6 d8 db db c7 92 d3 d5 8f dc d8 c2} $a198 = { 92 ad ad b0 e2 b1 b2 d0 d9 cf dd d6 9a da d9 d9 d8 da c0 93 d0 d4 90 dd db c3} $a199 = { 93 ae ac b7 e3 b2 b3 af d8 cc dc d1 9b d9 d8 d6 d9 d9 c1 94 d1 d7 91 c2 da c0} $a200 = { 9c af af b6 e4 b3 b0 ae a7 cd df d0 9c d8 db d7 d6 d8 c2 95 d6 d6 92 c3 c5 c1} $a201 = { 9d a0 ae b5 e5 b4 b1 ad a6 b2 de d3 9d df da d4 d7 d7 c3 96 d7 d1 93 c0 c4 de} $a202 = { 9e a1 a1 b4 e6 b5 b6 ac a5 b3 a1 d2 9e de dd d5 d4 d6 cc 97 d4 d0 94 c1 c7 df} $a203 = { 9f a2 a0 bb e7 b6 b7 ab a4 b0 a0 ad 9f dd dc d2 d5 d5 cd 98 d5 d3 95 c6 c6 dc} $a204 = { 98 a3 a3 ba e8 b7 b4 aa a3 b1 a3 ac e0 dc df d3 d2 d4 ce 99 da d2 96 c7 c1 dd} $a205 = { 99 a4 a2 b9 e9 b8 b5 a9 a2 b6 a2 af e1 a3 de d0 d3 d3 cf 9a db dd 97 c4 c0 da} $a206 = { 9a a5 a5 b8 ea b9 ba a8 a1 b7 a5 ae e2 a2 a1 d1 d0 d2 c8 9b d8 dc 98 c5 c3 db} $a207 = { 9b a6 a4 bf eb ba bb a7 a0 b4 a4 a9 e3 a1 a0 ae d1 d1 c9 9c d9 df 99 ca c2 d8} $a208 = { 84 a7 a7 be ec bb b8 a6 af b5 a7 a8 e4 a0 a3 af ae d0 ca 9d de de 9a cb cd d9} $a209 = { 85 b8 a6 bd ed bc b9 a5 ae ba a6 ab e5 a7 a2 ac af af cb 9e df d9 9b c8 cc d6} $a210 = { 86 b9 b9 bc ee bd be a4 ad bb a9 aa e6 a6 a5 ad ac ae b4 9f dc d8 9c c9 cf d7} $a211 = { 87 ba b8 a3 ef be bf a3 ac b8 a8 a5 e7 a5 a4 aa ad ad b5 e0 dd db 9d ce ce d4} $a212 = { 80 bb bb a2 f0 bf bc a2 ab b9 ab a4 e8 a4 a7 ab aa ac b6 e1 a2 da 9e cf c9 d5} $a213 = { 81 bc ba a1 f1 a0 bd a1 aa be aa a7 e9 ab a6 a8 ab ab b7 e2 a3 a5 9f cc c8 d2} $a214 = { 82 bd bd a0 f2 a1 a2 a0 a9 bf ad a6 ea aa a9 a9 a8 aa b0 e3 a0 a4 e0 cd cb d3} $a215 = { 83 be bc a7 f3 a2 a3 bf a8 bc ac a1 eb a9 a8 a6 a9 a9 b1 e4 a1 a7 e1 b2 ca d0} $a216 = { 8c bf bf a6 f4 a3 a0 be b7 bd af a0 ec a8 ab a7 a6 a8 b2 e5 a6 a6 e2 b3 b5 d1} $a217 = { 8d b0 be a5 f5 a4 a1 bd b6 a2 ae a3 ed af aa a4 a7 a7 rule b3XOR_embeded_exefile_xored_with_round_256_bytes_key e6 a7 a1 e3 b0 b4 ae} $a218 = { 8e b1 b1 a4 f6 a5 a6 bc b5 a3 b1 a2 ee ae ad a5 a4 a6 //Yara bc e7 Exchange: a4 a0 e4 Distribution b1 b7 af} and sharing prohibited without author's $a219 = { 8f b2 b0 ab f7 a6 a7 bb b4 a0 b0 bd ef ad ac a2 a5 a5consent. bd e8 a5 Contact: a3 e5 b6 yara@deependresearch.org b6 ac} $a220 = { 88 b3 b3 aa f8 a7 a4 ba b3 a1 b3 bc f0 ac af a3 a2 a4{ be e9 aa a2 e6 b7 b1 ad} $a221 = { 89 b4 b2 a9 f9 a8 a5 b9 b2 a6 b2 bf f1 b3 ae a0 a3 a3meta: bf ea ab ad e7 b4 b0 aa} $a222 = { 8a b5 b5 a8 fa a9 aa b8 b1 a7 b5 be f2 b2 b1 a1 a0 a2 author b8 eb= a8 "villys777@gmail.com" ac e8 b5 b3 ab} $a223 = { 8b b6 b4 af fb aa ab b7 b0 a4 b4 b9 f3 b1 b0 be a1 a1description b9 ec a9 af = e9 "executable ba b2 a8}encoded with increment or decremented $a224 = { b4 b7 b7 ae fc ab a8 b6 bf a5 b7 b8 f4 b0 b3 bf be a0one ba ed byte aexor ae key" ea bb bd a9} $a225 = { b5 88 b6 ad fd ac a9 b5 be aa b6 bb f5 b7 b2 bc bf bfdecription bb ee af a9 = "extension eb b8 bc a6} PDF,XLS,DOC,PPT" $a226 = { b6 89 89 ac fe ad ae b4 bd ab b9 ba f6 b6 b5 bd bc be source a4 ef =ac"Yara a8 ecExchange" b9 bf a7} $a227 = { b7 8a 88 93 ff ae af b3 bc a8 b8 b5 f7 b5 b4 ba bd bddate a5 f0= ad "2012-07" ab ed be be a4} $a228 = { b0 8b 8b 92 c0 af ac b2 bb a9 bb b4 f8 b4 b7 bb ba bc byte_encode a6 f1 b2 aa =eetrue bf b9 a5} $a229 = { b1 8c 8a 91 c1 90 ad b1 ba ae ba b7 f9 bb b6 b8 bb bb strings: a7 f2 b3 b5 ef bc b8 a2} $a230 = { b2 8d 8d 90 c2 91 92 b0 b9 af bd b6 fa ba b9 b9 b8 ba $inc a0 =f3{00 b0 01 b4 02 f0 bd 03 bb 04 a3} 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 $a231 = { b3 8e 8c 97 c3 92 93 8f b8 ac bc b1 fb b9 b8 b6 b9 b914a115f416 b117 b718 f1 19 a2 1a ba 1b a0}1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 $a232 = { bc 8f 8f 96 c4 93 90 8e 87 ad bf b0 fc b8 bb b7 b6 b82a a22b f5 b6 2c 2d b6 2e f2 a3 2f 30 a5 31 a1}32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 $a233 = { bd 80 8e 95 c5 94 91 8d 86 92 be b3 fd bf ba b4 b7 b7 41a3 42f643b744b145f346 a047 a448 be}49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 $a234 = { be 81 81 94 c6 95 96 8c 85 93 81 b2 fe be bd b5 b4 b6 57 ac 58f7 59b4 5ab0 5bf45c a15d a75e bf}5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c $a235 = { bf 82 80 9b c7 96 97 8b 84 90 80 8d ff bd bc b2 b5 b56d ad6e f86f b570 b371 f572 a673 a674 bc}75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 $a236 = { b8 83 83 9a c8 97 94 8a 83 91 83 8c c0 bc bf b3 b2 b4 84ae 85f986ba87b288f689 a78a a18b bd} 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 $a237 = { b9 84 82 99 c9 98 95 89 82 96 82 8f c1 83 be b0 b3 b3 9a af 9bfa9cbb9dbd9ef79fa4a0a0a1ba} a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 $a238 = { ba 85 85 98 ca 99 9a 88 81 97 85 8e c2 82 81 b1 b0 b1 b2 b2 a8 b3 fb b8 b4 bc b5f8 b6a5 b7a3 b8bb} b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 $a239 = { bb 86 84 9f cb 9a 9b 87 80 94 84 89 c3 81 80 8e b1 b1 c8 a9 c9 fc cab9 cbbf ccf9cdaacea2cfb8} d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de $a240 = { a4 87 87 9e cc 9b 98 86 8f 95 87 88 c4 80 83 8f 8e b0 dfaa e0fd e1be e2be e3fae4 abe5 ade6 b9} e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 $a241 = { a5 98 86 9d cd 9c 99 85 8e 9a 86 8b c5 87 82 8c 8f 8ff7ab f8 fe f9 bf fa b9 fb fc fbfd a8feac ff b6} 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e $a242 = { a6 99 99 9c ce 9d 9e 84 8d 9b 89 8a c6 86 85 8d 8c 8e 0f 10 94 11 ff bc 12b8 13fc14a915af16 b7}17} $a243 = { a7 9a 98 83 cf 9e 9f 83 8c 98 88 85 c7 85 84 8a 8d 8d $dec 95 c0 = {17 bd bb 16 fd 15ae 14ae 13b4} 12 11 10 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 $a244 = { a0 9b 9b 82 d0 9f 9c 82 8b 99 8b 84 c8 84 87 8b 8a 8c 0396 02c1 0182 00ba ff fe fe fd af fc a9fbb5} fa f9 f8 f7 f6 f5 f4 f3 f2 f1 f0 ef ee ed ec eb ea $a245 = { a1 9c 9a 81 d1 80 9d 81 8a 9e 8a 87 c9 8b 86 88 8b e9 8b e8 97 e7 c2 83 e6 85 e5 ff e4ace3a8e2b2} e1 e0 df de dd dc db da d9 d8 d7 d6 d5 d4 $a246 = { a2 9d 9d 80 d2 81 82 80 89 9f 8d 86 ca 8a 89 89 88 8a d3 90 d2 c3 d1 80 d0 84 cf ce c0 cd ad cc abcb b3}ca c9 c8 c7 c6 c5 c4 c3 c2 c1 c0 bf be bd $a247 = { a3 9e 9c 87 d3 82 83 9f 88 9c 8c 81 cb 89 88 86 89 89 bc91 bbc4 ba81 b987 b8c1 b792 b6aa b5b0} b4 b3 b2 b1 b0 af ae ad ac ab aa a9 a8 a7 $a248 = { ac 9f 9f 86 d4 83 80 9e 97 9d 8f 80 cc 88 8b 87 86 88a6 92a5 c5a4 86a3 86a2 c2a1 93a0 959fb1} 9e 9d 9c 9b 9a 99 98 97 96 95 94 93 92 91 $a249 = { ad 90 9e 85 d5 84 81 9d 96 82 8e 83 cd 8f 8a 84 87 87 90 93 8f 8e c6 8d 87 8c 81 8b c3 8a 90 89 94 88 8e}87 86 85 84 83 82 81 80 7f 7e 7d 7c 7b 7a rule DecodedGenericCLSID : decodedOnly $a250 = { ae 91 91 84 d6 85 86 9c 95 83 91 82 ce 8e 8d 85 84 79 86 78 9c c7 77 84 76 80 75 c4 74 91 73 97 72 8f} 71 70 6f 6e 6d 6c 6b 6a 69 68 67 66 65 64 { $a251 = { af 92 90 8b d7 86 87 9b 94 80 90 9d cf 8d 8c 82 85 85 639d 62c8 6185 6083 5fc5 5e96 5d96 5c8c} 5b 5a 59 58 57 56 55 54 53 52 51 50 4f 4e 4d meta: $a252 = { a8 93 93 8a d8 87 84 9a 93 81 93 9c d0 8c 8f 83 82 84 4c 9e 4b c9 4a 8a 49 82 48 c6 4797 4691 458d} 44 43 42 41 40 3f 3e 3d 3c 3b 3a 39 38 37 impact = 0 $a253 = { a9 94 92 89 d9 88 85 99 92 86 92 9f d1 93 8e 80 83 83 36 9f 35ca 348b 338d 32c7 3194 3090 2f 8a} 2e 2d 2c 2b 2a 29 28 27 26 25 24 23 22 21 strings: $a254 = { aa 95 95 88 da 89 8a 98 91 87 95 9e d2 92 91 81 80 20 82 1f 981e cb1d 881c 8c1b c81a 9519 9318 8b}17 16 15 14 13 12 11 10 0f 0e 0d 0c 0b 0a $gen = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase $a255 = { ab 96 94 8f db 8a 8b 97 90 84 94 99 d3 91 90 9e 81 81 09 99 08 cc 07 89 06 8f 05c9 049a 0392 0288} 01 00} condition: condition: condition: 1 of them any of them $inc or $dec } } } rule kernel32_dll_xor_exe_key_167 { meta: author = "sconzo@visiblerisk.com" description = "xor encoded executable" string = "kernel32.dll" key = "167" byte_encode = true strings: $a = { cc c2 d5 c9 c2 cb 94 95 89 c3 cb cb } condition: $a }

rule KERNEL32_dll_xor_exe_key_239 { meta: author = "sconzo@visiblerisk.com" description = "xor encoded executable" string = "KERNEL32.dll" key = "239" byte_encode = true strings: $a = { a4 aa bd a1 aa a3 dc dd c1 8b 83 83 } condition: $a }

rule XOR_embeded_exefile_xored_with_round_256_bytes_key //Yara Exchange: Distribution and sharing prohibited without author's consent. Contact: yara@deependresearch.org { rule KERNEL32_dll_xor_exe_key_239 meta: { author = "villys777@gmail.com" meta: description = "executable encoded with increment author = "sconzo@visiblerisk.com" or decremented one byte xor key" decription = "extension PDF,XLS,DOC,PPT" description = "xor encoded executable" source = "Yara Exchange" string = "KERNEL32.dll" date = "2012-07" key = "239" byte_encode = true byte_encode = true strings: $inc = {00 01 02 03 04 05 06 07 08 09 0astrings: 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 3 $dec = {17 16 15 14 13 12 11 10 0f 0e 0d$a 0c=0b { a4 0aaa 09bd 08a1 07aa 06a3 05dc 04dd 03c1 028b 0183 0083 ff fe } fd fc fb fa f9 f8 f7 f6 f5 f4 f3 f2 f1 f0 ef ee ed ec eb ea e9 e8 e7 e6 e5 e4 e3 e2 e1 e condition: condition: $inc or $dec $a } }

rule xor_0xa7_kernel32_dll {strings: $a={ cc c2 d5 c9 c2 cb 94 95 rule 89xor_0xa7_This_program c3 cb cb } condition: $a }{strings: $a={ f3 cf ce d4 87 d7 d5 c8 c0 d5rule c6 xor_0xa7_This_program ca } condition: $a } {strings: $a={ f3 cf ce d4 87 d7 d5 c8 c0 d5 c6 ca } condition: $a } rule dyndns_a_la { strings: $a = "a.la" condition: $a } rule MSIEUseAfterFreePeersDll rule MSIEUseAfterFreePeersDll { { meta: meta: ref = "CVE-2010-0806" rule ShellcodePattern ref = "CVE-2010-0806" hide = true { hide = true impact = 5 meta: impact = 5 strings: impact = 1 //while testing strings: rule DecodedGenericCLSID : decodedOnly $cve20100806_1 = "createElement" nocase fullword hide = true $cve20100806_1 = "createElement" { nocase fullword $cve20100806_2 = "onclick" nocase fullword rule pdf_document strings: $cve20100806_2 = "onclick" meta: nocase fullword $cve20100806_3 = "setAttribute" nocase fullword { $unescape = "unescape" fullword nocase$cve20100806_3 = "setAttribute" impact = 0 nocase fullword $cve20100806_4 = "window.status" nocase fullword strings: $shellcode = /%u[A-Fa-f0-9]{4}/ $cve20100806_4 = "window.status" strings: nocase fullword $cve20100806_5 = /getElementById[^<>;]+\.onclick/ nocase $a = "%PDF-" $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ $cve20100806_5 = /getElementById[^<>;]+\.onclick/ $gen = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase nocase condition: condition: condition: condition: condition: all of them $a at 0 ($unescape and $shellcode) or $shellcode5 all of them 1 of them } } } } } rule dyndns_ath_ro { strings: $a = "ath.ro" condition: $a }

"rule ShellcodePattern { meta: impact = 1 //while testing hide = true strings: $unescape = ""unescape"" fullword nocase $shellcode = /%u[A-Fa-f0-9]{4}/ $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ condition: ($unescape and $shellcode) or $shellcode5 } "

rule MSIEUseAfterFreePeersDll { meta: ref = "CVE-2010-0806" rule ShellcodePattern hide = true { impact = 5 meta: strings: rule DecodedGenericCLSID impact =: 1decodedOnly //while testing $cve20100806_1 = "createElement" nocase { fullword hide = true $cve20100806_2 = "onclick" nocase fullword meta: strings: $cve20100806_3 = "setAttribute" nocase impact fullword= 0 $unescape = "unescape" fullword nocase $cve20100806_4 = "window.status" nocase strings: fullword $shellcode = /%u[A-Fa-f0-9]{4}/ $cve20100806_5 = /getElementById[^<>;]+\.onclick/ $gen = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ nocase condition: condition: condition: all of them 1 of them ($unescape and $shellcode) or $shellcode5 } } } rule dyndns_ath_ro { strings: $a = "ath.ro" condition: $a }

Author: Francois Paget www.avertlabs.com "An Overview of Exploit Packs." Additions by Mila P (contagiodump.blogspot. com) with many thanks to Gunther from ARTeam (www. accessroot.com) for his help. REFERENCES McAfee Francois Paget Malwaredomainlist.com www.hackforums.net Jorge Mieres Brian Krebs KrebsonSecurity Jorge Mieres malwareint.blogspot.com Malwarereview.com exploit.in Malwarereview.com damagelab.org damagelab.org malwareint.blogspot.com mipistus.blogspot.com malwareint.blogspot.com

An Overview of Exploit Packs Crimepack 2.2.1 Crimepack 2.8. Crimepack 3.0 CRiMEPACK Zombie Exploit Gets Upgrades Eleonore 1.3. A Peek Inside the ‘Eleonore’ Browser Exploit Kit State of the art in Eleonore Exploit Pack Impassioned Framwork Phoenix exploit pack v2 Unique exploit pack v.2.1 Unique Pack Sploit v.2 Eleonore 1.4.1 JustExploit ZoPAck Fragus v1 Siberia. Intelligence and operational level by Siberia Exploit Jamieres http://www.offensivecomputing.netPack malwareview.com Liberty 1.0.7 exploit system kit WHB · Liberty 2.1.0 exploit system kit damagelab.org Lupit exploit pack malwareview.com http://malwareview.com/index.php?topic=775 http://malwareint.blogspot.com/2010/05/intelligence-andmalwareint.blogspot.com operational-level-by.html http://secniche.blogspot.com/2010/10/phoenix-exploit-kit-24Malware at Stake Aditya K Sood analysis.html

Analysis 5/28/2010 Ad 3/18/2010 Ad 4/10/2010 Analysis 5/26/2010 Analysis 1/25/2010 Analysis 4/10/2010 Ad 5/24/2010 Analysis 4/21/2010 Ad 10/19/2009 Ad 10/6/2009 Ad Analysis 11/29/2009 Analysis 11/2/2009 Analysis 8/15/2009

http://malwareint.blogspot.com

Analysis 10/6/2010

http://whsbehind.blogspot.com http://evilcodecave.blogspot.com http://blog.ahnlab.com

Eleonore Exploit Pack. New version http://whsbehind.blogspot.com/2010/09/new-linkedin-phishingcampaign-with-seo.html http://evilcodecave.blogspot.com/2010/06/reverseengineering-of-seo-sploit-kit.html http://blog.ahnlab.com/asec/366 (I think javad listed by ahnlab as CVE-2009-1493 is actually CVE-2008-5353 - let me know if I am wrong here)-Mila

Analysis 5/29/2010 Ad 9/29/2009 Ad 12/23/2009 Ad 5/28/2010 Ad 7/21/2010 Analysis

5/5/2010

Analysis 10/15/2010

Analysis 9/29/2010 Analysis 6/29/2010 Analysis 7/20/2010

http://forum.hackersoft.ru/showthread.php? t=13732 http://forum.hackersoft.ru/showthread.php?t=13732

Bleeding life

Websense Blackhole exploit kit decoded Tex comment on contagio Incognito

WildWildWest Update Eleonore 1.6.3a Eleonore 1.6.4 Tex comment on contagio Phoenix2.7 "Dloader" or ? Uknown name nuclear pack Robopak Blackhole exploit kit 1.1.0 Mushroom/unkow Open Source Exploit kit Bomba Papka Merry Christmas Pack Best Pack Sava LinuQ LinuQ LinuQ Eleonore 1.6.5 Zero pack Zero pack Beleeding Life 3 Blackhole 1.2.0 Blackhole 1.2.1 Sakura Exploit Pack 1.0 Phoenix 2.8 mini Fragus black Hierarchy Exploit pack Siberia Explot pack Techno Xpack Yang Pack Blackhole Exploit Kit 1.2.3 Blackhole Exploit Kit 1.2.3 Eleonore Exploit Kit 1.8.91 Incognito Exploit Pack v.2 Phoenix Exploit Kit v3.1 Chinese Zhi Zhu Pack Gong Da Pack Dragon Pack

Sakura 1.1 Nucsoft Blackhole 2 Blackhole 2

Blackhole 1.2.5

It still has this http://www.metasploit. com/modules/exploit/multi/browser/java_signed_applet) 2.0 Phoenix 2.3 - Ted said... Phoenix Exploit’s Kit v2.3. It was released in early 07-y 2010 at a cost of USD 2.200. One of the most important changes in this release was PDF libtiff support the use of bypass ASLR, DEP more for PDF file reader Adobe Reader on your version 8.0-9.3.0 for Windows Vista and Windows7. Blackhole exploit kit http://pastebin.com/shAEj8XK Incognito http://www.kahusecurity.com/2011/incognito-exploit-kit http://www.kahusecurity.com/wpcontent/uploads/2011/05/384x1500xwildwildwest_0511.jpg. pagespeed.ic.pw5QWio8Au.jpg http://www.opensc.ws/unverified-listings/13041-eleonore-expactual-exploits-pack.html http://www.forum.zloy.bz/showthread.php?t=124798 Go1pack http://scriptkiddiesec.blogspot.com/ http://damagelab.org/lofiversion/index.php?t=20852 http://forum.zloy.bz/archive/index.php?t-28859.html http://zae-biz.com/showthread.php?139-svjazka-Robopak. html http://zae-biz.com/showthread.php?108-Black-Hole-ExploitsKit-svjazka-jeksplojjtov.html http://www.kahusecurity.com/2011/new-unknown-exploit-kit-2/ http://www.kahusecurity.com/2011/metasploit-pack/ /www.kahusecurity.com /www.kahusecurity.com maymaym http://www.kahusecurity.com/2011/best-pack/ http://www.kahusecurity.com/2011/sava-exploits-pack/ https://damagelab.org/index.php?showtopic=21876 http://www.xaker.name/forvb/showthread.php?p=153371 pack http://hacker-pro.net/showthread.php?t=30721 http://www.opensc.ws/trojan-malware-samples/13246-zeroexploit-kit.html pack http://www.opensc.ws/unverified-listings/16175-bleedinglife-30-free-updates-amazing-features.html http://xylibox.blogspot.com/2011/09/blackhole-exploit-kit-v120. html

Blog Ted comment Analysis 02-'11 Analysis 04-'11 Analysis Analysis 04-'11

Analysis Ad 04-'11 ad 04-'11 Analysis 04-'11 ad ad ad ad

03-'11

ad 04-'11 Analysis 05-'11 Analysis 05-'11

Analysis 08-'11 Analysis 06-'11 Analysis 06-'11 Ad 07-'11 Ad 07-'11 ad reprint 05-'11? Ad discussion 02-'11? 02-'11? Ad

08-'11

Ad/analysis 09-'11

http://xylibox.blogspot.com/2011/12/blackhole-v121.html Ad/analysis 09-'11 http://xylibox.blogspot.com/2012/01/sakura-exploit-pack-10. html Ad/analysis 01-'12 http://malwareint.blogspot.com/2011/10/inside-phoenixexploits-kit-28-mini.html Ad/analysis 11-'11 from the pack contents 01-'12 kahusecurity.com - via email 01-'12 kahusecurity.com - via email 01-'12 kahusecurity.com - via email 01-'12 kahusecurity.com - via email 01-'12 Kahu Security 03-'12 F-Secure 03-'12 Kahu Security 03-'12 re Atomic Java saw pcap and off the record email from a researcher 03-'12 via Malware Don't Need Coffee 04 '12 via Kahu Security 02-'12 Kahu Security 03-'12 DaMaGeLab 12-'10 https://damagelab.org/index.php? showtopic=22663&pid=131743&st=0&#entry131743 http://prologic.su/topic/8484-kuplju-svjazku/ http://pastebin.com/DjGi7iyf Blackhole Exploit Kits update to v2.0 | Malware don't need Coffee http://malware.dontneedcoffee.com/2012/07/cve-2012-1723on-bh-ek.html#!/2012/07/cve-2012-1723-on-bh-ek.html + plus seller ads

08-'12 12 09-'12 09-'12

08-'12

http://malware.dontneedcoffee.com/2012/08/cve-2012-4681sweet-orange.html 09-'12 http://damagelab.org/lofiversion/index.php?t=22705 04-'12 http://exploit.in/forum/index.php?showtopic=57286&st=20 9-'12 http://www.kahusecurity.com/2012/crimeboss-exploit-pack/ 9-'12 http://www.kahusecurity.com/2012/neosploit-gets-java-0-day/ http://exploit.in/forum/index.php?showtopic=14526&st=60 4'12 http://www.binrand.com/post/2657885-cve-firefox-phoenixPhoenix 3.1.15 exploit-pack.html 07-'12 No Name http://pastebin.com/TV5MSUpu 09-'12 http://www.binrand.com/post/3616076-cve-java-cve-2010No Name 0188-pdf-libtiff-cve-2012-1723.html 09-'12 Cool exploit pack http://malware.dontneedcoffee.com/2012/10/newcoolek.html 10-'12 http://malware.dontneedcoffee.com/2012/08/cve-2012-4681Redkit redkit-exploit-kit-i-want.html 08-'12 http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears. Redkit html 05-'12 AssocAid http://twitter.yfrog.com/z/odzi7yep (mentioned by Brian Krebs) 09-'12 Cool Exploit Kit via Malware Don't Need Coffee 01-'13 CVE-2013-0422 via Malware Don't Need Coffee 01-'13 Sweet Orange via Malware Don't Need Coffee 12-'12 Whitehole Exploit Kit via Malware Don't Need Coffee 02-'13 Red Dot Exploit Kit via Malware Don't Need Coffee 01-'13 Styx 2.0 via Malware Don't Need Coffee 12-'12 Impact Exploit Kit via Malware Don't Need Coffee 11-'12 CVE-2013-0431 via Metasploit Blog 02-'13 http://eromang.zataz.com/2013/02/26/gong-da-gondadGong Da CVE-2013-0633 exploit-pack-add-flash-cve-2013-0633-support/ 02-'13 http://malware.dontneedcoffee. Popads com/2013/02/jre17u15unpatchedvuln.html 02-'13 http://blogs.mcafee.com/mcafee-labs/red-kit-an-emergingRedkit CVE-2012-1723 exploit-pack 01--'13 http://malware.dontneedcoffee.com/2012/11/meet-critxpackCritXPack previously-vintage-pack.html 03-'13 http://www.malwaresigs.com/2013/02/09/critxpack-adds-cveCritXpack CVE-2012-4792 2012-4792/ 03-'13 Sweet Orange @kafeine: CVE-2013https://twitter. 0431. No Serialization. com/kafeine/status/306519884894973953/photo/1 02-'13 http://pastebin.com/WXtgUHA6 KAFEINE ON JAN 25TH, Coolpack cve-2012-1876,1889,4792 2013 01-'13 http://malware.dontneedcoffee.com/2013/03/hello-neutrinoNeutrino just-one-more-exploit-kit.html 03-'13 http://malware.dontneedcoffee.com/2013/01/news-bullets-cve2012-0775-cve-2012.html http://malware.dontneedcoffee.com/2013/03/cve-2013-0634Coolpack CVE-2013-0634 adobe-flash-player.html 03-'13 http://malware.dontneedcoffee.com/2013/03/cve-2013-1493Coolpack CVE-2013-1493 jre17u15-jre16u41.html 03-'13 http://www.invincea.com/2013/02/popular-site-speedtest-netG01pack compromised-by-exploitdrive-by-stopped-by-invincea/ 02-.13 http://malware.dontneedcoffee.com/2013/04/meet-safe-packSafe Pack v2.0 v20-again.html 04-'13 http://malware.dontneedcoffee.com/2013/04/cve-2013-2423Coolpack CVE-2013-2423 integrating-exploit-kits.html 04-'13 https://twitter. Whitehole CVE-2013-1493 com/PhysicalDrive0/status/327108913797402624 04-'13 CVE-2013-2423 in CritX,CrimeBoss , Cool https://twitter.com/TimoHirvonen/status/327052978127269888 04-'13 http://1.bp.blogspot.com/Alpha pack NBeH_NIZFEE/UKZfCZvF3bI/AAAAAAAAMTE/FC9u0HKypcM/s1600/16-11-2012+16-42-07.jpg 10-'12 http://www.kahusecurity.com/page/2/? CVE-2013-0422 in Impact Pack wptouch_redirect=uyjxqcte 01-'13 SPL pack http://ondailybasis.com/blog/?p=1774 01-'13 https://urlquery.net/report.php?id=1229289 Serenity pack http://www.xylibox.com/2012/11/serenity-exploit-kit.html 11-'12 http://eromang.zataz.com/2013/02/26/gong-da-gondadGong Da CVE-2013-0634 exploit-pack-add-flash-cve-2013-0634-support/ 02-'13 Gong Da CVE-2013-1493 , CVE-2012http://eromang.zataz.com/2013/04/15/gong-da-gondad4792,CVE-2012-4969 exploit-kit-add-java-cve-2013-1493-ie-cve-2012-4969-support/ 04-'13 http://www.symantec.com/connect/blogs/java-exploit-cveremoved 04-25-2013 Kafeine confirmed that Symantec and F-Secure Redkit CVE-2013-2423 2013-2423-coverage 04-'13 reports are incorrect Redkit, Sibhost, nuclear, Cool CVE-2012- http://malware.dontneedcoffee.com/2012/11/cve-2012-50765076 massively-adopted.html 11-'12 http://eromang.zataz.com/2012/12/02/cool-exploit-kit-removeCool CVE-2012-1723 support-of-java-cve-2012-1723/ 12-'12 http://eromang.zataz.com/2012/12/05/kaixin-exploit-kitKaixin evolutions/ 12-'12 http://malware.dontneedcoffee.com/2013/02/cve-2013-0431CVE-2013-0431 java-17-update-11.html 02-.13 Crimeboss http://ondailybasis.com/blog/?p=1890 03-'13 http://community.websense. com/blogs/securitylabs/archive/2013/03/25/how-are-javaStyx attacks-getting-through.aspx 03-'13 Neutrino cve-2013-2423 https://twitter.com/kafeine/status/328099177106112513 04-.13 Sweet Orange cve-2013-2423 https://twitter.com/kafeine/status/328155237233852416 04-.13 Sakura cve-2013-2423 https://twitter.com/kafeine/status/328116559161741313 04-.13 Styx cve-2013-2423 https://twitter.com/kafeine/status/328220568883167232 04-.13 https://twitter. Whitehole cve-2013-2423 com/PhysicalDrive0/status/327108913797402624 04-.13 RedKit CVE-2013-2423 https://gist.github.com/jurg/8c49b2f11da4753a1174 04-.13 http://malware.dontneedcoffee.com/2013/03/hello-neutrinoNeutrino CVE-2013-1493 just-one-more-exploit-kit.html 3/13/2013 http://malware.dontneedcoffee.com/2013/08/cve-2013-2465CVE-2013-2465 integrating-exploit-kits.html?q=Neutrino 08-13 http://malwageddon.blogspot.nl/2013/09/unknown-ek-by-wayLightsOut how-much-is-fish.html 09-'13 http://blogs.cisco.com/security/watering-hole-attacks-targetLightsOut energy-sector/ 09-'13 https://blog.avast.com/2013/11/20/fallout-from-nuclear-packNuclear exploit-kit-highly-toxic-for-windows-machines/ 11-'13 http://vrt-blog.snort.org/2013/11/im-calling-this-goon-exploitGoon kit-for-now.html 11-'13 http://blog.fox-it.com/2013/03/06/seen-in-the-wild-updatedNice Pack exploit-kits/ 03-'13 Redkit http://www.kahusecurity.com/2013/digging-deeper-into-redkit/ 05-'13 http://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kitRedkit part-2/ 05-'13 http://www.kahusecurity.com/2013/analyzing-dotkachefDotkaChef exploit-pack/ 12-'13 http://blog.fox-it.com/2013/08/01/analysis-of-maliciousFlimkit advertisements-on-telegraaf-nl/ 08-'13 http://malware.dontneedcoffee.com/2013/08/cve-2013-2465Flimkit integrating-exploit-kits.html 08-'13 http://www.kahusecurity.com/2013/deobfuscating-magnitudeMagnitude / Death Touch exploit-kit/ 11-'13 Magnitude / Death Touch http://malware.dontneedcoffee.com/2013/10/Magnitude.html 10-'13 http://malware.dontneedcoffee.com/2013/11/cve-2013-2551Magnitude / Death Touch and-exploit-kits.html 11-'13 http://malware.dontneedcoffee.com/2013/07/pep-new-bep. Private EK html 07-'13 http://malware.dontneedcoffee.com/2013/09/jre7u21-andPrivate EK cve-2013-2460 earlier-click-2-play.html 09-'13 http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek. Cool/Styxy html 07-'13 Sweet orange Sweet orange Grandsoft Crimeboss Neosploit Nuclear pack 2.0

Cool/Styxy Styx (aka Kein) Styx Styx CVE-2013-2472 Styx CVE-2012-1723, CVE-2013-2463, CVE-2013-2460 Angler Angler CVE-2013-2551 Angler CVE-2013-0634 Himan EK 2013-2551 in many Neutrino Neutrino Neutrino Fiesta Fiesta CVE-2010-0188 Fiesta CVE-2013-0634 Nuclear Flashpack Flashpack CK CK CK CK Zuponcic Kore

http://blog.trendmicro.com/trendlabs-security-intelligence/styxexploit-pack-how-it-works/ http://malware.dontneedcoffee.com/2013/11/inside-the-simdaaffiliate-podmena.html http://malforsec.blogspot.com/2013/04/styx-exploit-kitanalysis-building.html https://twitter.com/kafeine/status/382544788664221696 http://eternal-todo.com/blog/styx-exploit-kit-simda http://malware.dontneedcoffee.com/2013/11/cve-2013-0074silverlight-integrates.html http://malware.dontneedcoffee.com/2013/11/cve-2013-2551and-exploit-kits.html http://malware.dontneedcoffee.com/2013/03/cve-2013-0634adobe-flash-player.html http://malware.dontneedcoffee.com/2013/10/HiMan.html http://malware.dontneedcoffee.com/2013/11/cve-2013-2551and-exploit-kits.html?q=neutrino http://malware.dontneedcoffee.com/2013/09/jre7u21-andearlier-click-2-play.html?q=neutrino http://malware.dontneedcoffee.com/2013/08/cve-2013-2465integrating-exploit-kits.html?q=neutrino http://malforsec.blogspot.com/2013/09/neutrino-exploit-kit-notso-exploity.html http://malware.dontneedcoffee.com/search?q=Fiesta http://malware.dontneedcoffee.com/2013/07/urausyransomware-07-y-2013-design.html?q=Fiesta http://malware.dontneedcoffee.com/2013/03/cve-2013-0634adobe-flash-player.html?q=Fiesta https://blog.avast.com/tag/exploit-kit/ http://malware.dontneedcoffee.com/2013/04/meet-safe-packv20-again.html http://malware.dontneedcoffee.com/2013/11/cve-2013-2551and-exploit-kits.html http://www.cysecta.com/2013/12/16/ck-exploit-kit-in-late-2013/ http://www.cysecta.com/2013/04/14/the-ck-exploit-kit-netbooms-metamorphosis/ CK http://www.kahusecurity.com/2013/deobfuscating-the-ckexploit-kit/ http://www.cysecta.com/2013/05/22/ck-exploit-kit-in-early2013/ http://blog.fox-it.com/2013/12/19/not-quite-the-averageexploit-kit-zuponcic/ http://www.kahusecurity.com/2013/kore-exploit-kit/

09-'13 11-'13 04-'13 09-'13 10-'13 11-'13 11-'13 03-'13 10-'13 11-'13 09-'13 08-'13 09-'13 01-'14 08-'13 03-'13 11-'13 04-'13 11-'13 12-'13 04-'13 09-'13 05-'13 12-'13 07-'13

http://malware.dontneedcoffee.com/2013/08/cve-2013-2465integrating-exploit-kits.html 08-'13 http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft. html 09-'13 Sakura http://malware.dontneedcoffee.com/2013/09/jre7u21Sakura and-earlier-click-2-play.html 09-'13 http://malware.dontneedcoffee.com/2013/08/cve-2013-2465Sakura integrating-exploit-kits.html?q=sakura 08-'13 http://malware.dontneedcoffee.com/2013/08/cve-2013-2465Cool EK (Kore-ish) integrating-exploit-kits.html 08-'13 Topic http://www.malwaresigs.com/2013/05/31/topic-exploit-kit/ 05-'13 http://malware.dontneedcoffee.com/2013/08/cve-2013-2465Glazunov integrating-exploit-kits.html 08-'13 Rawin http://pastebin.com/KU70Mkth 08-'13 White Lotus http://archive.is/N2YwZ 11-'13 http://webcache.googleusercontent.com/search?q=cache:http: //comments.gmane.org/gmane.comp.security.ids.snort. White Lotus CVE-2013-2551 emerging-sigs/20321 11-'13 http://malware.dontneedcoffee.com/2013/08/cve-2013-2465Sweet Orange CVE-2013-2471 integrating-exploit-kits.html 08-'13 http://www.cysecta.com/2013/03/30/the-last-net-boom-exploitNetboom packs/ 03-'13 http://malware.dontneedcoffee.com/2013/04/cve-2013-2423Sibhost integrating-exploit-kits.html?q=sibhost 04-'13 http://malware.dontneedcoffee.com/2013/09/jre7u21-andKore CVE-2013-2460 earlier-click-2-play.html 09-'13 Kore Exploit Kit in action (CVE-2013-2423) http://www.youtube.com/watch?v=_NvOR-Wm2s0 08-'13 http://blogs.technet.com/b/mmpc/archive/2013/05/07/cve2012-1876-recent-update-to-the-cool-exploit-kit-landing-page. Cool EK aspx 05-'13 http://www.youtube.com/watch? Nuclear 3 v=6RFHMEZTA1k&list=PLhQcVYGWsmtBuswBbQNH2xwqhc-kVwuzf&index=4 07-'13 Fiesta http://malware-traffic-analysis.net/2014/01/01/index.html 01-'13 http://malware.dontneedcoffee.com/2013/04/cve-2013-2423StampEK CVE-2013-2423 integrating-exploit-kits.html?q=Stamp 04-'13 http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft. Grandsoft CVE-2013-0422 html?q=Stamp 09-'13 http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft. Grandsoft CVE-2013-2463 html?q=Stamp 09-'13 http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft. Grandsoft CVE-2013-0188 html?q=Stamp 09-'13 http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft. Grandsoft CVE-2011-3544 html?q=Stamp 09-'13 Topic http://www.malwaresigs.com/2013/05/31/topic-exploit-kit/ 05-'13 http://malware.dontneedcoffee.com/2013/04/cve-2013-2423Sweet Orange CVE-2013-2423 integrating-exploit-kits.html?q=sweet+orange 04-'13 http://malware.dontneedcoffee.com/2013/11/cve-2013-0074Fiesta silverlight-integrates.html?q=fiesta 01-'14 x2o http://malware.dontneedcoffee.com/search?q=x2o 08-'13 Redkit http://www.kahusecurity.com/2014/the-resurrection-of-redkit/ 01-'14 http://malforsec.blogspot.com/2013/12/merry-christmasGondad / Gong da cve-2013-3897 gondad-style.html 12-'12 http://nakedsecurity.sophos.com/2012/11/16/blackholeBlackhole copycats and versions confusion-custom-builds-or-copycats/ http://malware.dontneedcoffee.com/2014/01/cve-2013-3918Nuclear CVE-2013-3918 integrates-exploit-kits.html 01-'14 Crimeboss https://twitter.com/TimoHirvonen/status/385849185376808960 10-'13 x2o (Redkit Light) Grandsoft

Legend Black - Francois Paget Red - Gunther Blue - Mila Green - L0NGC47 Purple - Fibon

CVE

slang/shorthand Exploit via / (CLICK ON filetype / CELLS 2 SEE product TEXT)

Exploit Description

Pack Release Date CVE-20000495 CVE-20030111 CVE-20041043 CVE-20040549 CVE-20040636 CVE-20040380 CVE-20052127 CVE-20052265 CVE-20050055 CVE-20060003 CVE-20060003/20064704 CVE-20060005 CVE-20061359 CVE-20063643 CVE-20063677 CVE-20063730 CVE-20064704 CVE-20064777 CVE-20064868 CVE-20065559 CVE-20065650 CVE-20065745 CVE-20065820 CVE-20066884 CVE-20070015 CVE-20070018 CVE-20070024 CVE-20070038 CVE-20070071 CVE-20072222 CVE-20070243 CVE-20073147/3148 CVE-20074034 CVE-20074336 CVE-20075327 CVE-20075659/20080655 CVE-20075755 CVE-20075779 CVE-20076250 CVE-20080015 CVE-20080624 CVE-20081309 CVE-20081472 CVE-20082463 CVE-20082992 CVE-20083008 CVE-20084844 CVE-20085178 CVE-20085353 CVE-20090075/0076 CVE-20090355 CVE-20090836 CVE-20090927 CVE-20091136 CVE-20091148 CVE-20091149 CVE-20091150 CVE-20091151 CVE-20091538 CVE-20091671 CVE-20091862 CVE-20091869 CVE-20092477 CVE-20093269 CVE-20093867

MS WME

AOL Instant Messenger

Zero ( Merry Black Phoenix Open Eleonore EleoNore EleonoreEleonore1.4.4 Eleonore Eleonore PhoenixPhoenix PhoenixPhoenix PhoenixPhoenixPhoenixFragusFragus Christmas hole 2.8 Source LinuQ 1.6.5 1.6.4 1.6.3a Mod 1.4.1 1.3.2 2.7 2.5 2.4 2.3 2.2 2.1 2.0 Black 1 PEK v2. 1.0.0 mini kit 3 mod mod?)

12-'1109-'1104-'1108-'1005-'11? 02-'11 02-'11

07-'09

0? -'10

07-'10

2011 07-'0902-'11? 08-'11 07-'11 07-'11 06-'11 old

YES YES

IE

MS IE _ MSHTML IE6

AOL

AOL _ Instant Messenger goaway Overflow MS OUTLOOK EXPRESS MHTML URL Processing Vulnerability COM Object Instantation Memory Corruption (Msdssdll) FIREFOX MOZILLA NETSCAPE MFSA2005-50 - Firefox Install VersioncompareTo IE 5.01, 5.5, and 6 DHTML Method Heap Memory Corruption Vulnerability MS06-014 for lE6/Microsoft Data Access Components (MDAC) Remote Code Execution

FF

IE IE MS WMP

YES YES YES YES

YES

YES

YES

YES

YES

YES

YES

YES

Internet Explorer COM CreateObject Code Execution MS06-006 - Windows Media Player plug-in vulverabiIity for Firefox & Opera

YES

YES

YES

YES

YES

YES

YES

YES

YES

?

MS06-013 - CreateTextRange Microsoft Management Console (MMC) Redirect CrossSite Scripting (XSS) vulnerability (IE) Firefox -js navigator Object Code

YES

YES

YES YES

YES

YES

NO

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES YES YES

YES

YES

NO

YES

YES YES

YES

YES

YES

YES

YES

YES YES

YES

Javad0—JRECalendar Java Deserialize

YES

YES

IE 7

MS09-002 - lE7 Memory Corruption Firefox Components/sessionstore/src/nsSessionStore.js

YES

YES

FIREFOX PDF ADOBE/FOXIT

JAVA GSB JAVA Sun Java JRE AWT SetDiff ICM Buffer Overflow JAVA

CVE-20093958

download mgr

NOS Microsystems

YES

YES

YES

YES YES

YES

YES YES YES

YES

YES YES YES

YES

YES

YES

YES

YES YES YES NO Removed YES YES

YES YES YES

YES YES YES

YES

YES

YES

YES YES

YES

YES

optional optional YES

YES

NORemoved YES YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES YES YES

YES

YES YES YES

YES

YES

YES

YES YES YES

YES

YES

YES YES

NO

YES YES YES

YES

YES YES

YES

YES YES YES

YES

YES

YES

YES YES YES

NO removed YES

YES

YES

YES

YES

YES

YES

YES YES YES/Generator

YES

YES

YES YES YES

YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES YES YES

YES

YES

YES

YES

YES YES YES

YES YES YES

YES YES

YES

YES YES YES

YES

YES

YES YES YES

YES YES

YES YES

YES

YES

YES

YES

YES

YES YES

YES

YES YES YES

YES

YES

YES YES YES

YES

YES YES

YES

YES

YES

YES

YES

YES YES

YES

YES YES

YES YES

YES YES

YES (?) YES (?) YES (?) YES YES

YES YES

YES YES YES

Firefox - Font tags | Firefox 3.5 escape() Return Value Memory Corruption

YES

Telnet for Opera Th3270

YES

Sun Java JRE AWT SetDiff ICM Buffer Overflow buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat

YES

YES

Adobe Reader - Foxit Reader PDF OPEN

Java Runtime Env. getSoundBank Stack BOF

YES YES

YES

firefoxdiffer

CVE-20093869

YES

YES

IE7 MEMCOR

SWF

YES

YES

YES

Flash 10 SWF Mozilla FF 3.5 Exploit / font tags | FF escape retval FIREFOX TELNET - for OPERA 9.0 9.25 or OPERA OPERA

YES

YES YES YES

YES

Static code injection vulnerability in setup.php MS09-028 Microsoft DirectShow Remote Code Execution. Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll Memory corruption via a crafted Flash application in a .pdf file or a crafted .swf file (authplay.dll) Integer overflow in the AVM2 abcFile parser in Adobe Flash Player

YES

YES

YES

Heap-based buffer overflow in Opera 9.62

JAVA

YES

YES YES YES

Internet Explorer 7 XML Exploit

QUICKTIME

YES

YES

Windows Media Encoder Buffer Overrun Vulnerability

PHPMYADMIN

YES

YES

YES

IE 7

CRLF injection vulnerability Multiple cross-site scripting (XSS) vulnerabilities in the export page

YES

YES

MS WME

PHPMYADMIN

YES

YES

YES YES

Opera 9.62 OPERA JAVA JRE / Javad0 / Javado / Java Calendar / javaold/JavaSr0 JAVA

PHPMYADMIN

YES

YES YES YES

PDF Exploit• util.printf

Directory traversal vuln in bs_disp_as_mime_type.php

YES

YES YES

PDF

PHPMYADMIN

YES

YES

YES

IE - MSACCESS M508-041 - MS Access Snapshot Viewer

IE

YES

YES

YES

util.printf

spreadsheet PMA phpmyadmin PMA phpmyadmin PMA phpmyadmin PMA phpmyadmin

YES

YES

AOL Radio AmpX Buffer Overflow Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player (GOM Player) AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability

PDF Exploit- collab.getlcon MSO9-043 - lE OWC Spreadsheet ActiveX control Memory Corruption

YES

YES

YES

YES

PDF

YES

YES

m_Cor_n / MS Office Snapshot/IE snapshot or activexbundle

PDFOPEN PDF collab. getIcon / pdf-gi

YES

YES YES YES

DirectX - DirectTransform FlashPix ActiveX (IE) CA BrightStor ARCserve Backup Multiple VulnerabiIities

BrightStor ARCserve Backup R11.5

YES

YES

DirectX

ARCSERVE

YES YES

YES

Java GIF file parsing vulnerability

REAL PLAYER

YES YES YES

YES

YES

ACTIVEX

YES

YES

Integer overflow in Adobe Flash Player 9 IE -buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2) ActiveVoice (Xvoice.dll) speech controls

MS09-032 DirectX DirectShow (IE) Buffer overflow in the YMP Datagrid ActiveX control (datagrid.dll) in Yahoo! JukeBox RealPlayer ActiveX Control Console Property Memory Corruption

YES YES

YES YES

YES

IE6/IE7 DSHOW IE

YES

YES

Yahoo! Widgets YDP (IE)

AOL

YES

YES YES

YES

Yahoo! Messenger Webcam (IE)

ACTIVEX

YES YES YES

YES

Vector Markup Language Vulnerability (IE) Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow

PDF Exploit -collab, collectEmaillnfo

YES

YES

YAHOO

AOL

YES

YES

YAHOO

collab, collectEmaillnfo PDF

YES

YES

Apple QuickTime RTSP URI (lE) NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow Vulnerability

ARCSERVE

YES YES

YES YES

QUICKTIME

IE

YES

YES

YES

JAVA GIF PARSE JAVA

YES

YES

Winzip FileView ActiveX (IE)

SWF

YES YES

YES

WINZIP

IE

YES

YES

AOL

FLASH 9

YES

YES

YES

Windows ANI LoadAniIcon

YES

YES

Microsoft XML Core Services Vulnerability AOL SuperBuddy ActiveX Control LinkSBlcons() Vulnerability

IE

YES

YES YES

WebViewFolderlcon (IE) Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) DirectAnimation ActiveX Controls Memory Corruption Vulnerability MSO6-055 - Windows Vector Markup Language IE + OUTLOOK Vulnerability MS07-009- lE6/Microsoft Data Access Components IE (MDAC) Remote Code Execution America Online ICQ ActiveX Control Arbitrary File AOL Download and Execute

NCTsoft

YES YES YES

YES

MS VSTUDIO

IE

YES?

YES

IE

iexml

40360 05-'10 05-'10 09-'09 09-'09 06-'0902-'0909-'09

YES

IE

AOL

2010 2010 07-'1005-'1004-'1003-'10

YES

Firefox Jno / JNO FF

DirectX

05-'1105-'11 03-'112010 01-'11 08-'11

Unique Impassioned YES Liberty Pack Liberty EL Framework Salo Exploit 2.1.0 JustExploit ZopackiPack IcepackMpackWebattack Sploit 1.0.7 Fiiesta 1.0 3.0RC * 2.1

MS IE _ MSOS-001 HTML vulnerabilities

IE

IE6 MDAC America Online ICQ ActiveX

Open "Dloader" BleedingBleeding SEO Zombie Best mushroom Crimepack Crimepack Crimepack Crimepack T- Tornado Siberia BombaPapka Source Robopak ? Katrin Life Life DragonNuclear Sploit Infection Lupit Pack unkNOwn 3.1.3 3.0 2.2.8 2.2.1 Iframer(Incomplete) /MetaPack UkNOwnname 3.0 2.0 pack kit

IE

IE

WMI Object Broker

Sava / Pay0C

MS VM

IE

IE COM CreateObject FF EMBED / MS06-006

Black hole 1.1.0

YES

IE

mdac

Black hole 1.2.0

MS WME Malformed Windows Media Encoder Request MS VM M503-O11 - ByteCode Verifier component flaw in Microsoft VM

MS OUTLOOK

FF CompareTo

Black hole 1.2.1

YES

YES

YES

YES

YES

YES

YES

YES

YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES ?

YES NO removed YES

YES

YES

YES

YES

YES

YES YES

YES

YES YES YES

NO

YES YES YES

YES

YES YES

YES

YES YES

YES (temp off) YES YES

YES

YES

CVE-20094324 CVE-20100188 CVE-20100249 CVE-20100094 CVE-20100483 CVE-20100806 CVE-20100805

PDF mediaNewPlayer / pdf-mp PDF PDF Libtiff / Lib

PDF

Aurora

IE

javarmi JAVA IE Winhlp32.exe MsgBox IE

CVE-20100840

IEPeers msiemc IE IE Tabular Data Control ActiveX IE JAVA TC (?) javagetval OBE Java invoke / Java Trust JAVA

CVE-20100842

JAVA MIDI Java OBE

CVE-20100886

JAVA SMB / JAVA JDT JAVA

CVE-20101240 CVE-20101297 CVE-20101423 CVE-20101818 CVE-20101885 CVE-20102883 CVE-20102884 CVE-20103552 CVE-20103653 CVE-20103654 CVE-20103962 CVE-20103971 CVE-20104452 OSVDB61964

PDFOPEN

PDF

PDF SWF

SWF

javanew JWS

JAVA

QuickTime 6.x, 7.x

QUICKTIME

hcp PDF FONT / Cooltype

CVE-20110611 CVE-20111255 CVE-20112110 CVE-20112140 CVE-20112462 CVE-20113521 CVE-20113544 CVE-20120003 CVE-20120507

MS HCP PDF PDF

JAVA SKYLINE

JAVA SHOCKWAVE

FlashPlayer Button

SWF

CSS Clip

IE

IE-8 css parser Java Codebase Trust

IE

AOL

AOL

EDB-11175 Java Signed Applet CVE-20110558 CVE-20110559

JAVA

JAVA

MS WMP Signed Applet Social Engineering Code Exec

JAVA

Flash <10.2

SWF

Flash 10 by exm SWF

PDF Exploit - docmedianewPlayer PDF Exploit - LibTiff Integer Overflow se-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 Java Runtime Environment component in Oracle Java SE Internet Explorer Winhlp32.exe MsgBox Code Execution IEPeers Remote Code Execution IE7 Unitialized Memory Corruption Internet Explorer Tabular Data Control ActiveX Memory Corruption

Microsoft Office document with an embedded .swf file IE Time Element Memory Corruption

SWF

Flash memory corruption June - 2011

SWF

Flash memory corruption August-2011

PDF

U3D onject memory corruption December 2011

JAVA

Type confusion vulnerability in Oracle Java Update 27

Java Rhino

JAVA

WMP MIDI

MS WMP

Vulnerability in the Rhino Script Engine vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP)

Java Atomic "Java JSM"

JAVA JAVA JAVA - SWF

YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

NO

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES (added)

YES

YES YES

YES

YES YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES YES

YES

YES

YES

YES

YES YES

YES

YES

YES

YES

YES

YES

YES YES

YES

YES

YES

YES

NO

YES YES YES

YES

YES

YES

YES YES YES

YES

YES

YES

YES

YES YES

YES YES

YES YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES YES

YES

YES

YES YES (?)

YES

YES?

YES

YES

YES

YES

YES?

YES

YES

YES YES

YES

YES

YES

YES

YES YES

YES

(YES either this or CVE2009-1869)

YES

YES

maybe means JMS CVE-2010-4438 ? unpecified Java and Flash

YES ? at least 3 4? YES

8+

10

Price Exploit Description

YES YES

YES

incl.expired "zero-day"exploit generators unspecified old IE exploits (Salo pack is rare and old) unspecified IE-"0day"

Number of exploits included

CVE

YES

YES

www.metasploit. com/modules/exploit/multi/browser/java_signed_applet Integer overflow in Adobe Flash Player before 10.2.152.26 Denial of service (memory corruption) via crafted parameters

IE

YES

YES

YES

Help Center URL Validation Vulnerability YES PDF Exploit Adobe Reader Stack-based buffer overflow in CoolType.dll Adobe authplay.dll ActionScript AVM2 memory corruption Vulnerability – Adobe Reader < 9.4.0 – ALL Windows Unspecified vulnerability in the New Java Plug-in – Java 6 < Update 22 – IE Only – ALL Windows NO The Director module (dirapi.dll) in Adobe Shockwave Player memory corruption and application crash via crafted SWF content October 2010. mem cor Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 Use-after-free vulnerability in the CSharedStyleSheet:: Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll Sun Java Applet2ClassLoader Remote Code Execution Exploit AOL 9.5 Phobos.Playlist (Phobos.dll) ActiveX Control Import Windows Media Player 11 ActiveX launchURL() files download

SWF -OFC

slang/shorthand (CLICK ON CELLS 2 SEE TEXT)

YES

Adobe PDF SWF Java Deployment Toolkit Remote Argument Injection Vulnerability (Taviso) QuickTime 6.x, 7.x Read function in QTPlugin.ocx allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute

IE 6-8

IE IE IE

YES

Generator

Trusted Method Chaining - Java getValue Remote Code Execution NO Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an uncontrolled array index that allows remote attackers to execute arbitrary code via a MIDI file with a crafted MixerSequencer object, related to the GM_Song structure. YES Java SMB / Java JDT in Oracle Java SE and Java for Business JDK and JRE 6 Upd 10-19 * Requires xtra components NO Open/Launch embedded exe via built in functionality, ability to change user prompt text. Reported by Didier Stevens.

Flash 10

PDF U3D

YES YES

Black hole 1.2.1

Black hole 1.2.0

9 10 1500 $1500/year Black hole 1.1.0

11

9

10 15/16

$2,000 $2,000

6

12

7

12

15 15/16 15/16

14

10

14

14

10

62

16

4 25+/-

$2,200

Zero ( Merry Black Phoenix Open Eleonore EleoNore EleonoreEleonore1.4.4 Eleonore Eleonore PhoenixPhoenix PhoenixPhoenix PhoenixPhoenixPhoenixFragusFragus Christmas hole 2.8 Source LinuQ 1.6.5 1.6.4 1.6.3a Mod 1.4.1 1.3.2 2.7 2.5 2.4 2.3 2.2 2.1 2.0 Black 1 PEK v2. 1.0.0 mini kit 3 mod mod?)

Sava / Pay0C

Need to confirm list of CVE here

8

6

8

12

12

9 8 12 10 $150 250/800$ rent /$500-wk/month wk/mo $25/day $1,000

8

8

9

15

14

16

16

7

10

7

11

12

6

10

7

7

4

4

12

9

6

7

$900

Open "Dloader" BleedingBleeding SEO Zombie Best mushroom Crimepack Crimepack Crimepack Crimepack T- Tornado Siberia BombaPapka Source Robopak ? Katrin Life Life DragonNuclear Sploit Infection Lupit Pack unkNOwn 3.1.3 3.0 2.2.8 2.2.1 Iframer(Incomplete) /MetaPack UkNOwnname 3.0 2.0 pack kit

Unique Impassioned YES Liberty Pack Liberty EL Framework Salo Exploit 2.1.0 JustExploit ZopackiPack IcepackMpackWebattack Sploit 1.0.7 Fiiesta 1.0 3.0RC * 2.1

"No Name" Best Pack Blackhole Exploit kit Bleeding Life Bomba Cool CRIMEPACK Dragon CritXPack EL Fiiesta Eleonore Fragus Black Gong Da Grandsoft Hierarchy Exploit Pack Icepack Impassioned Framework 1.0 Incognito iPack JustExploit Katrin Liberty LinuQ Lupit Merry Christmas Mpack mushroom /unknown Neosploit Nuclear Nucsoft Neutrino Open Source /MetaPack Papka Phoenix Redkit Dloader ? Red Dot Robopak Safe Pack

Sakura Exploit Pack Salo

Sava / Pay0C SEO Sploit pack Siberia SofosFO aka Stamp EK Siberia Private Sweet Orange T-Iframer Techno Tornado Uknownname Unique Pack Sploit 2.1 Webattack Whitehole XPack Yang Pack Yes Exploit Zero Zhi Zhu Zombie Infection kit Zopack LightsOut

This sheet shows colors indicating original contributors. The table grew large and is more confusing and hard to read. This page (v. 16, 2012) will stay as is for historical reasons -for the credits and reference. In the future, please see the References tab for the pack information contributions. I want to thank you all for helping and sending information. Black - Francois Paget Red - Gunther Blue - Mila CVE

slang/shorthand (CLICK ON CELLS 2 SEE TEXT)

CVE-2000-0495 CVE-2003-O111 CVE-2004-1043 CVE-2004-0549 CVE-2004-0636 CVE-2004-0380 CVE-2005-2127 CVE-2005-2265 CVE-2005-0055 CVE-2006-0003 CVE-2006-0003/20064704 CVE-2006-0005 CVE-2006-1359

Gong Da

F

MSHTML IE6

Yes

Yes

MFSA2005-50 - Firefox Install VersioncompareTo

FLASH 9

Integer overflow in Adobe Flash Player 9 IE -buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2) ActiveVoice (Xvoice.dll) speech controls

JAVA GIF PARSE

Java GIF file parsing vulnerability

Yes

Yes

Yes

Yes

Yes

Yes

Yes

no

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

?

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

?

Yes

PDF Exploit• util.printf

Yes

?

Yes

?

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes Yes

Yes Yes

Yes Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes Yes Yes

Yes Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

no

Yes

Yes Yes

NoRemoved Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes Yes Yes Yes Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes Yes

Yes Yes

Yes

Yes Yes

Yes Yes Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes No Removed Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

optionaloptionalYes Yes Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes Yes Yes Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No Yes

Yes Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

yes

Javad0—JRECalendar Java Deserialize MS09-002 - lE7 Memory Corruption

?

firefoxdiffer

Firefox - Components/sessionstore/src/nsSessionStore.js

PDFOPEN PDF collab.getIcon / pdf-gi

Adobe Reader - Foxit Reader PDF OPEN

No removed Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

PDF Exploit- collab.getlcon

Yes

?

Yes

?

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes Yes

Yes Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes Yes

Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

yes

Yes

Yes

Yes

Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll Memory corruption via a crafted Flash application in a .pdf file or a crafted .swf file (authplay.dll)

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes no

Yes Yes

Yes

Yes

Yes

PDF Exploit - LibTiff Integer Overflow se-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 Java Runtime Environment component in Oracle Java SE

IEPeers msiemc IE Tabular Data Control ActiveX

IEPeers Remote Code Execution IE7 Unitialized Memory Corruption

yes

No removed Yes

Yes Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

QuickTime 6.x, 7.x hcp

Help Center URL Validation Vulnerability

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes (one file w rhino)

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes (added)

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

no

no

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

no

no

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

yes

Yes Yes Yes

Yes

Yes

Yes Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

yes

Yes

Yes

Yes

no

no

Yes

Yes

Yes

Yes

Yes

?

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

memory corruption and application crash via crafted SWF content October 2010. mem cor Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll

Java Codebase Trust

Sun Java Applet2ClassLoader Remote Code Execution Exploit

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

Yes

Yes

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes?

Yes

Yes

Yes

Yes?

Yes

Yes

Yes

Yes

Yes

Yes Yes

Yes Yes

Yes

AOL 9.5 Phobos.Playlist (Phobos.dll) ActiveX Control Import Windows Media Player 11 ActiveX launchURL() files download

Yes

Signed Applet Social Engineering Code Exec

www.metasploit.com/modules/exploit/multi/browser/java_signed_applet

Flash <10.2

Integer overflow in Adobe Flash Player before 10.2.152.26

Flash 10 by exm

enial of service (memory corruption) via crafted parameters

CVE-2011-0611

Flash 10

Microsoft Office document with an embedded .swf file

CVE-2011-1255 CVE-2011-2110 CVE-2011-2140 CVE-2011-2462 CVE-2011-3521 CVE-2011-3544

IE 6-8

IE Time Element Memory Corruption

CVE-2012-0003 CVE-2012-0507

WMP MIDI

Yes Yes

Yes

Flash memory corruption August-2011

Yes Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

(Yes either this or CVE20091869)

Yes

Yes Yes

Type confusion vulnerability in Oracle Java Update 27

Yes

Yes

Yes

Yes Yes Yes

U3D onject memory corruption December 2011 Vulnerability in the Rhino Script Engine vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP)

Yes Yes

Yes Yes Yes

Flash memory corruption June - 2011

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

Java Atomic maybe means JMS CVE-2010-4438 ?

Yes

unpecified Java and Flash

?

at least 3

incl.expired "zero-day"exploit generators

4?

unspecified old IE exploits (Salo pack is rare and old)

Yes

unspecified IE-"0day"

Number of exploits included

3

Pack Release date/update

03-2012

8 5

4?

$900 ZhuZhu

9 9

032010 02-2012 2012 2010 2012

Price Description

Yes (temp off)

Yes

Yes

yes

Yes

Yes

Yes

Yes (?)

IE-8 css parser

Yes

No

Yes

The Director module (dirapi.dll) in Adobe Shockwave Player CSS Clip

Yes

Yes

Yes

PDF FONT / Cooltype PDF Exploit Adobe Reader Stack-based buffer overflow in CoolType.dll Adobe authplay.dll ActionScript AVM2 memory corruption Vulnerability – Adobe Reader < 9.4.0 – ALL Windows Unspecified vulnerability in the New Java Plug-in – Java 6 < Update 22 – IE Only – ALL JAVA SKYLINE Windows FlashPlayer Button

Yes

Yes ? Yes

Yes

Internet Explorer Tabular Data Control ActiveX Memory Corruption

Java Deployment Toolkit Remote Argument Injection Vulnerability (Taviso) QuickTime 6.x, 7.x Read function in QTPlugin.ocx allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute

Yes

Yes

Yes

Yes Yes

Generator

JAVA TC (?) javagetval OBE Java invoke / Java Trust Trusted Method Chaining - Java getValue Remote Code Execution Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an uncontrolled array index that allows remote attackers to execute arbitrary code via a MIDI file with a JAVA MIDI Java OBE crafted MixerSequencer object, related to the GM_Song structure. Java SMB / Java JDT in Oracle Java SE and Java for Business JDK and JRE 6 Upd 10-19 * JAVA SMB / JAVA JDT Requires xtra components Open/Launch embedded exe via built in functionality, ability to change user prompt PDFOPEN text. Reported by Didier Stevens. javanew JWS

yes

Yes Yes Yes

Adobe PDF SWF

Yes

Yes

Yes

Yes

Yes

Internet Explorer Winhlp32.exe MsgBox Code Execution

PDF SWF

Yes

Yes

Yes

Sun Java JRE AWT SetDiff ICM Buffer Overflow buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before download mgr 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat PDF mediaNewPlayer / pdf-mp PDF Exploit - docmedianewPlayer

javarmi IE Winhlp32.exe MsgBox

yes

Yes Yes

Yes

Yes

Yes

Java Runtime Env. getSoundBank Stack BOF

Aurora

Yes

Yes

Yes

Telnet for Opera Th3270

PDF Libtiff / Lib

Yes

Yes (?) Yes (?) Yes (?) Yes

Static code injection vulnerability in setup.php

"Java JSM"

Yes

Yes/Generator

Yes

MS09-028 Microsoft DirectShow Remote Code Execution.

slang/shorthand

Yes

Yes

Yes

CVE-2010-3971 CVE-2010-4452 OSVDB-61964 EDB-11175

CVE

Yes

Yes

M508-041 - MS Access Snapshot Viewer

Heap-based buffer overflow in Opera 9.62

Java Rhino

Yes

Yes

Yes

MS09-032 DirectX DirectShow (IE)

Internet Explorer 7 XML Exploit

PDF U3D

Yes

Yes Yes Yes Yes Yes Yes

Windows Media Encoder Buffer Overrun Vulnerability

AOL

Yes

yes

Yes

Yes

AOL Radio AmpX Buffer Overflow Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3. dll 1.0.0.12 in Gretech Online Movie Player (GOM Player)

Opera 9.62 JAVA JRE / Javad0 / Javado / Java Calendar / javaold/JavaSr0

JAVA GSB Sun Java JRE AWT SetDiff ICM Buffer Overflow

Yes

Yes

PDF Exploit -collab, collectEmaillnfo

iexml

PMA phpmyadmin

Yes

Yes

Yes Yes

BrightStor ARCserve Backup R11.5

IE7 MEMCOR in IE7 MS09-002

Yes

Yes

Yes Yes

RealPlayer ActiveX Control Console Property Memory Corruption

util.printf

Yes

Yes

Buffer overflow in the YMP Datagrid ActiveX control (datagrid.dll) in Yahoo! JukeBox

m_Cor_n / MS Office Snapshot/IE snapshot or activexbundle

Yes

Yes Yes

Yes

AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability IE6/IE7 DSHOW

Yes

Yes ?

CA BrightStor ARCserve Backup Multiple VulnerabiIities

AOL

Yes Yes Yes

Yes

DirectX - DirectTransform FlashPix ActiveX (IE)

CVE-2010-3962

Java Signed Applet CVE-2011-0558 CVE-2011-0559

Yes

Yahoo! Widgets YDP (IE)

collab, collectEmaillnfo

TELNET - for OPERA 9.0 - 9.25 or OPERA

CVE-2010-3552 CVE-2010-3653 CVE-2010-3654

Yes

Yes

CVE-2009-3269

CVE-2010-2884

Yes

Yahoo! Messenger Webcam (IE) DirectX

Yes Liberty Liberty EL Exploit JustExploit Zopack iPack Icepack Mpack Webattack 2.1.0* 1.0.7 Fiiesta 3.0RC

Yes

CVE-2009-2477

CVE-2010-1818 CVE-2010-1885 CVE-2010-2883

Yes

Yes

Flash 10 Integer overflow in the AVM2 abcFile parser in Adobe Flash Player Mozilla FF 3.5 Exploit / font tags | FF escape retval Firefox - Font tags | Firefox 3.5 escape() Return Value Memory Corruption

CVE-2010-1240 CVE-2010-1297 CVE-2010-1423

Yes

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow

Multiple cross-site scripting (XSS) vulnerabilities in the export page

CVE-2010-0886

Yes

Vector Markup Language Vulnerability (IE)

CRLF injection vulnerability

CVE-2010-0842

Yes

Apple QuickTime RTSP URI (lE)

PMA phpmyadmin

CVE-2010-0840

Yes

NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow Vulnerability

PMA phpmyadmin

CVE-2010-0805

Yes

Winzip FileView ActiveX (IE)

CVE-2009-1150 CVE-2009-1151 CVE-2009-1538 CVE-2009-1671

CVE-2010-0483 CVE-2010-0806

Yes

AOL SuperBuddy ActiveX Control LinkSBlcons() Vulnerability

CVE-2009-1149

CVE-2010-0249 CVE-2010-0094

Yes

America Online ICQ ActiveX Control Arbitrary File Download and Execute

Directory traversal vuln in bs_disp_as_mime_type.php

CVE-2009-4324 CVE-2010-0188

Yes

Microsoft XML Core Services Vulnerability

MSO9-043 - lE OWC Spreadsheet ActiveX control Memory Corruption

CVE-2009-3958

Yes

MSO6-055 - Windows Vector Markup Language Vulnerability

PMA phpmyadmin

CVE-2009-3869

Yes

MS07-009- lE6/Microsoft Data Access Components (MDAC) Remote Code Execution

spreadsheet

CVE-2009-3867

Yes

Yes

CVE-2009-1148

CVE-2009-1862 CVE-2009-1869

Yes

DirectAnimation ActiveX Controls Memory Corruption Vulnerability

CVE-2008-1472

CVE-2009-0927 CVE-2009-1136

Yes

Yes

MS06-013 - CreateTextRange Microsoft Management Console (MMC) Redirect Cross-Site Scripting (XSS) vulnerability (IE)

CVE-2008-1309

CVE-2009-0075/0076 CVE-2009-0355 CVE-2009-0836

Yes

IE COM CreateObject Internet Explorer COM CreateObject Code Execution FF EMBED / MS06006 MS06-006 - Windows Media Player plug-in vulverabiIity for Firefox & Opera

Windows ANI LoadAniIcon

Unique Impassioned Pack Framework Salo Sploit 1.0 2.1

Yes Yes

Yes

MS06-014 for lE6/Microsoft Data Access Components (MDAC) Remote Code Execution

WMI Object Broker

CVE-2008-5353

Yes

IE 5.01, 5.5, and 6 DHTML Method Heap Memory Corruption Vulnerability

IE6 MDAC America Online ICQ ActiveX

Open "Dloader" SEO Zombie mushroom Bleeding Bleeding CRIMEPACK CRIMEPACK CRIMEPACK CRIMEPACK TTornado Bomba Papka Source Robopak ? Katrin Sploit Infection Lupit /unknown Life 3.0 Life 2.0 3.1.3 3.0 2.2.8 2.2.1 Iframer (Incomplete) /MetaPack Uknownname pack kit

Yes Yes Yes

Yes?

COM Object Instantation Memory Corruption (Msdssdll)

mdac

Best Pack

Yes

MHTML URL Processing Vulnerability FF CompareTo

Sava / Pay0C

Yes

CVE-2006-4704 CVE-2006-4777 CVE-2006-4868 CVE-2006-5559

CVE-2008-2463 CVE-2008-2992 CVE-2008-3008 CVE-2008-4844 CVE-2008-5178

Zero Merry Hierarchy (perhaps Fragus Fragus Christmas Exploit Open LinuQ Black 1 PEK v2.3 Pack Source mod kit mod)

AOL Instant Messenger goaway Overflow

WebViewFolderlcon (IE) Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils. WMIObjectBroker2)

CVE-2007-5779 CVE-2007-6250 CVE-2008-0015 CVE-2008-0624

Siberia

MSOS-OO1 HTML vulnerabilities AOL Instant Messenger

Firefox -js navigator Object Code

CVE-2007-5755

Siberia Private

Yes Yes Yes

Firefox Jno / JNO

CVE-2007-2222 CVE-2007-0243 CVE-2007-3147/3148 CVE-2007-4034 CVE-2007-4336 CVE-2007-5327 CVE-2007-5659/20080655

Techno XPack

Malformed Windows Media Encoder Request

CVE-2006-3677 CVE-2006-3730

CVE-2007-0038 CVE-2007-0071

BlackholeBlackholeBlackholeBlackholeBlackholeSakura Phoenix Eleonore Phoenix Phoenix Phoenix Phoenix Phoenix Phoenix Phoenix Exploit Exploit Exploit Exploit Exploit Exploit EleonoreEleonoreEleonoreEleonore Eleonore Eleonore "Yang 2.8 1.4.4 2.7 2.5 2.4 2.3 2.2 2.1 2.0 kit kit kit kit kit Pack 1.8.91 1.6.5 1.6.4 1.6.3a 1.4.1 1.3.2 Pack" mini Moded 1.2.3 1.2.1 1.2.0 1.1.0 1.0.0 1.0

M503-O11 - ByteCode Verifier component flaw in Microsoft VM

CVE-2006-3643

CVE-2006-5650 CVE-2006-5745 CVE-2006-5820 CVE-2006-6884 CVE-2007-0015 CVE-2007-0018 CVE-2007-0024

Dragon Nuclear Incognito Phoenix Zhi Zhu Nuclear Incognito pack v.2 v.2 3.1

Dragon

ZhuZhu

8

Feb-11

14

Mar-12

$900

nuclear Incognito Phoenix nuclear Incognito 2 2 3.1

7

12

15 15/16 15/16 07-y, October 2010 $2,200

14

10 before07-y 2010

14 10

8+

10

9

10

Dec'11 Dec'11 Sep'11 apr'11 Aug'10 Jan'12 1-2K 1500 /mo $1500/year rent

4

14

11

9

10 15/16

May'11?40585 40585

6

40299

12 4 8 Dec162009 Jan'12 Jan'12

6 10

10

Jan'12

old

Jan'12

14

2011

10

62

07-09 Feb'11?

16

4 25+/-

aug-11 07-'11 07-'11

8

8

Jun11

12

9

8

12

10

MayJan11 May-11 Mar201140513 2011

8

15 14 16 16 07y, May, Apr, Mar, 2010 2010 2010 2010

7

?

10

40360

7

11

May- May10 10

12

10

7

7

Sep09 sep'0907--09

6

Feb09

Sep09

4

4

12

9

6

7

$150 /$500- 250/800$ rent wk/monthwk/mo $25/day $1,000

$2,000 $2,000

BlackholeBlackholeBlackholeBlackholeBlackhole Phoenix Sakura Eleonore Phoenix Phoenix Phoenix Phoenix Phoenix Phoenix Phoenix Exploit Exploit Exploit Exploit Exploit EleonoreEleonoreEleonoreEleonore Eleonore Eleonore "Yang 2.8 Exploit 1.4.4 2.7 2.5 2.4 2.3 2.2 2.1 2.0 kit kit kit kit kit 1.8.91 1.6.5 1.6.3a 1.6.3a 1.4.1 1.3.2 Pack" mini Kit Moded 1.2.3 1.2.1 1.2.0 1.1.0 1.0.0

12

Techno XPack

Siberia Private

Siberia

Hierarchy Fragus Fragus Exploit Black 1 Pack

Zero

Merry Christmas LinuQ PEK v2.3 mod Need to confirm list of CVE here

Sava / Pay0C

Best Pack

Bomba papka

Open Dloader SEO Zombie Source mushroom Bleeding Bleeding CRIMEPACK CRIMEPACK CRIMEPACK CRIMEPACK TTornado Robopak or ? Katrin Sploit Infection Lupit /Metasploit /unknown Life 3.0 Life 2.0 3.1.3 3.0 2.2.8 2.2.1 Iframer (Incomplete) uknownname pack kit Pack

Unique Impassioned Pack Framework Salo Sploit 1.0 2.1

Yes Liberty LIBERTY EL Exploit JUSTEXPLOIT ZOPACKiPACK ICEPACKMPACK WEBATTACKER 2.1.0* 1.0.7 FIESTA 3.0RC