Best Pack

ScriptKiddieSec broke the news about a new exploit pack called “Best Pack”. Rumor has it that this is the successor of Dragon Pack. I still can’t find the original Dragon Pack so if there’s anyone willing to share, please send it to me!

Anyway, I was lucky to find this in the wild. Here is the obfuscated Javascript exploit code:

You can see at the top of the page that it calls two external JS files. The “pda.js” file detects browser plug-ins. The “foo.js” file uses object-oriented programming to execute the malicious code.

There may be others, but this is the first pack I have found in the wild that uses OOP in Javascript.

The Javascript at the bottom of the main page pulls in content from the various DIV containers, pieces the pieces together, and converts the result into hex. At the very end, the long string of hex characters is unescaped and then eval’d.
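To make that staging pattern concrete, here is an added example (not the pack’s code) that reconstructs the loader logic described above and the usual analyst’s countermove: swapping eval for a function that hands back the decoded second stage instead of running it. The DIV contents, the decimal encoding and the decoded payload are all constructed for this example so it runs under Node without a DOM; the real pack’s encoding and payload are not reproduced here.

```javascript
// Added example, not the pack's code: the DIV-staging pattern described
// in the post, plus an eval hook for analysis.

// Stand-in for the hidden DIV containers (in the browser this would be the
// text of document.getElementsByTagName("div")). Each chunk is a run of
// decimal byte values; together they spell the constructed second-stage
// source  "stage2".toUpperCase()
const DIV_CHUNKS = [
  "34 115 116 97 103 101 50 34",                       // "stage2"
  "46 116 111 85 112 112 101 114 67 97 115 101 40 41", // .toUpperCase()
];

// Loader logic as the post describes it: piece the DIV contents together,
// turn them into a %XX hex escape string, and unescape() that into source.
function decodeStages(chunks) {
  const hexEscaped = chunks
    .join(" ")
    .split(/\s+/)
    .filter(Boolean)
    .map((n) => "%" + parseInt(n, 10).toString(16).padStart(2, "0"))
    .join("");
  // unescape() is legacy, but browsers and Node still support it, which is
  // exactly why packs of this era lean on it.
  return unescape(hexEscaped);
}

// The final step on the malicious page: eval the decoded string. The
// evaluator is a parameter so the same loader can be run under analysis.
function runStages(chunks, evaluate = eval) {
  return evaluate(decodeStages(chunks));
}

// Analyst's countermove: hand the loader a fake eval that records the source
// instead of executing it. In a browser sandbox the equivalent is overriding
// window.eval before the page's script runs.
function captureStages(chunks) {
  const captured = [];
  runStages(chunks, (src) => {
    captured.push(src);
    return undefined;
  });
  return captured;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("decoded :", decodeStages(DIV_CHUNKS));
  console.log("executed:", runStages(DIV_CHUNKS));
  console.log("captured:", captureStages(DIV_CHUNKS));
}
```

The point of parameterising the evaluator is that the obfuscation layer never has to be understood in detail: whatever the encoding, the decoded source has to pass through eval at the end, and that is the one place an analyst needs to hook.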

One line of the code was particularly interesting, and I had never seen it used before (note the plus sign at the beginning):

+wGuftEnZ.showName;

If I remove the plus sign, the script doesn’t work! The reason is that unary plus converts its operand to a number, and converting an object to a number calls that object’s valueOf() method, so the plus sign is what actually invokes the code the pack hides behind showName.valueOf. Without it, the line is just a property access that does nothing. After doing some research, I found this article which describes this calling method; the regular way of doing the same thing would be:

window.parseFloat(wGuftEnZ.showName.valueOf());

or, if showName were a plain function rather than an object with a valueOf method, just this:

wGuftEnZ.showName();

The article includes a sample script, and many of its components turn up in this exploit pack’s code.
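The following added example (not the pack’s or the article’s code) shows why the leading plus is a call, and goes a little beyond the page by checking which other coercions trigger the same thing, which matters when you are grepping deobfuscated code for this trick. The object and method names wGuftEnZ and showName are taken from the post; the valueOf body is a constructed stand-in that only records that it ran.

```javascript
// Added example, not the pack's code: why `+wGuftEnZ.showName;` runs code.
// Unary plus applies ToNumber to its operand; for an object that means
// ToPrimitive with hint "number", which calls the object's valueOf() first.
// Hide a function behind valueOf and a lone '+' becomes a call.
const calls = [];
const wGuftEnZ = {
  showName: {
    valueOf: function () {
      calls.push("valueOf invoked"); // the malicious body would live here
      return 1;                      // the numeric result is simply discarded
    },
  },
};

// The line as it appears in the pack: a bare expression statement.
function triggerWithPlus() {
  calls.length = 0;
  +wGuftEnZ.showName;
  return calls.slice();
}

// The same line with the plus removed: a property access with no side effect.
function triggerWithoutPlus() {
  calls.length = 0;
  wGuftEnZ.showName;
  return calls.slice();
}

// The explicit form from the post (minus the window. prefix, which Node lacks).
function explicitEquivalent() {
  calls.length = 0;
  const value = parseFloat(wGuftEnZ.showName.valueOf());
  return { value: value, invoked: calls.length === 1 };
}

// Generalisation beyond the page: any numeric coercion reaches valueOf, so a
// search for this trick should not stop at the '+' operator. Returns a map of
// probe name -> whether valueOf ran.
function coercionsThatInvokeValueOf() {
  const probes = {
    "unary plus":  () => { +wGuftEnZ.showName; },
    "unary minus": () => { -wGuftEnZ.showName; },
    "multiply":    () => { wGuftEnZ.showName * 1; },
    "Math.abs":    () => { Math.abs(wGuftEnZ.showName); },
    "bare access": () => { wGuftEnZ.showName; },
    "typeof":      () => { typeof wGuftEnZ.showName; },
  };
  const result = {};
  for (const [name, probe] of Object.entries(probes)) {
    calls.length = 0;
    probe();
    result[name] = calls.length > 0;
  }
  return result;
}
```

Note that string contexts (template literals, concatenation with a string) go through toString() first and never reach valueOf when the default Object.prototype.toString is in place, so the trick depends specifically on a numeric coercion.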

Anyway back to the exploit script…

After you decrypt the script, you will end up with this:

There are nine major functions that execute the various exploits, and they are called in reverse order. From what I could make out, these are the exploits being used:

  • CVE-2011-0611 (Flash 10)
  • CVE-2010-0188 (LibTiff)
  • CVE-2010-0842 (Java Midi)
  • CVE-2010-0840 (Java Trust)
  • CVE-2010-0886 (Java SMB)
  • CVE-2010-3552 (Java Skylined)
  • CVE-2008-2463 (IE Snapshot)
  • CVE-2006-0003 (IE MDAC)

Here’s a screenshot of the panel (thanks again ScriptKiddieSec):

This exploit pack appears to be offered as a rental service for $25 per day.

Posted on: 06/15/2011