Exploit kit dissected
Alex Rice of Websense Security Labs has dissected "Web-Attacker", one of the most popular exploit kits on the web. He recently got hold of the source code and takes us through it step by step. For those who do not know how Web-Attacker works, here's a brief scenario:
- User visits a compromised webpage containing a hidden iframe that loads go.php.
- go.php redirects to ie0609.cgi?homepage, which redirects to demo.php.
- Based on the value of the type parameter, ie0609.cgi returns the requested exploit. Each exploit differs but attempts the same action: execute the data downloaded from ie0609.cgi?exploit=<EXPLOIT_TYPE>.
- With the exploit parameter, ie0609.cgi returns the malicious binary to be executed. The attack is complete.
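For defenders, the request sequence above can be hunted for in web proxy logs. The following is an added example, not code from the blog post or from the kit; the log layout (timestamp, client, method, URL), the hosts, addresses and the `EXAMPLE` exploit type are constructed, and tracking progress per client address is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Ordered stages of the chain, taken from the scenario in the list above.
CHAIN = ["go.php", "ie0609.cgi?homepage", "demo.php", "ie0609.cgi?exploit="]

def stage_of(url):
    """Return the index in CHAIN that this URL matches, or None."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name == "go.php":
        return 0
    if name == "demo.php":
        return 2
    if name == "ie0609.cgi":
        if parts.query.lower() == "homepage":
            return 1
        if "exploit" in parse_qs(parts.query, keep_blank_values=True):
            return 3
    return None

def find_chains(lines, min_stages=3):
    """Map client -> stages seen in order, for clients that reached the payload request."""
    progress = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        _ts, client, _method, url = fields[:4]
        idx = stage_of(url)
        if idx is None:
            continue
        seen = progress.setdefault(client, [])
        if not seen or idx > seen[-1]:  # only count forward progress
            seen.append(idx)
    # go.php and demo.php are common names, so require the payload stage too.
    return {c: [CHAIN[i] for i in s] for c, s in progress.items()
            if len(s) >= min_stages and s[-1] == 3}

# Constructed sample log: one client walks the chain, one hits unrelated pages.
SAMPLE_LOG = [
    "2000-01-01T10:00:00 192.0.2.10 GET http://compromised.example/index.html",
    "2000-01-01T10:00:01 192.0.2.10 GET http://kit.example/go.php",
    "2000-01-01T10:00:01 192.0.2.10 GET http://kit.example/cgi-bin/ie0609.cgi?homepage",
    "2000-01-01T10:00:02 192.0.2.10 GET http://kit.example/demo.php",
    "2000-01-01T10:00:03 192.0.2.10 GET http://kit.example/cgi-bin/ie0609.cgi?exploit=EXAMPLE",
    "2000-01-01T10:05:00 192.0.2.20 GET http://shop.example/go.php",
    "2000-01-01T10:05:04 192.0.2.20 GET http://shop.example/demo.php",
]

if __name__ == "__main__":
    for client, stages in find_chains(SAMPLE_LOG).items():
        print(client, "->", " -> ".join(stages))
```

A client that reaches the final `ie0609.cgi?exploit=` request has been served the binary, so that host warrants endpoint triage rather than just a blocked-URL entry.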
Be sure to check out the blog post and see how this simple, yet nasty little Perl script works.