Yet Another Web Attack Toolkit -> Exploit Multipackage 0.2

Last week we received an email message, written in German, advertising a casino called Lux Imperial Casino. The message was not just spam: it also included a malicious link to an exploit toolkit called Exploit Multipackage.

The infection URL, http://58.65.239.98/%5Bremoved%5D/index.php, lets the attacker probe the visiting system for vulnerabilities. If it finds any, a Trojan detected as Nabload.DBD is installed on the computer. This Trojan in turn downloads another one, detected as Banker.KQS, which is designed to steal confidential information related to banking entities.

We were able to access its control panel, which is hosted in Hong Kong. Although it has not been active for long, the following images show the most affected operating systems and browsers. Another interesting detail is that the control panel is in Russian, and the most affected country is Germany.

This control panel is similar to the Traffic Pro one, so it could be an evolution of that kit. Last year we published a complete report about Traffic Pro, which you can check here.


This is the list of vulnerabilities it attempts to exploit on the victim's system. For more information about each vulnerability and how to update the system to protect it, visit the following websites:

Microsoft Security Bulletin MS03-011 [Flaw in Microsoft VM Could Enable System Compromise (816093)]

Microsoft Security Bulletin MS06-014 [Vulnerability in the Microsoft Data Access Components Function Could Allow Code Execution (911562)]

Microsoft Security Bulletin MS06-044 [Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)]

Microsoft Security Bulletin MS07-017 [Vulnerabilities in GDI Could Allow Remote Code Execution (925902)]

Microsoft Security Bulletin MS07-055 [Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)]

Yahoo! ActiveX GetFile() [Vulnerability in Yahoo! Messenger (8.1.0.421) CYFT FT60.DLL]

QuickTime ActiveX [QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow]

Thanks to Christian for his collaboration.