Friday, February 27, 2009

LuckySploit, the right hand of Zeus

LuckySploit is the name of a set of scripts (a toolkit) designed to exploit various vulnerabilities and allow arbitrary binaries to be executed on the victim's computer.

Currently these scripts, which are obfuscated, are being used by the Zeus botnet to recruit zombie PCs through drive-by-download attacks.

When the website is accessed, only a blank page is displayed, but checking its source code reveals JavaScript like this:

The script is encrypted with the RSA algorithm; this is indicated at the end of the code.

Another interesting detail is that the script is served only once: if you go back to the same address and check the HTML source code again, the script is no longer there.

Some of the domains that host LuckySploit were listed here at the time of writing.

It's worth noting that many of these URLs are active, so if you decide to access any of them, take the safety precautions appropriate to the case.

At the end of some of the scripts, a message can clearly be read that says:
attack_level = 0;;
try {
f = 'Welcome to LuckySploit:) \n ITS TOASTED';

In this way, Zeus adds the infected computers to its malicious network.
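As an added, defender-side example (not from the original post and not LuckySploit's own code), the two observations above, a visibly blank page whose source carries a large obfuscated script and the "Welcome to LuckySploit" / attack_level strings at the end of it, turned into a small Python triage check run over constructed HTML samples. The MARKERS tuple, the 400-character script threshold and the sample pages are assumptions made for the example.

```python
import math
from html.parser import HTMLParser

# Strings the post reports at the end of the LuckySploit script.
MARKERS = ("Welcome to LuckySploit", "ITS TOASTED", "attack_level")

class _PageStats(HTMLParser):
    """Separate visible page text from inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.visible, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.scripts if self._in_script else self.visible).append(data)

def shannon_entropy(text):
    """Bits per character; encrypted/obfuscated blobs score higher than code."""
    if not text:
        return 0.0
    n, counts = len(text), {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse_page(html, min_script_len=400):
    """Flag a blank page carrying a large inline script, or known markers."""
    parser = _PageStats()
    parser.feed(html)
    visible = "".join(parser.visible).strip()
    script = "".join(parser.scripts)
    markers = [m for m in MARKERS if m in script]
    return {
        "visible_chars": len(visible),
        "script_chars": len(script),
        "script_entropy": round(shannon_entropy(script), 2),
        "markers": markers,
        "suspicious": (not visible and len(script) >= min_script_len) or bool(markers),
    }

# Constructed samples (hypothetical, not captured from any real site).
BENIGN = "<html><body><h1>Hello</h1><p>Some ordinary page text.</p></body></html>"
BLANK_WITH_SCRIPT = ("<html><body><script>var k='" + "a7f3e9c2b1d4" * 40
                     + "';attack_level = 0;;</script></body></html>")
```

Feed analyse_page the HTML captured from a proxy or sandbox run; the entropy figure helps separate an encrypted blob from ordinary library code when no marker string is present.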

Related information:
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version
Malware attack via Internet - Spanish version

# Jorge Mieres
