Home > ParetoLogic Blogs > Malware Diaries > Exploits 4free
Old 06-10-2009, 10:20 PM
Michael
Administrator
Join Date: May 2007
Posts: 313
Exploits 4free

Today I was looking at an interesting website and a drive-by-download associated to it.

pic

The file is not a JPG... in fact it is an exploit script. I detail what it does in the diagram below:

fakelogo

The hacker has left their Apache/2.2.9 PHP/5.2.6 server wide open! The IP is located in Hong Kong, China and actually hosts two different domains (that are mirrors of each other).

Because the server is not protected, you can easily browse through its file repository and find all the exploit code in there. If you check the date, these exploits are fairly recent.

exploit0

There is a nice PHP management page, called PHPSpy that allows you to update your exploits:

exploit333

I downloaded all the files in that repository for a closer look.

Among them is an AVI file that exploits a vulnerability in Explorer. In my case it just crashed Explorer and did nothing else. The exploit happens when you select the file and Explorer tries to display its properties in the details pane.

exploit1

DLL files compiled in C# that leave no doubt as to their intent (exploit shellcode):

exploit9

Heavily obfuscated html pages loaded with exploits:

exploit6

Following the PHPSpy link led me to the Security Angel website (in Chinese).

A quick translation reveals (more or less) what it's all about:

phpspy

The "Security Angel team" has more exploits up for grabs:

exploit5

It also has some tutorials and scripts for newbies, such as this 'man in the middle' attack Perl script:

exploit4

man1

I decided to analyze the main executable that these exploits push. It creates a service and injects a DLL file into System32.

exploit8

A VirusTotal scan... the sample is detected, but the descriptions are vague.

exploit7

Security researchers interested in the actual location of the exploit server can contact me.

Jerome Segura
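The first thing the post flags is a file served under a JPG name that is really an exploit script. A simple defensive check for that mismatch is to compare the claimed extension against the file's leading bytes and to look for script markers in the body. The following is an added example written for this page, not code from the post or from ParetoLogic; the sample files and the marker list are constructed for illustration, and the marker list is deliberately small.

```python
"""
Flag files whose extension claims an image but whose bytes look like
HTML/JavaScript (the "not a JPG, in fact an exploit script" case).

Added example for this page; the samples below are constructed.
"""
import re

# Leading bytes (magic numbers) for the image types a web page commonly claims.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Illustrative markers for HTML or script content; a real scanner would use a
# much larger list and a proper HTML/JS tokenizer.
SCRIPT_MARKERS = re.compile(
    rb"<\s*(script|html|iframe|body|object|embed)\b"
    rb"|eval\s*\(|unescape\s*\(|document\.write",
    re.IGNORECASE,
)


def classify(filename: str, data: bytes) -> str:
    """Return one of: image, image-with-embedded-script,
    script-masquerading-as-image, script, unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = IMAGE_MAGIC.get(ext)
    header_ok = expected is not None and any(data.startswith(m) for m in expected)
    # Only the first 64 KiB is scanned; large images are not read in full.
    has_script = bool(SCRIPT_MARKERS.search(data[:65536]))

    if header_ok and not has_script:
        return "image"
    if header_ok and has_script:
        # Valid image header followed by script: a polyglot, worth a look.
        return "image-with-embedded-script"
    if has_script:
        return "script-masquerading-as-image" if expected is not None else "script"
    return "unknown"


# Constructed samples: a real JPEG header, a GIF, an obfuscated HTML page
# served as pic.jpg, and a JPEG with a script tag appended.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01",
    "banner.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "pic.jpg": b"<html><body><script>eval(unescape('%75%6e'))</script></body></html>",
    "poly.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00<script>document.write('x')</script>",
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} {verdict}")
```

Run over a download directory, anything other than `image` for a file with an image extension is worth pulling into a sandbox rather than opening in a browser or a file manager that renders previews.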