February 15, 2015 at 01:21RIG exploit kit source code leaked online
The source code for the exploit kit RIG exploit kit hit the net. As in the case with other similar leaks of the source code of malicious programs, they were put up for sale at one of the underground hacker forums, after which they were in the public domain. Exploit kits are special tools of attackers that are used to automatically install malware on users' computers through browser exploits or plug-ins for them.
Fig. RIG EK source tree.
Actually, the “set of exploits” itself is a special php control panel that organizes the management system for existing exploits, statistics on their use and provides hosting for malicious programs that will be downloaded to the user's computer and installed there. Its claimed features include the normal functioning (infection) of both 32-bit and 64-bit Windows, bypass of User Account Control (UAC) in exploits, the domains used by exploits can change, depending on their detection by AV scanners.
Version 2.0 has the following exploits in its arsenal:
Fig. The RIG EK function from the \ www \ manage \ p_exploits.php file, which is responsible for recording exploit usage statistics.
The abundant presence of comments in Russian in the source texts clearly hints at the origin of the RIG EK.
The source leak of RIG EK may lead to its use by other attackers, as well as the appearance of its new modifications with adaptation to deliver malware through more modern exploits. Typically, drive by download attacks are organized by attackers involving a particular set of exploits that provide a covert installation of malware.
Fig. RIG EK source tree.
Actually, the “set of exploits” itself is a special php control panel that organizes the management system for existing exploits, statistics on their use and provides hosting for malicious programs that will be downloaded to the user's computer and installed there. Its claimed features include the normal functioning (infection) of both 32-bit and 64-bit Windows, bypass of User Account Control (UAC) in exploits, the domains used by exploits can change, depending on their detection by AV scanners.
Version 2.0 has the following exploits in its arsenal:
- CVE-2012-0507 (Java)
- CVE-2013-0074 (Silverlight)
- CVE-2013-2465 (Java)
- CVE-2013-2551 (Internet Explorer 7-8-9)
- CVE-2013-0322 (Internet Explorer 10)
- CVE-2014-0497 (Flash Player)
- CVE-2014-0311 (Flash Player)
Fig. The RIG EK function from the \ www \ manage \ p_exploits.php file, which is responsible for recording exploit usage statistics.
The abundant presence of comments in Russian in the source texts clearly hints at the origin of the RIG EK.
The source leak of RIG EK may lead to its use by other attackers, as well as the appearance of its new modifications with adaptation to deliver malware through more modern exploits. Typically, drive by download attacks are organized by attackers involving a particular set of exploits that provide a covert installation of malware.