
August 12th, 2009

Exploit Pack as the way to infect!

Various exploit packs are getting very popular these days. Using them is an easy way to infect thousands of computers around the world. Each exploit package is composed of several exploits (mostly for current vulnerabilities). Sometimes it is a single file which contains all the exploits; more often, each exploit is represented by a different file. The multi-file layout seems to be more successful for the attacker, because antivirus software may detect only part of the exploit pack, and the rest of the pack, still undetected, can keep serving new malware to users. This article describes the structure and activities of one of the more complex exploit packs.

The pack I am writing about was discovered last week on many Chinese servers. As I wrote above, avast! was detecting only part of it, so the rest of the detections were released a while after its discovery. It is not really a new exploit pack, just a new version of a previously used one; "new version" means that its creators changed it to achieve a lower detection rate across all antivirus software. Its complexity is very high, as you can see in the next image, a diagram of the pack:

Chinese Exploit Pack Diagram

This exploit pack contains nearly 40 files, including redirectors, vulnerability testers, exploits and shellcodes. As the image shows, there are two damaged branches: one for a PDF exploit (the PDF file was damaged and cannot exploit anything, as it cannot be loaded) and one probably for an SWF exploit (404 error). Even so, there are still 11 exploits ready to attack. All of them are detected by avast! antivirus. It might be very interesting for the reader to see how other AV engines are dealing with this complex exploit pack, so I have prepared the following image with a nicely colored table (hope you like it):

Detection rate over full Exploit Pack

The table shows which file was detected by which antivirus. The last two columns contain the detection rate over the full pack and the detection rate over the exploit files only. I am leaving the antivirus quality assessment up to the reader, but zero detection says everything. GData uses the avast! engine in their multi-engine scanner, which is the reason why they are as good as we are.

All data for the table was gathered from VirusTotal, and all the original reports are added at the end of the article to show that I am not fooling you with faked results. The files, in the order of the table: cqq0.htm, cqq2.css, cqq2s.css, cqqmp.htm, cqqskin.css, cry.css, dvd.js, ec1.htm, ec4.js, ecb.htm, ecbbb.htm, ecfff.js, ecffx.htm, ecfox.htm, ecfox.js, ecof.htm, evilr.htm, evilrr.js, fycry.htm, fydvd.htm, fylz.htm, fyr.htm, fyr1.js, fyre1.htm, google_ad.js, google_ads.js, google_adx.js, music.js, off.css, rr.js, sfpf.htm, show.jpg, shows.jpg, xxxxz.js, zz.js.
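The two things the article describes, a pack split across many files that reference each other (redirectors pulling in .css and .jpg files as scripts) and the per-engine detection rate computed over the whole pack versus over the exploit files only, can be worked through on a small model. The following is an added example, not code from the original post or from avast!: the file contents, the role assignments and the antivirus verdicts are all constructed for the example (only the file names are borrowed from the article's list). It extracts the script/iframe references from each file, walks the chain from the landing page, flags files loaded as script despite a non-script extension, and computes both detection rates.

```python
"""Added example (not part of the original post): triage helper for a
multi-file exploit pack. All contents, roles and verdicts are constructed."""

import os
import re
from collections import deque

# Constructed sample pack: filename -> content. Hypothetical bodies; the
# chain mirrors the article's description (landing page -> redirector -> exploit).
SAMPLE_PACK = {
    "cqq0.htm": '<html><script src="google_ad.js"></script>'
                '<iframe src="ecb.htm" width=0 height=0></iframe></html>',
    "google_ad.js": 'document.write(\'<script src="cqq2.css"></script>\');',
    "cqq2.css": 'var payload = "EXPLOIT-PLACEHOLDER"; // constructed exploit body',
    "ecb.htm": '<script src="show.jpg"></script>',
    "show.jpg": 'var payload = "EXPLOIT-PLACEHOLDER"; // constructed exploit body',
    "off.css": 'body { color: red; }',
}

# Roles as an analyst would assign them (constructed for this example).
ROLES = {
    "cqq0.htm": "redirector", "google_ad.js": "redirector", "ecb.htm": "redirector",
    "cqq2.css": "exploit", "show.jpg": "exploit", "off.css": "decoy",
}

# Constructed verdicts: engine name -> set of files it detected.
VERDICTS = {
    "av_A": {"cqq0.htm", "google_ad.js", "cqq2.css", "ecb.htm", "show.jpg"},
    "av_B": {"cqq2.css"},
    "av_C": set(),
}

# Extensions a browser is normally expected to load as script/markup.
SCRIPT_EXTENSIONS = {".js", ".htm", ".html"}

# Matches <script ... src="..."> and <iframe ... src="...">, also when the tag
# sits inside a JS string (document.write), which is how packs chain files.
REF_PATTERN = re.compile(r'<(script|iframe)[^>]*\ssrc=["\']([^"\']+)["\']', re.I)


def extract_references(content):
    """Return [(tag, target), ...] for every script/iframe src in content."""
    return [(tag.lower(), target) for tag, target in REF_PATTERN.findall(content)]


def build_graph(pack):
    """filename -> list of (tag, target) references found in that file."""
    return {name: extract_references(body) for name, body in pack.items()}


def reachable(graph, entry):
    """Files reachable from the landing page by following references (BFS)."""
    seen, queue = {entry}, deque([entry])
    while queue:
        current = queue.popleft()
        for _tag, target in graph.get(current, []):
            if target in graph and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def suspicious_script_loads(pack):
    """(referrer, target) pairs where a file is pulled in via <script src> although
    its extension is not a script extension (.css, .jpg, ...). Browsers ignore the
    extension, so this mismatch is a cheap triage signal for disguised scripts."""
    hits = []
    for name, refs in build_graph(pack).items():
        for tag, target in refs:
            ext = os.path.splitext(target)[1].lower()
            if tag == "script" and ext not in SCRIPT_EXTENSIONS:
                hits.append((name, target))
    return hits


def detection_rates(pack, roles, verdicts):
    """Per-engine (rate over the full pack, rate over exploit files only)."""
    exploits = {f for f, role in roles.items() if role == "exploit"}
    rates = {}
    for engine, detected in verdicts.items():
        full = len(detected & set(pack)) / len(pack)
        expl = len(detected & exploits) / len(exploits) if exploits else 0.0
        rates[engine] = (full, expl)
    return rates


if __name__ == "__main__":
    graph = build_graph(SAMPLE_PACK)
    print("chain from landing page:", sorted(reachable(graph, "cqq0.htm")))
    print("scripts with non-script extension:", suspicious_script_loads(SAMPLE_PACK))
    for engine, (full, expl) in detection_rates(SAMPLE_PACK, ROLES, VERDICTS).items():
        print(f"{engine}: full pack {full:.0%}, exploit files {expl:.0%}")
```

The point of the two rates is the one the article makes: an engine that detects only the redirectors scores well on the full pack while missing every exploit, and an engine that detects only the exploits looks weak on the full pack while still stopping the attack. The off.css decoy is part of the pack on disk but not reachable from the landing page, which is why the chain walk is worth doing before counting.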

  1. Andy
    August 13th, 2009 at 01:35 | #1

    Whoa, nice detection :) I just finished sending in a jpeg with a script in, hopefully you can add it to your deathlist.

    • August 13th, 2009 at 11:05 | #2

      Thank you. In fact, it does not matter what file extension is used – any file (containing script) will be loaded when it is targeted from a script tag.

  2. sokovincent
    August 15th, 2009 at 19:22 | #3

    I just discovered some strange files on my drive c:\ and these files are responsible for most viruses; these include patch.exe and other files with icons like multimedia files or help files with strange names which had a combination of numbers and letters. I tried to contact avast but my pc was slow in loading so I just had to forget.

  3. August 16th, 2009 at 11:21 | #4

    @sokovincent
    Welcome to the blog. This comments space is not a good area to discuss viral/trojan infection (it is usually long communication). Please go to http://forum.avast.com and ask our users community – there are very skilled guys who may help you. Or send email to support@avast.com (you will be contacted soon).

  4. August 17th, 2009 at 13:38 | #5

    A few comments based on what I’ve seen on Raymond.CC forums (they linked to this article):
    - the exploits detected here by avast! are real (verified) threats, they are not false positives
    - there’s a bit higher priority in detecting such exploits, because they can of course be used anywhere (not only in this complex bundle), but it is also good to detect the redirectors and similar stuff just to close all possible doors and provide complete protection, if possible
    - the results are related to this exploit pack (and its derivatives); no one says that these AV engines, which reached a very poor detection rate here, are poor at all (but as I wrote above – the exploits included here can be used very generically and when they are not detected by some AV, then you must hope that it will catch the payload).

  5. Matt Cox
    August 18th, 2009 at 03:03 | #6

    Good detection on exploits… but is Avast! the same on rogues?

    I saw yesterday a test made by Malware Research Group; avast! Professional Edition failed to block various rogues.

    Look at the test —> http://malwareresearchgroup.com/forum/viewtopic.php?f=20&t=80

    Is it true?

  6. August 18th, 2009 at 09:17 | #7

    @Matt Cox
    Mike from MRG wrote:

    “Other rogueware- which will perform the intended function, but are much less efficient than other real software. Sometimes these types are more dangerous because they will delete needed registry keys or remove false positives needed by your system. They are commonly found at many download sites and they usually keep their homepage updated with fake reviews to scam users. They are usually distributed by online ads and spam emails and can also be found in online search results.
    Most of their software including all files in the program folder (dll files) have digital signatures. These types of software have to be manually installed by the users, therefore are not considered to be malware by many security software vendors.”

    Not all of the missed “rogues” are critical. We know about a new variant of some rogue AV’s, which will be targeted by today’s VPS.

  7. August 18th, 2009 at 10:02 | #8

    @Matt Cox
    As Michal said – not all “rogues” are critical – my opinion is that there must be some misunderstanding. Half of the applications come from one! software producer (you may easily find it by searching on google). And the question is whether some application might be flagged as rogue because it’s “less efficient than other real software” (What is real software? Photoshop/gimp for example. Ok, then any other image/photo editor must be rogue because it is less efficient, isn’t it?).

    For sure you may find the “rogue software” definition on wiki – http://en.wikipedia.org/wiki/Rogue_software . Look at the section “Partial list of rogue security software” and compare that list with the list of applications used in the test. Why are most of these real “rogues” not included in the test?
