Tuesday, October 5, 2010

Phoenix Exploit Kit (2.4) - Infection Analysis


Phoenix exploit kit is one of the best Browser Exploit Pack (BEP) in the market nowadays. Looking at the pace of development, it seems like we are going to see plethora of advancements in this BEP. In this post , we are aiming to disclose some of the findings and reviews about the latest Phoenix BEP version 2.4. Primarily, we will be talking about the following metrics in detail to discuss the impact of this BEP.

1. Exploitation Success Rate (ESR).
2. Loader Infection Success Rate (LISR).

The most critical part of testing BEP's is to determine the success rate of loading a bot or executable once the target is exploited in real time environment. This metric is quite important because number of browser exploit packs suffer from huge loss in loading activity even after the exploitation. However, many times it has been noticed that most of the statistics provided by BEP's claiming the fact that infection rate based on ESR to be thousands of machines. But the installation rate is very less. Based on our analysis, we are raising a point on the effectiveness of BEP. If the exploitation rate is high it means the BEP has to be robust enough to perform the successful installs.

A generic experiment was conducted on some of the samples of Phoenix Exploit Kit 2.x - 2.4 in a controlled environment to detect the possible rates of infection. The output is presented as follows

[1] Browser Exploitation Rate (BER)
Microsoft Internet Explorer (IE6+IE7+IE8) - 25%
Firefox (All Versions) - 17% - 22%

[2] Operating Systems Exploitation Rate (OSER)
Windows XP : 25% - 30%
Windows Vista : 18% - 22%
Windows 7 : 5% - 8%

[3] Traffic Infection Rate (TIR)
Mixed Traffic Rate (Hard+Generic) = 70% - 80%

[4] Loader Infection Success Rate (LISR)
Loader Installation Rate after exploitation - 90%

This gives us an indication about the exploitation ratios of browsers and operating systems. Windows 7 shows less vulnerable because of the protection mechanisms developed in it. Phoenix BEP converts 70%-80% of traffic to be infected. As it has been discussed above, the loader installation loss is quite less as compared to other BEP's. We can consider the fact of firewalls and other possible scenarios where security mechanisms can reduce the loader installation rate to 10%-15%.However, considering the stats the rate is still high.

Note: The infection rate varies depending on the rate of traffic but the overall stats remain the same.

With the release of version 2.4 we will be encountering following exploits and codes

Added JAVA TC (privilege escalation) which works instead of JAVA DE-SERIALIZE and JAVA GSB exploits.It breaks JRE/JDK 1.5.0-1.5.0_23 and 1.6.0-1.6.0_18 on Win XP/VISTA/7.

Added QUICKTIME exploit for QUICKTIME PLAYER v. 7.6.6-7.6.7 on Win XP for IE 6/7/8.

Added PDF FONT exploit for ADOBE READER 9.3.1-9.3.4 on Win XP/VISTA/7. Vulnerability is not patched yet!

(Hitting Anti Viruses Hard) Random file-names of BEP structure.


(Stealth Technique) Link Encryption in JAVA exploit.


Phoenix 2.4 has shown good advancements. So overall this exploit pack is building really good codes to dismantle the web.