The Phoenix Exploit Kit is now available in version 2.5 in the cybercrime underground.
Exploit kits are but one of the various tools cybercriminals use for DIY Cybercrime. The Phoenix Exploit Kit is a good example of exploit packs used to exploit vulnerable software on the computers of unsuspecting Internet users. Often, cybercriminals drive traffic to the exploit kit by compromising legitimate sites and by inserting iframes that point to the exploit kit or by poisoning search engine results that take users to the exploit kit.
When users land on a page injected with the exploit kit, it detects the user’s Web browser and OS version, then attempts to exploit either the browser or a browser plug-in. The latest version of the Phoenix Exploit Kit currently has payloads for nine different system configurations:
- XPIE7: Internet Explorer 7 and either Windows XP, Windows XP SP2, or Windows 2003
- VISTAIE7: Internet Explorer 7 and Windows Vista
- XPIE8: Internet Explorer 8 and either Windows XP, Windows XP SP2, or Windows 2003
- VISTAIE8: Internet Explorer 8 and Windows Vista
- IE: Versions of Internet Explorer that are not IE7 or IE8
- WIN7IE: Internet Explorer and Windows 7
- XPOTHER: Browsers other than Internet Explorer on Windows XP, Windows XP SP2, or Windows 2003
- VISTAOTHER: Browsers other than Internet Explorer on Windows Vista
- WIN7OTHER: Browsers other than Internet Explorer on Windows 7
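To see which of these nine buckets the clients in a batch of proxy logs would have been sorted into, and so which of the targeted profiles are present on a network, the following added example reconstructs the bucketing from User-Agent strings. It is not the kit's own fingerprinting code (the post does not give its logic); the order of the checks, the Windows NT version mapping, and the sample User-Agents are assumptions.

```python
import re
from collections import Counter

# Windows NT kernel versions as they appear in the User-Agent string
# (NT 5.1 = XP, 5.2 = Server 2003, 6.0 = Vista, 6.1 = 7). XP SP2 cannot be
# told apart from XP by User-Agent alone, so both map to "XP".
NT_VERSIONS = {"5.1": "XP", "5.2": "2003", "6.0": "VISTA", "6.1": "WIN7"}
OTHER_BROWSER_BUCKET = {"XP": "XPOTHER", "2003": "XPOTHER",
                        "VISTA": "VISTAOTHER", "WIN7": "WIN7OTHER"}

def classify(user_agent):
    """Map a User-Agent to one of the nine Phoenix 2.5 configuration labels,
    or None when the client is outside all of them (e.g. non-Windows).
    The ordering of checks is an assumption, not the kit's own logic."""
    nt = re.search(r"Windows NT (\d\.\d)", user_agent)
    if not nt:
        return None
    os_family = NT_VERSIONS.get(nt.group(1))
    if os_family is None:
        return None
    ie = re.search(r"MSIE (\d+)", user_agent)
    if ie is None:
        return OTHER_BROWSER_BUCKET[os_family]   # non-IE: bucketed by OS only
    major = int(ie.group(1))
    if os_family == "WIN7":
        return "WIN7IE"                          # any IE on Windows 7
    if major not in (7, 8):
        return "IE"                              # IE6 and other versions
    if os_family == "VISTA":
        return f"VISTAIE{major}"
    return f"XPIE{major}"                        # XP, XP SP2 and 2003 share buckets

def bucket_counts(user_agents):
    """Tally which configuration buckets appear in a batch of User-Agents
    (for example, extracted from proxy logs) to prioritise patching."""
    return Counter(b for b in map(classify, user_agents) if b)

# Constructed sample User-Agent strings, not taken from real logs
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(f"{classify(ua)!s:12} {ua}")
    print(bucket_counts(SAMPLE_UAS))
```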
Once users are directed to a payload page, the kit attempts to exploit vulnerabilities in versions of Adobe Acrobat Reader, Adobe Flash Player, Internet Explorer, and Java.
Java has become the leading exploit vector for a variety of exploit packs. In fact, Phoenix Exploit Kit 2.5 has been updated to include three additional Java exploits, namely:
- JAVA RMI
- JAVA MIDI
- JAVA SKYLINE
The administration panel of Phoenix Exploit Kit 2.5 contains an option to switch modes, which changes the Java exploit delivered to users. It allows the administrator to choose from among TC (CVE-2010-0840), RMI, or MIDI. This indicates that exploits for Java have become very attractive to malware distributors.
By targeting a wide variety of configurations, Phoenix Exploit Kit 2.5 attempts to maximize its ability to compromise Internet users. If the first exploit fails, it targets another vulnerable application on the user’s computer. As such, users are advised to always ensure that the applications installed on their computers are kept up-to-date so they can avoid possible exploit attacks.