Here is an older version.  ALL the credit for this goes to the awesome guys at who seem to have no reservation about showing to the world the innovations and backends of these infrastructures of evil.

All of their reports can be found on their section on their website.

I will be attempt to add my spin to research and look for new angles,  Much of this will be reference material for building on further research.  Additionally the goal will be to capture as much code as possible and hosting it here Offensive Computing Style to further research and awareness.

This pack is called Multi Exploits Pack Version 3.1

NOTE:  Early on in order to avoid analysis, sophisticated IP access monitoring is being done to ensure that clients cannot connect to these sites multiple times.  Sounds like a good opportunity to identify any configuration settings that all unfettered access to IPs for adminstration.  If they are stupid enough to put something like that in there, its a good way to conduct attribution.


Here is the annoying thing.

Note the original posting in a forum to sell this puppy.  Malware authors need to be contacted somehow to sell their stuff.  NOTICE THE ICQ ID that for some reason was blurred by the Finjin report.




As you can see here there is a Targetable Identifier.  The ICQ number.  THANKS FINJIN for bluring it.  This information is useful to the community.  Maybe even possible Mob effects can take over for a little bit of Internet Justice.

This is a perfect target to identify the actors and Attribute them.  Law Enforcement should be beating down ICQ operators doors to get a real world Identity on these people, and force them to roll on their clients, better yet pay them to SNITCH or setup a STING.

Or just publish in underground channels that the Individual is now working for law enforcement.  Next thing you know this devious little reputation poisoning attack leads to a dead Russian programmer who turns up in an alley.

Eventually we will need to up the cost to these guys for doing the things they do.  Currently there is almost no risk to their operations.  We need to change that.  How,  by changing tactics…. and being ruthless.

Unique Pack –



NOTE: the possible author of the pack. 

Indication of author is not tantamount to owner of pack or operator of pack.

Most of these things are coded collaboratively from many authors and geographic locations.

For perspective this would be a true realization of the distruptive nature of open source software.

The only real intelligence value of these things are:

What unique identifiers are in the kits that could allow for detection.  See GOOGLE hacking.

["unique sheaf sploits" "Vparivatel" "All Vpars" "Totals/Loads"]

What language is used, can the implementation be exploited.

How can you pwn the server to monitor usage? Exploitable??

Are the operators stupid enough to connect directly or do they come in via proxied connections such as Tor?

WHERE is the DROP SITE?  Can we Trojan the drop site with a payload to track the movement of its data?

Can we poison Pill the data (via Cryptographic attack or assured destruction Secure delete) or the systems that use the data?

So one may ask your self, well anyone can host a page that has exploits.  But how do they manage the sheer scale and scope of the attacks we are seeing today.  The answer is through sophisticated Traffic Redirectors.

Here is an example of one.  It is called .  It provides for sophisticated reporting and statistics.  It basically monitors the traffic that is redirected based on a malicious IFrame placed on a compromised site.  The IFrame will then redirect to a exploit page.




Geographic origin of code

Language coded in: CGI possibly PERL

Black Market price range

Forums its marketed on: (Forums/IRC?)

Who the authors are?

Exploitable? TBD

Google identifier search strings.

Code derived from? Progeny.

How long its been in existence?

Number of Versions.

Apparently there are many many of these Traffic Redirector services and even for this traffic. 


I wanted to demonstrate the level of sophistication that is running the back end Command and Control servers for many of these web based usually p2p botnets.  Included are support contracts, fees for advanced services, reporting and sometimes the occasional backdoor! Duh.

As currently shown by the the following pack is now very popular..

, currently by many analysts to be at the head of the pack in terms of obfuscation and features.

The pack includes dynamically generated runtime creation of obfuscated Javascript in order to establish an encrypted communication session with the browser via asymmetric encryption.  The browser then sends its critical info such as user agent type, active x controls, plugins, and platform information.

Based on this exchange of information, the pack sends a crafted exploit JUST FOR THE VICTIM.  whee. How special.


Here is the admin page.



Get every new post delivered to your Inbox.