The Fragus Exploit Kit


Posted by: Barracuda Labs

Recently, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious URLs backed by what was found to be Fragus, a new exploit kit that appeared in late July 2009. An example of a Fragus URL and a screenshot of its admin control panel login page are shown directly below.

[Screenshot: Fragus Admin Control Panel Login]

As with most modern exploit kits, Fragus serves not one exploit but a grab bag of them, attacking the browser, ActiveX controls, and third-party plugins. Deobfuscating the JavaScript served from the above URL revealed the following function names (bodies omitted), each of which attempts to exploit one or more vulnerabilities:

directshow(): Performs heap spraying, then serves hxxp://, which targets the Microsoft Video (DirectShow) ActiveX control vulnerability (a.k.a., MS09-032).

pdf(): Serves hxxp://, which targets Acrobat Reader vulnerabilities in util.printf, Collab.getIcon, and Collab.collectEmailInfo (a.k.a., CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively).

flash(): Serves hxxp://, which targets the Adobe Flash Player integer overflow vulnerability (a.k.a., CVE-2007-0071).

aolwinamp(): Performs heap spraying, then attempts to exploit the AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability (a.k.a., CVE-2007-6250).

snapshot(): Targets the Microsoft Access Snapshot Viewer ActiveX control vulnerability (a.k.a., MS08-041) in an attempt to have hxxp:// executed.

spreadsheet(): Performs heap spraying, then attempts to exploit the Microsoft Office Web Components ActiveX control vulnerability (a.k.a., MS09-043).

ms09002(): Performs heap spraying, then attempts to exploit the Microsoft Internet Explorer 7 memory corruption vulnerability (a.k.a., MS09-002).

This set of exploits prompts two observations about the continuing evolution of the web threat landscape. First, since Fragus targets vulnerabilities in at least seven different software components, asking whether one vulnerability is more or less exploited than another no longer matches how vulnerabilities are actually used. Modern exploit kits target any and all vulnerabilities with a reasonable chance of compromising a system, and unfortunately a single vulnerable, out-of-date software component is all that such a compromise requires. Second, since one of the above vulnerabilities (MS09-043) is less than a month old, the time between the discovery of a vulnerability and its widespread criminal use is shrinking. The creators of malware infrastructure now rapidly integrate recently discovered vulnerabilities into do-it-yourself exploit kits, and security companies must respond ever more quickly.
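The function list above and the "one stale component is enough" observation can both be turned into simple defender-side checks. The following is an added example, not Barracuda Labs or Purewire code: it maps the Fragus function names from this post to the vulnerability identifiers they target, flags a deobfuscated script that defines several of those functions, and computes which of the kit's exploits would still have an unpatched target on a host with a given patch state. The identifiers and component names are the ones listed above; the sample script is constructed for the example.

```python
"""Added example, not Barracuda Labs / Purewire code.

Two small checks built from the Fragus function list in the post:
  * find_fragus_functions / score_script: flag a deobfuscated script that
    defines several of the kit's exploit functions by name.
  * exposed_exploits: given what a host has patched (and which targeted
    components it has installed), list the kit's exploits that would still
    have an unpatched target.  This models the post's point that a single
    out-of-date component is enough for compromise.
Identifiers come from the post; the sample script below is constructed.
"""
import re

# Fragus function name -> vulnerability identifiers it targets (from the post).
FRAGUS_FUNCTIONS = {
    "directshow": {"MS09-032"},
    "pdf": {"CVE-2008-2992", "CVE-2009-0927", "CVE-2007-5659"},
    "flash": {"CVE-2007-0071"},
    "aolwinamp": {"CVE-2007-6250"},
    "snapshot": {"MS08-041"},
    "spreadsheet": {"MS09-043"},
    "ms09002": {"MS09-002"},
}

# Fragus function name -> the software component it attacks (from the post).
COMPONENTS = {
    "directshow": "Microsoft Video (DirectShow) ActiveX control",
    "pdf": "Adobe Acrobat Reader",
    "flash": "Adobe Flash Player",
    "aolwinamp": "AOL Radio AmpX ActiveX control",
    "snapshot": "Microsoft Access Snapshot Viewer ActiveX control",
    "spreadsheet": "Microsoft Office Web Components ActiveX control",
    "ms09002": "Microsoft Internet Explorer 7",
}


def find_fragus_functions(script):
    """Return the set of Fragus exploit-function names *defined* in a deobfuscated script."""
    found = set()
    for name in FRAGUS_FUNCTIONS:
        # Match a function definition, not just any occurrence of the word.
        if re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", script):
            found.add(name)
    return found


def score_script(script, threshold=3):
    """Summarise a script: which kit functions it defines, which vulnerabilities
    those functions target, and whether enough of them are present to call it a
    Fragus match (a single generic name like pdf() is not evidence on its own)."""
    found = find_fragus_functions(script)
    targets = set().union(*(FRAGUS_FUNCTIONS[f] for f in found))
    return {
        "functions": sorted(found),
        "targets": sorted(targets),
        "match": len(found) >= threshold,
    }


def exposed_exploits(patched, installed=None):
    """Map each Fragus function that still has an unpatched target on this host
    to the sorted list of its unpatched identifiers.

    patched:   identifiers (MS bulletins / CVEs) the host has fixed.
    installed: Fragus function names whose target component is present on the
               host; None means every targeted component is installed.
    A function is exposed if *any* one of its targets is unpatched, which is
    exactly why one stale component is sufficient for compromise.
    """
    patched = set(patched)
    present = set(FRAGUS_FUNCTIONS) if installed is None else set(FRAGUS_FUNCTIONS) & set(installed)
    exposed = {}
    for name in present:
        unpatched = FRAGUS_FUNCTIONS[name] - patched
        if unpatched:
            exposed[name] = sorted(unpatched)
    return exposed


# Constructed sample: a deobfuscated kit page reduced to its function skeleton.
SAMPLE_SCRIPT = """
function directshow() { /* spray, then load the DirectShow page */ }
function pdf() { /* load the PDF */ }
function snapshot() { /* Snapshot Viewer */ }
function spreadsheet() { /* Office Web Components */ }
function start() { directshow(); pdf(); snapshot(); spreadsheet(); }
"""

if __name__ == "__main__":
    report = score_script(SAMPLE_SCRIPT)
    print("kit functions:", report["functions"])
    print("targets:", report["targets"])
    print("Fragus match:", report["match"])
    # A host that applied every Microsoft bulletin above but never updated its plugins.
    ms_only = {"MS09-032", "MS09-002", "MS08-041", "MS09-043"}
    for name, ids in sorted(exposed_exploits(ms_only).items()):
        print(f"still exposed via {name}() -> {COMPONENTS[name]}: {ids}")
```

The `threshold` in `score_script` exists because names such as `pdf` or `flash` are common in benign pages; a kit is recognisable by the cluster of exploit functions, not by any one of them. `exposed_exploits` reports per function rather than per vulnerability to mirror how the kit is structured: the host running only Microsoft patches in the example is still fully exposed through the three plugin exploits.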

Users of the PWSS are protected from this threat.
