Dec 29, 2010 18:18 GMT  ·  By

New versions of the Phoenix drive-by download kit employ special obfuscation and name randomization techniques in order to protect its installations from analysis by security researchers.

Along with Eleonore, Phoenix is one of the most popular exploit kits used by cyber criminals to silently infect users with malware over the Web.

These attacks, known as drive-by downloads, are usually launched from legitimate websites that have been compromised and injected with rogue code.

The code's purpose is to load the exploit pack landing page from a remote server. This contains scripts which determine the visitor's operating system and browser, as well as the installed version of popular applications like Adobe Reader, Flash Player or Java.

These checks are needed in order to select and serve the exploit that has the best chance of success against the user's particular configuration.

"Like many exploit kits, this one is PHP-based but unlike most kits, the installer is actually obfuscated," writes Chris Astacio, a security analyst at Websense.

"This is probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no 'readme.txt' file included," he adds.

However, in addition to the obfuscated installer, which is by no means impossible to reverse-engineer, the new Phoenix versions randomize the names of the generated pages.

These are the files uploaded by attackers to their servers and used for the toolkit's multiple functions, including displaying attack statistics.

Generating unique file names certainly makes it harder for researchers to try and hack into new Phoenix instances, especially if all they have is the original install script.

"We can see that the developers of Phoenix Exploit's Kit are working on not only protecting their exploit code from being recognized, but also their installations," Mr. Astacio concludes.