Softpedia
June 6th, 2011, 17:22 GMT · By

Phoenix Exploit Kit Lives On Despite Source Code Leak

Image caption: Phoenix Exploit's Kit updated to version 2.7
Development of the Phoenix Exploit Kit continues despite the source code of the crimeware pack being leaked online a few weeks ago.

Back in April, the source code of Phoenix Exploit Kit 2.5 appeared online, prompting questions about the future of this dangerous cyber criminal tool.

Although not completely functional, as it required activation before being used, the leaked package did give competitors access to the bundled exploits.

According to security researchers from M86 Security, this doesn't seem to have bothered the kit's developers much as the crimeware was just updated to version 2.7.

"The changes between the two versions are minor, but still very important as most exploits become inefficient in the very short term, especially with the latest IE vulnerabilities," the researchers note.

The new version adds a Java exploit for the JRE trusted method chaining remote code execution vulnerability (CVE-2010-0840), and exploits that were no longer reliable have been dropped.

The kit still carries no fewer than five PDF exploits for Adobe Reader vulnerabilities, four of them triggered through Reader's JavaScript API: Collab.collectEmailInfo (CVE-2007-5659), util.printf (CVE-2008-2992), Collab.getIcon (CVE-2009-0927) and doc.media.newPlayer (CVE-2009-4324); the fifth is the LibTIFF integer overflow (CVE-2010-0188), which is reached through a malformed TIFF image rather than a script call.
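Because four of these Reader exploits are reached through named JavaScript API calls, the first triage check on a suspect PDF is simply whether those names are present; the catch is that kit-generated documents keep the script inside a /FlateDecode stream, so a raw grep of the file sees nothing until the stream is inflated. The Python below is an added example, not code from the article or from M86 Security: it inflates each FlateDecode stream and reports which of the listed API names appear. The sample PDF it builds is constructed here for the demonstration (a harmless util.printf call, not an exploit document), and the helper names are hypothetical.

```python
import re
import zlib

# Reader JavaScript API names the article lists as the kit's PDF triggers,
# keyed lowercase so the match ignores the casing of Collab/collab etc.
PDF_JS_INDICATORS = {
    b"collab.collectemailinfo": "CVE-2007-5659",
    b"util.printf": "CVE-2008-2992",
    b"collab.geticon": "CVE-2009-0927",
    b"media.newplayer": "CVE-2009-4324",
}
# The fifth exploit, CVE-2010-0188, is a malformed TIFF image rather than a
# JavaScript call, so an API-name check cannot catch it.

# Everything between a 'stream' keyword and the next 'endstream'.
# The lookbehind stops the search from restarting inside 'endstream'.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def extract_streams(pdf: bytes):
    """Yield each stream body, inflated when its object dictionary says /FlateDecode."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        # The object dictionary sits between the last 'obj' keyword and 'stream'.
        head = pdf[max(0, m.start() - 512):m.start()]
        idx = head.rfind(b" obj")
        if idx >= 0:
            head = head[idx:]
        if b"/FlateDecode" in head:
            try:
                # decompressobj tolerates the trailing newline before 'endstream'.
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # corrupt or non-zlib data: scan the raw bytes instead
        yield body


def scan_pdf(pdf: bytes) -> dict:
    """Return {CVE: indicator} for every listed API name found in the file or its streams."""
    findings = {}
    for blob in [pdf, *extract_streams(pdf)]:
        low = blob.lower()
        for needle, cve in PDF_JS_INDICATORS.items():
            if needle in low:
                findings[cve] = needle.decode()
    return findings


def make_sample_pdf(js: bytes) -> bytes:
    """Constructed sample: a minimal PDF whose OpenAction runs `js` out of a
    Flate-compressed stream. Layout only; not a real exploit document."""
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    suspect = make_sample_pdf(b'app.alert(util.printf("%d", 42));')
    benign = make_sample_pdf(b'app.alert("hello");')
    print("raw grep hits:", b"util.printf" in suspect)   # False: the call is inside the stream
    print("suspect:", scan_pdf(suspect))                  # {'CVE-2008-2992': 'util.printf'}
    print("benign:", scan_pdf(benign))                    # {}
```

This is a triage heuristic, not a signature: kit authors routinely split the method names across string concatenations, unescape() blobs or eval() wrappers, and a PDF can also chain filters (for example ASCIIHexDecode before FlateDecode), both of which defeat a plain substring match. Treat a hit as a reason to pull the document into a sandbox, and treat a miss as no evidence either way.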

Adobe's Flash Player is also targeted via exploits for two integer overflow vulnerabilities, one in the AVM2 abcFile parser (CVE-2009-1869) and one in the DefineSceneAndFrameLabelData tag parser, where a negative scene count passes a signed check (CVE-2007-0071).

The Windows Help and Support Center (hcp://) protocol handler vulnerability (CVE-2010-1885) remains a favorite of drive-by download toolkits, and Phoenix is no exception.

Finally, the kit also targets two Internet Explorer flaws, the IEPeers (iepeers.dll) remote code execution bug (CVE-2010-0806) and the recursive CSS @import use-after-free (CVE-2010-3971).

Drive-by download attacks are one of the most common methods of distributing malware today. They are effective because the infection is invisible to the victim: visiting a compromised or malicious page is enough for the kit to fingerprint the browser and its plugins and serve whichever of the exploits above matches an unpatched component. The Phoenix Exploit Kit remains one of the most popular drive-by download packs in use by cyber criminals.

Copyright © 2001-2012 Softpedia.