2012-10-18 - Evolution

Stamp EK (aka SofosFO) now showing "Blackhole 2.0 Like" landing pages

<edit4 2013-09-09> This Exploit Kit is GrandSoft: Read more</edit4>
A short, quick post to answer some questions I got after my tweet about this:

<edit1 28/10/12> I have been told by Paul that the browser exploit pack I am referring to here is not NeoSploit. As I have no name to put on it, I will arbitrarily use: Stamp EK (Edit2: I have been informed that Emerging Threats is calling it SofosFO, cf. link and credits at the end). If anyone uses another name for it, please contact me.

I mainly based my naming on: http://urlquery.net/report.php?id=198525
(URLQuery report on this Stamp EK; false positive for NeoSploit)

</edit1>
Stamp EK (previously labelled NeoSploit) landings before:

[Image: Stamp EK Landings Before]

(almost nothing to see in these wepawet links)
http://wepawet.iseclab.org/view.php?hash=44beb1c3517679fec5157bf174b4e6b8&type=js
http://wepawet.iseclab.org/view.php?hash=6fcf397047639cced72c257c866b1f35&type=js
http://wepawet.iseclab.org/view.php?hash=02a91cc362f6b1f10b22ffe63d08b49a&type=js


Now:

[Image: Stamp EK Landings Now - "BH EK2.0 Like"]

Plugin detection, dictionary words separated by - and _
Note: as you can see, I got both .htm and .php landings.

(not that much to see in these wepawet links)
http://wepawet.iseclab.org/view.php?hash=7fd1cd73934b179abc97de80afca51d5&type=js
http://wepawet.iseclab.org/view.php?hash=28391ab9e9e281ebeb2316f1428eb8eb&type=js
http://wepawet.iseclab.org/view.php?hash=253137b7ba90eb0425b026c9893d79b8&type=js

For those who want them, Fiddler sessions are here:
http://goo.gl/5sEpY (Mega)

If you have information on what I called Stamp EK... please contact me.
<edit2 01/11/12>
Chris Wakelin told me that at Emerging Threats they call it SofosFO, and told me why.
Read:
Sophos sucks? Being insulted by malware authors can be the best reward - Fraser Howard - 2012-08-24 - Naked Security (Sophos)
</edit2>


<edit4 2013-03-12>
SofosFO seems to be a good name (even if we sometimes see onecareFO or others):

"Dear Sofos, xyle tebe nado? Ya ne ponimayu. Otebis please ot nas! ThankYou"
[Image: SofosFO/Stamp EK landing 2013-03-11]
</edit4>

Want to read about NeoSploit? (I will leave the links here, but NeoSploit/Fiesta is NOT SofosFO/Stamp EK.)
<edit3 24/02/13> Note: NeoSploit is in fact Fiesta.
[Image: NeoSploit = Fiesta]
Credits: Kahu Security / Fox-it.com
</edit3>

NeoSploit serving two exploits - Paul - 2012-09-11 - Demon117 Security
Neosploit Gets Java 0-Day - Darryl - 2012-09-01 - Kahu Security
Neosploit is Back! - Darryl - 2011-11-26 - Kahu Security
NeoSploit is not dead - Paul - 2012-09-12 - Demon117 Security
Shedding Light on the NeoSploit Exploit Kit - Daniel Chechik - 2011-01 - M86 Security Labs
Some Notes about NeoSploit - 2010-06-04 - FireEye

Post Publication Reading:
Finally, here is.... GrandSoft - 2013-09-09
Ransomware Spam Pages on Github, Sourceforge, Others - Chris Boyd - 2013-02-07 - GFI