A short/fast post to answer some questions I got after my tweet about that :
<edit1 28/10/12> Have been told by Paul that the browser exploit pack i am referring here is not Neosploit. As I have no name to put on that, I will use arbitrarily : Stamp EK (Edit2: have been informed that Emerging Threats is calling it : SofosFO, cf link and credits at the end ) . If anyone use another name for that, please contact me.
I mainly based my naming on : http://urlquery.net/report.php?id=198525
|URLQuery report on this Stamp EK. False positive for NeoSploit|
|Stamp EK Landings Before|
(almost nothing to see in these wepawet links)
|Stamp EK Landings Now - "BH EK2.0 Like"|
Plugin detect, dictionnary words separated by - and _
Note: as you see I got .htm and .php landings.
(not that much to see in these wepawet links)
For those who wants, Fiddler sessions here :
If you have information on what I called Stamp EK...please contact me.
Chris Wakelin told me that they name it : SofosFO at Emerging Threats and told me why.
Sophos sucks? Being insulted by malware authors can be the best reward - Fraser Howard - 2012-08-24 - Naked Security (Sophos)
SofosFO seems to be a good name (even if we sometimes see some : onecareFO or others) :
"Dear Sofos, xyle tebe nado? Ya ne ponimayu. Otebis please ot nas! ThankYou"
|SofosFO/Stamp EK landing 2013-03-11|
Want to read about NeoSploit ? (will leave links here but NeoSploit/Fiesta is NOT SofosFO/StampEK)
<edit3 24/02/13> Note : NeoSploit is in fact Fiesta.
|NeoSploit = Fiesta|
Credits : Kahu Security/Fox-it.com
NeoSploit serving two exploits - Paul - 2012-09-11 - Demon117 Security
Neosploit Gets Java 0-Day - Darryl - 2012-09-01 - Kahu Security
Neosploit is Back! - Darryl - 2011-11-26 - Kahu Security
NeoSploit is not dead - Paul - 2012-09-12 - Demon117 Security
Shedding Light on the NeoSploit Exploit Kit - Daniel Chechik - 2011-01- M86 Security Labs
Some Notes about NeoSploit - 2010-06-04 - Fireeye
Post Publication Reading :
Finally, here is.... GrandSoft - 2013-09-09
Ransomware Spam Pages on Github, Sourceforge, Others - Chris Boyd - 2013-02-07 - GFI