2012-10-18 - Evolution

Stamp EK (aka SofosFO) now showing "Blackhole 2.0 Like" landing pages

<edit4 2013-09-09> This Exploit Kit is GrandSoft : Read more</edit4>
A short/fast post to answer some questions I got after my tweet about that :

<edit1 28/10/12> Have been told by Paul that the browser exploit pack I am referring to here is not Neosploit. As I have no name to put on that, I will arbitrarily use : Stamp EK (Edit2: have been informed that Emerging Threats is calling it : SofosFO, cf. link and credits at the end). If anyone uses another name for that, please contact me.

I mainly based my naming on : http://urlquery.net/report.php?id=198525
URLQuery report on this Stamp EK. False positive for NeoSploit

NeoSploit Stamp EK landings before :

Stamp EK Landings Before

(almost nothing to see in these wepawet links)

Now :
Stamp EK Landings Now - "BH EK2.0 Like"

Plugin detect, dictionary words separated by - and _
Note: as you can see, I got .htm and .php landings.

(not that much to see in these wepawet links)

For those who want them, Fiddler sessions are here :
http://goo.gl/5sEpY (Mega)

If you have information on what I called Stamp EK...please contact me.
<edit2 01/11/12>
Chris Wakelin told me that they name it : SofosFO at Emerging Threats and told me why.
Sophos sucks? Being insulted by malware authors can be the best reward - Fraser Howard - 2012-08-24 - Naked Security (Sophos)

<edit4 2013-03-12>
SofosFO seems to be a good name (even if we sometimes see some : onecareFO or others) :

"Dear Sofos, xyle tebe nado? Ya ne ponimayu. Otebis please ot nas! ThankYou"
SofosFO/Stamp EK landing 2013-03-11

Want to read about NeoSploit ? (will leave links here but NeoSploit/Fiesta is NOT SofosFO/StampEK)
<edit3 24/02/13> Note : NeoSploit is in fact Fiesta.
NeoSploit = Fiesta
Credits : Kahu Security/Fox-it.com

NeoSploit serving two exploits - Paul - 2012-09-11 - Demon117 Security
Neosploit Gets Java 0-Day - Darryl - 2012-09-01 - Kahu Security
Neosploit is Back! - Darryl - 2011-11-26 - Kahu Security
NeoSploit is not dead  - Paul - 2012-09-12 - Demon117 Security
Shedding Light on the NeoSploit Exploit Kit - Daniel Chechik - 2011-01- M86 Security Labs
Some Notes about NeoSploit - 2010-06-04 - Fireeye

Post Publication Reading :
Finally, here is.... GrandSoft - 2013-09-09
Ransomware Spam Pages on Github, Sourceforge, Others - Chris Boyd - 2013-02-07 - GFI