Behind the nickname "Angelolog" hides its author. A striking nickname, since semantically it refers to "a branch of theology that deals with the study of angels". A rather obvious contradiction.
Домен: ANGELOLOG-HIERARCHY.RU
Владелец: Private Person
DNS-сервер: ns1.luckhost.kz.
DNS-сервер: ns2.luckhost.kz.
Телефон: +380933900884
E-mail: angelolog@mail.ru
Состояние: REGISTERED, DELEGATED, VERIFIED
Регистратор: REGRU-REG-RIPN
Создан: 2011.03.01
Оплачен до: 2012.03.01
Its structure is similar:
Hierarchy Exploit Pack contains the following exploits:
Office OCX – OpenWebFile Office OCX OpenWebFile arbitrary program execution (BID-33243)
MDAC – Arbitrary file download via the Microsoft Data Access Components (MDAC) (CVE-2006-0003)
AppStream LaunchObj – Symantec AppStream LaunchObj ActiveX control vulnerable to arbitrary code download and execution (CVE-2008-4388)
Hummingbird PerformUpdateAsync – Hummingbird Deployment Wizard ActiveX Control Insecure Methods (PerformUpdateAsync) (CVE-2008-4728)
Peachtree ExecutePreferredApplication – Peachtree insecure ExecutePreferredApplication method allows the execution of arbitrary programs (CVE-2008-4699)
C6 propDownloadUrl – C6 Messenger insecure method propDownloadUrl allows the execution of arbitrary programs (CVE-2008-2551)
Adobe getIcon – Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object (CVE-2009-0927)
Adobe Libtiff – Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188)
HPC URL – Help Center URL Validation Vulnerability (CVE-2010-1885)
IE iepeers.dll – Internet Explorer iepeers.dll use-after-free (CVE-2010-0806)
Sun Java Runtime RMIConnectionImpl – Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094)
Sun Java Runtime Environment MixerSequencer – Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842)
AFP Server Mac OS X v10.6.5 – Remote attacker can cause the AFP Server to unexpectedly shut down (CVE-2010-1297)
Sun Java Web Start BasicServiceImpl – Remote Code Execution Vulnerability (CVE-2010-3563)
Adobe Flash Player 10.2.153.1 – SWF Memory Corruption Vulnerability (CVE-2011-0611)
Oracle Java SE – Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544)
It also incorporates the following malware:
payload.ser [F6795195968795C535EF6932A843E969] – 16/42
Exploit$1.class [625B6B915327D352E437B34D85FB67E2] – 1/44
Exploit$1.class [DD49FADD9372CBDEF709BB9F0B1105C7] – 2/43
Link.class [3013C223A80371BCA0798E1C21683305] – 11/44
Exploit.class [77E8E1CFCC6F0894015D8CA271BBBEF5] – 12/43
BasicServiceExploit.class [A63C9DB17FE7F60370B4FFD659B61B36] – 3/43
Exploit$1$1.class [21F2312A9D50F72810E242F72E751243] – 1/43
swf.swf [6EFD1CE8DC61C68BAD3B85A949709DD2] – 24/43
Exploit$.class [452CD049CE83E72F5C642F7457F4AA93] – 2/43
Gallery_Viewer.class [03497E41A5A5A6A6F92E2950AA087C06] – 8/44
Exploit.class [334EC1071B85D52A3DA4223ED7DC6D74] – 4/43
PayloadClassLoader.class [8563342ADD46F7EADC8745BB10267B2A] – 14/43
Gallery_Viewer.jar [1C73218F0CAF238400EB86E635862279] – 13/43
Gallery_Viewer.jar [2C4DF43924D237B56DB4096E6AF524B1] – 13/43
1.txt [CF7A4C337F3DA524350AC794B589F804] – 8/43
pdf.pdf [60CADBD724A6BF0527B5E731492D8A0F] – 16/43
Exploit.jar [69767793D644D6060A060133A6014CB9] – 21/42
1.exe [8321D8B973CE649252DF9C560B875647] – 9/43
Payload.class [EEB9BA7FB4F752E1249E696B638D4732] – 13/43
Exploit.jar [19A512A3CCBA3FCDEAA5262E82F0DECE] – 26/43
pdf5.pdf [2AD31CABE2527C5F94B2C351F6529F17] – 9/43
pdf4.pdf [48C583A82A004EC1B17688215E173EFB] – 11/43
swf.swf [4666A447105B483533B2BBD0AB316480] – 19/43
bot.exe [7AB9E8AC261D2A49D87EF304ADE03BA3] – 26/43
On the other hand, the detection rate in almost all cases averages less than 50%, which is a critical aspect for any information system. Thus, even though this is a crimeware pack with little presence in the criminal environment, little creativity, and no particularly effective exploitation rate for the offender, it remains a latent threat. Especially when experience shows that old exploits such as MDAC, described in CVE-2006-0003, still have a strong impact nearly six years after the bug they exploited was fixed.
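As an added illustration that is not part of the original post, the following Python parses the listing format used above ("name [MD5] – detections/engines"), tolerating the mixed en dash and hyphen, and computes the detection coverage the paragraph refers to; the embedded sample is a constructed subset of the page's own entries, and the 50% threshold is the one the paragraph uses.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample: a subset of the page's entries, copied as they appear
# (filename, MD5 in brackets, then a "detections/engines" ratio).
SAMPLE_LISTING = """\
payload.ser [F6795195968795C535EF6932A843E969] – 16/42
Exploit$1.class [625B6B915327D352E437B34D85FB67E2] – 1/44
swf.swf [6EFD1CE8DC61C68BAD3B85A949709DD2] – 24/43
Payload.class [EEB9BA7FB4F752E1249E696B638D4732] - 13/43
bot.exe [7AB9E8AC261D2A49D87EF304ADE03BA3] – 26/43
"""

# The listing mixes an en dash and a plain hyphen; accept both separators.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\[(?P<md5>[0-9A-Fa-f]{32})\]\s+[–-]\s+(?P<hits>\d+)/(?P<engines>\d+)$"
)

@dataclass(frozen=True)
class Sample:
    name: str
    md5: str          # normalised to lowercase so lookups are case-insensitive
    hits: int
    engines: int

    @property
    def ratio(self) -> float:
        return self.hits / self.engines

def parse_listing(text: str) -> list[Sample]:
    """Parse 'name [MD5] – hits/engines' lines; malformed lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["engines"]) == 0:
            continue
        samples.append(Sample(m["name"], m["md5"].lower(), int(m["hits"]), int(m["engines"])))
    return samples

def coverage_summary(samples: list[Sample], threshold: float = 0.5) -> dict:
    """Mean detection ratio plus the samples below the threshold, weakest first."""
    ratios = [s.ratio for s in samples]
    weak = sorted((s for s in samples if s.ratio < threshold), key=lambda s: s.ratio)
    return {
        "count": len(samples),
        "mean_ratio": statistics.fmean(ratios) if ratios else 0.0,
        "below_threshold": [s.name for s in weak],
    }
```

Running `coverage_summary(parse_listing(SAMPLE_LISTING))` on the embedded subset gives a mean detection ratio of about 37%, with three of the five files below the 50% line.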