Sunday, July 31, 2011

"NeoSploit" Research

I'm working on finding more about NeoSploit in past research from various sources and seeing how it correlates to what I've found and other more advanced researchers have found.

Major sources for research from the past have been:

FireEye - http://blog.fireeye.com/research/2010/06/neosploit_notes.html
M86 - http://labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit/
RSA - http://blogs.rsa.com/rsafarl/the-end-of-neosploit/

It looks like NeoSploit was pronounced dead, and from the original versions there seems to be some activity on the web still. I've read a bit about it (not a source of knowledge by any means) from the sites (not just the links) above.

Sources for my current research:

Zscaler -
It appears that one of the Security Researchers for Zscaler, in their India office, has been interacting with this pack.

Emerging Threats -
ET has had a signature to catch the URI query activity since late June. SID 2013094 has been revised a few times to catch this. Thanks for sharing what you guys have seen and helping others to catch this stuff.

I will be sending out a request on Twitter to try to collaborate more on this using the SID as a linker, as well as requesting collaboration directly from the contributors on the ET list.

A possible clue/key to better correlation on what is going on with the pack: I've been working on this blog for a few weeks and trying to find patterns in these interactions. Something struck me as very interesting when I checked the stats page of the blog and saw that a Google search for the keyword "ea0gux4t" showed up.

I actually stumbled on this when I started the blog but didn't pay enough attention to it. Now, looking back, I see that was an interesting way of getting matches and seeing what the responses send... I still don't have a way of looking at the requests.

The subdirectory is fixed-length and definitely seems to be a point of relation between various installs of the kit on domains.

I'm stuck right now, though: the majority of my notes/research is on a box that lost a NIC in the storm last week. I'll get that up and running again so I can get more information out here.

-Paul
@demon117