Thursday, October 31, 2013

Exploit kits, they sure do like to change ports

Since the arrest of Paunch (the author of the Blackhole and Cool exploit kits, whom I talked about in my last post), exploit kits have been jockeying for the number one spot. So I come with a status update of sorts: as of the writing of this blog post, Magnitude, aka Popads, seems to be winning.

This particular kit received a bunch of press recently since the php.net hack took place (read about some of it here), in which an embedded iframe was inserted onto php.net, pointing people to an instance of the Magnitude/Popads exploit kit.

Magnitude/Popads shares many characteristics with other exploit kits' patterns: how Blackhole at one time performed downloads, how Nuclear throws certain exploits, how HiMan delivers the IE vulnerability... but one thing that Magnitude does, and quite often, is switch the ports it runs on.

Over the past week, we've seen Magnitude/Popads run over ports:
56712
44440
51423
33300

(In case you want to search your outbound proxy or firewall logs).
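As an added example (not part of the original post), here is a small Python scanner that flags outbound requests to the ports listed above; it assumes a Squid-style access.log layout and runs over constructed sample lines rather than real traffic.

```python
import re
from collections import Counter

# Ports the post reports Magnitude/Popads running over during the past week.
MAGNITUDE_PORTS = {56712, 44440, 51423, 33300}

# Constructed sample lines (assumption: Squid access.log layout
# "timestamp elapsed client action/status bytes method url"); not real traffic.
SAMPLE_LOG = """\
1383177600.123    412 10.0.0.15 TCP_MISS/200 5120 GET http://198.51.100.7:56712/index.php
1383177601.456     33 10.0.0.15 TCP_MISS/200 1024 GET http://example.org/style.css
1383177602.789    950 10.0.0.22 TCP_MISS/200 20480 GET http://203.0.113.9:44440/a.jar
1383177603.000     10 10.0.0.22 TCP_MISS/200 300 GET https://example.net:443/
1383177604.500    120 10.0.0.31 TCP_MISS/200 7000 GET http://203.0.113.9:51423/
1383177605.000    200 10.0.0.31 TCP_TUNNEL/200 900 CONNECT 203.0.113.9:33300
"""

URL_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?')
CONNECT_RE = re.compile(r'^(?P<host>[^/:\s]+):(?P<port>\d+)$')  # CONNECT host:port


def parse_destination(url):
    """Return (host, port) for a proxy-log URL, applying scheme default ports."""
    m = URL_RE.match(url)
    if m:
        if m.group('port'):
            return m.group('host'), int(m.group('port'))
        return m.group('host'), (443 if m.group('scheme') == 'https' else 80)
    m = CONNECT_RE.match(url)  # CONNECT tunnels carry no scheme, just host:port
    if m:
        return m.group('host'), int(m.group('port'))
    return None, None


def find_suspect_connections(log_text, ports=MAGNITUDE_PORTS):
    """Return (client, host, port, url) for every request to one of the listed ports."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[2], fields[6]
        host, port = parse_destination(url)
        if port in ports:
            hits.append((client, host, port, url))
    return hits


def summarize(hits):
    """Count hits per destination host:port so the busiest endpoints surface first."""
    return Counter(f"{host}:{port}" for _, host, port, _ in hits)
```

A port-only match is a lead, not a verdict; confirm against the destination and the content fetched before acting on it.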

So, with that in mind, I give you this:

