The Fragus exploit pack showed up on our radar a few months ago and has steadily grown to become one of the most prevalent exploit packs Symantec sees in the wild today. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means for attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. The pack is presented as a nice GUI hosted on a Web server, and it generally lets the attacker choose which exploits to run. Once a visitor is exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.
The authors of Fragus stick to this formula, but in addition have employed a legitimate software protection tool known as ionCube PHP Encoder to protect their code. The additional features of ionCube PHP Encoder not only allow the Fragus authors to protect their code, but also to control its usage and protect their revenue stream from the pack. Because the pack sells for $800 USD, this is not small change. In the past, once an exploit kit was sold, the revenue stream dried up unless the author released some kind of update for the pack. Or, in the worst case, it would become publicly available on the Web for anyone to download for free. Some features of ionCube PHP Encoder that guard against this are:
• Restricting files to run on a particular combination of IP addresses and/or server names.
This means that when the authors of Fragus sell the exploit kit they can essentially hardwire it to run only on agreed IP addresses or domain names. If the buyer later wants to change the IP address or domain name that the Fragus kit is running on, they will have to go back to the authors or middlemen and obtain an updated copy of Fragus.
• Generating files to expire on a given date or after a certain time period.
This allows the authors of the Fragus exploit kit to essentially rent the kit out for a period of time. Once the expiration date on the file has passed, the Fragus exploit kit will no longer be usable, thereby forcing the user to purchase a new or updated copy of the Fragus exploit kit (if required).
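To make the two restrictions above concrete, here is an added illustration (not Fragus or ionCube code; ionCube's real licence format is proprietary) of how a server-bound, time-limited licence check behaves: a constructed licence header names the permitted server names, IPs/CIDR ranges and an expiry date, and a loader refuses to run the file anywhere else or after that date. The host names, addresses and dates are made up for the example.

```python
"""Model of the two ionCube-style licence restrictions described above.

Added illustration only: the header format, hosts, addresses and dates are
constructed for this example and are not ionCube's or the kit's own.
"""
import ipaddress
from datetime import date

# Constructed licence header: permitted server names, IPs/CIDRs, and expiry.
LICENCE_TEXT = """\
server-names: example-kit-host.test, www.example-kit-host.test
server-ips: 192.0.2.10, 198.51.100.0/24
expires: 2009-10-31
"""


def parse_licence(text):
    """Parse the constructed header into a dict of constraints."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return {
        "names": set(fields.get("server-names", [])),
        "nets": [ipaddress.ip_network(v, strict=False) for v in fields.get("server-ips", [])],
        "expires": date.fromisoformat(fields["expires"][0]) if "expires" in fields else None,
    }


def check_licence(lic, server_name, server_ip, today):
    """Return None if the file may run on this host today, else the refusal reason.

    `today` may be a datetime.date or an ISO date string such as "2009-09-15".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if lic["expires"] is not None and today > lic["expires"]:
        return "expired"                    # rental period over: buyer must renew
    if lic["names"] and server_name not in lic["names"]:
        return "server name not licensed"   # kit moved to an unlicensed domain
    addr = ipaddress.ip_address(server_ip)
    if lic["nets"] and not any(addr in net for net in lic["nets"]):
        return "server IP not licensed"     # kit moved to an unlicensed address
    return None


if __name__ == "__main__":
    lic = parse_licence(LICENCE_TEXT)
    for name, ip, day in [("example-kit-host.test", "192.0.2.10", "2009-09-15"),
                          ("example-kit-host.test", "192.0.2.10", "2009-11-01"),
                          ("other-host.test", "192.0.2.10", "2009-09-15")]:
        print(name, ip, day, "->", check_licence(lic, name, ip, day) or "runs")
```

The second and third cases are the two situations the text describes: the rental period ending, and the buyer moving the kit to a domain the licence does not name.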
Symantec has observed both of these techniques in use by the Fragus exploit kit hosted on the domain ‘Vertigoinvasion.com’. It seems that the Fragus exploit pack was rented to this site for the period of September and October 2009. We were also able to view the statistics pages for two separate campaigns run from this domain that appear to have individually targeted Germany and Spain. In both campaigns the final payload was detected by Symantec as Infostealer.Banker.C, which is a Symantec detection name for Zeus. As can be seen in the statistics pages (figures 2 & 3) below, over 50,000 systems in total visited the Fragus exploit kit hosted on this domain and over 16,700 were successfully exploited.
The Fragus exploit kit is available in both English and Russian. One final tidbit is that it also comes with a utility for crypting the iframes that are placed on the attacking websites.
Symantec proactively had AV and IPS detection in place for the exploits used in this pack. The Fragus exploit pack will be detected by Symantec IPS as ‘HTTP Fragus Toolkit Activity’ or ‘HTTP Fragus Toolkit Java Class Activity’.
Note: Special thanks to Cathal Mullaney for his help with the research and development of this blog article.