Symantec Blogs: Security Response

Sean Hittel | May 8th, 2008
Lately, I have been feeling like a bit of a broken record, each week singing nearly the same tune. Well, this week is no exception. Neosploit has updated again. Starting on May 2, our honeypots again picked up an update to the omnipresent exploit kit.

This time, the update includes a new packer, apparently designed to restrict the unlicensed deployment of the exploit toolkit. The Neosploit packer has always been (dare I say it) innovative. In addition to scrambling variables and ensuring that the exploit delivered is different each time a victim is iframed to an infectious site, Neosploit also uses itself as the key to decode itself. This means that clumsy attempts to modify the decoder in an attempt to decode it will result in gibberish, rather than the properly decoded exploits. In addition to this, the new version adds a check to ensure that the exploit is hosted on the intended site. Essentially, what the authors of Neosploit did was append the URL...
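
The self-keying behaviour described above, as an added example that is not from the original post or from Neosploit: a toy decoder whose key is derived from the decoder's own source text, showing why an edited copy yields gibberish and why an analyst should treat the captured text as untouched data. The key derivation, function names and sample strings are assumptions constructed for illustration.

```javascript
// Added illustration: a toy self-keyed decoder. The key schedule below is an
// assumption for demonstration, not Neosploit's actual algorithm.

// Derive a 32-byte key from the decoder's own source text (FNV-1a style mixing).
function keyFromSource(sourceText) {
  const key = new Uint8Array(32);
  let h = 0x811c9dc5;
  for (let i = 0; i < sourceText.length; i++) {
    h ^= sourceText.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
    key[i % key.length] ^= h & 0xff;
  }
  return key;
}

// XOR is symmetric, so the same routine builds the sample and unpacks it.
function xorWithKey(bytes, key) {
  return bytes.map((b, i) => b ^ key[i % key.length]);
}

function unpack(decoderSource, blob) {
  const out = xorWithKey(blob, keyFromSource(decoderSource));
  return Buffer.from(out).toString("latin1");
}

// Constructed sample: decoder text as captured from a page, and a benign body.
const capturedDecoder = "function d(b){var k=key(d.toString());return x(b,k);}";
const benignBody = "document.title = 'constructed sample';";
const blob = xorWithKey(Array.from(Buffer.from(benignBody, "latin1")),
                        keyFromSource(capturedDecoder));

// Analyst mistake: adding one logging statement to the decoder changes its
// text, so the derived key changes and the output is no longer the body.
const editedDecoder = capturedDecoder.replace("return", "console.log(k);return");

// Safer workflow: keep the captured text byte-for-byte intact, treat it as
// data, and run the key derivation outside the sample.
function compareRuns() {
  return {
    pristine: unpack(capturedDecoder, blob),
    edited: unpack(editedDecoder, blob),
  };
}

console.log(compareRuns());
```

Whitespace changes, reformatting by a beautifier, or a re-saved copy with different line endings alter the key in the same way, so preserve the original bytes of the capture before instrumenting anything.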