Symantec Blogs: Security Response

Sean Hittel | August 14th, 2008

The Peacomm network has definitely turned out to be a survivor. With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits.

The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently redirects the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include...

Sean Hittel | February 7th, 2008

Yesterday our honeypots picked up a browser attack toolkit that I had not encountered before. This toolkit uses dynamic function and variable names and wraps its exploits in two levels of dynamic encoding. Finding a new toolkit on our honeypots always piques my interest, as a new toolkit often yields new exploit payload.

Lo and behold, once the encoder layers are peeled away, the toolkit is found to contain an exploit for the MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow that was announced on the 31st of January.

The IPS that ships with 2008 versions of NAV and NIS will detect this attack as...