The creators of the Phoenix exploit kit have begun using obfuscation and other techniques to prevent security researchers and others from reverse-engineering the installation process for the kit, adopting a tactic that has become increasingly popular among attackers recently.
The Phoenix exploit kit is one of a number of similar toolkits, such as the Eleonore kit, sold by various attack crews and malware developers to attackers who don’t have the skill or the time to develop their own tools. The kits typically include an installer and a number of exploits packaged up for easy use. Phoenix is being used now to compromise legitimate Web sites and then turn around and attack visitors to those sites with a cocktail of exploits.
Now, researchers have found a version of the kit that includes installation code that is completely obfuscated, making it more difficult for researchers to observe the installation process and see how it works.
“This is probably an attempt by the developers to make it harder for
security researchers to understand how to install the kits, especially
if there is no ‘readme.txt’ file included in a kit. Typically, exploit
kits come with some sort of installation and or revision documents which
come in the form of a ‘readme.txt’ file or ‘notes.txt’. Without the
readme file, it can be difficult to install a kit unless you reverse
engineer the installation process. Most of the time, the reverse
engineering of kit installation is pretty easy because the PHP code is
not obfuscated,” Websense researcher Chris Astacio wrote in an anlysis of the new version of the kit.
Astacio found a simple way to de-obfuscate the code and discovered that the code includes a number of base64 encoded variables that contain obfuscated PHP code. He also found that each variable corresponds to a compromised page that has been assigned a random identifier, to further complicate the analysis process for researchers.
“This is where things get interesting, as far as protection mechanisms
go. The reason that the PHP code for each of these scripts is held in a
variable is because the page names actually get randomized for each
installation! This helps to prevent security researchers from easily
finding and possibly viewing statistics about the site hosting a Phoenix
Exploit’s Kit. Prior to the version being analyzed here, Phoenix came
with standard page names so once the exploit page was found, it was easy
to find the statistics page and try to break in to view stats from that
particular installation,” Astacio wrote.
After the Phoenix kit is installed a new machine, the buyer still has to take the extra step of contacting the kit’s creator in order to get the actual exploits that the kit uses.