Note: I presumed it was CVE-2012-5067 as : it's not working on j7u9, it's working on j7u7...it could be something else thought chances were low... I was wrong.

Cool EK infecting Windows 7 x64 via IE9 plugin Java 7u7 and pushing Reveton Ransomware which gather it's Turkish disguise from its C&C

CBeplay.P Cool EK : No CVE-2012-5076 path



new.jar in Java Decompiler







With some help , am able to put more information about this jar file.

The bagdfssdb.class is encrypted with ZelixKlassMaster







Method: <clinit> in bagdfssda

0000004E : tableswitch l: 0, h: 3, def: pos.00000080, pos.(0000006C, 00000071, 00000076, 0000007B)

0000006C : bipush 55

0000006E : goto pos.00000082

00000071 : bipush 120

00000073 : goto pos.00000082

00000076 : bipush 64

00000078 : goto pos.00000082

0000007B : bipush 24

0000007D : goto pos.00000082

00000080 : bipush 81



Using the zkm_decrypt.py provided with DirtyJOE and the key [55,120, 64, 24, 81]



zkm_decrypt.py loaded in DirtyJOE Decrypted

Applying a SUB of 0x2a we get payload.class ( 9b7481ce8aa6844e25c196c13d9250d9 ) :



Payload class in Java Decompiler.



</edit2>

What about the % break. It seems it double the rate...but starting from around 6% we are now to something around 12%. As usual it's always difficult to talk about that, as the % depends of the traffic/country..etc

In Turkey, before this CVE, break % could reach 20% where rate for Germany was between 3 and 5%



With some help , am able to put more information about this jar file.The bagdfssdb.class is encrypted with ZelixKlassMasterSo we have to take a look at the method clinit to find the key :0000004E : tableswitch l: 0, h: 3, def: pos.00000080, pos.(0000006C, 00000071, 00000076, 0000007B)0000006C : bipush 550000006E : goto pos.0000008200000071 : bipush 12000000073 : goto pos.0000008200000076 : bipush 6400000078 : goto pos.000000820000007B : bipush 240000007D : goto pos.0000008200000080 : bipush 81Applying a SUB of 0x2a we get payload.class ( 9b7481ce8aa6844e25c196c13d9250d9 ) :What about the % break. It seems it double the rate...but starting from around 6% we are now to something around 12%. As usual it's always difficult to talk about that, as the % depends of the traffic/country..etcIn Turkey, before this CVE, break % could reach 20% where rate for Germany was between 3 and 5%

Be ready to see same kind of post for Blackhole 2.0 (or update to 2.1) soon, as chances are HUGE that Paunch is indeed behind Cool EK code.



Others changes : Old Flash exploit activated (/media/score.swf ), old PDF exploits added ( /media/pdf_old.php vs /media/pdf_new.php).

I won't spend time on this (at least right now)







- 15-11-2012 - Jeong Wook (Matt) Oh - MMPC

About Cool EK : Read more ? A technical analysis on new Java vulnerability (CVE-2012-5076) - 15-11-2012 - Jeong Wook (Matt) Oh - MMPCAbout Cool EK :





<edit3>

I don't want to be guilty for an integration of this CVE in other Exploit Pack.

So don't expect freely avaiblable files from me as long as it's not widely used.

Password protected file :





kafeine at dontneedcoffee dot com for password.

No need to mail if you are not ready to give real name and company

</edit3>

In war, whatever your weakness/strengths are, better not help other side improve its weapons.