Thursday, March 18, 2010

Crimepack - How Not to Redact

The Crimepack exploit kit is rather new, and is beginning to generate some interest on various forums and mailing lists. They appear to have a decent advertising campaign as well, with ads written clearly in both English and Russian.

On one Russian forum, someone who is presumably the author of Crimepack, or very familiar with how it works, went into great detail about how its obfuscation and other components work. I was happy to see that he was using a tool I know and love, Malzilla, to demonstrate how well it's made. Unfortunately, I don't think this guy understands the tool that well, or at the very least, how to read hex:

It's apparent that this guy is trying to hide a URL. I don't think he understands that he missed all but one character of the URL in his redaction: he blacked out the ASCII column, but the hex bytes beside it are untouched. At 0x280 in the hex, with an ASCII lookup table, you'll see "ilon5.ru". Other images revealed the first character to be a "p".
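As an added illustration (not part of the original post), here is a small Python script that does the same thing with a constructed dump: the sample bytes, offsets and the example.com URL are made up for the demo. It rebuilds the text from the hex column of a dump whose ASCII column alone was blacked out, then redacts the same byte range in both columns so there is nothing left to decode.

```python
import re

# Constructed sample dump in the 16-bytes-per-row layout a hex viewer such as Malzilla
# uses: offset, hex column, ASCII column. Only the ASCII column was "redacted" with '#'.
REDACTED_DUMP = """\
00000280  3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74  ################
00000290  70 3a 2f 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f  ################
000002a0  69 6e 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74  ################
"""
# offset, 1-16 hex cells ('xx' marks a properly redacted byte), two+ spaces, ASCII column
ROW = re.compile(r"^([0-9a-fA-F]+):?\s+((?:(?:[0-9a-fA-F]{2}|xx)\s?){1,16})\s{2,}(.*)$")
PRINTABLE = range(0x20, 0x7f)

def parse_rows(dump):
    """Return [(offset, data, ascii_column)] per row; redacted 'xx' cells decode to 0x00."""
    rows = []
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            data = bytes(0 if c == "xx" else int(c, 16) for c in m.group(2).split())
            rows.append((int(m.group(1), 16), data, m.group(3)))
    return rows

def recover_strings(dump, min_len=6):
    """Rebuild bytes from the hex column alone and pull out printable runs (the by-hand lookup-table trick)."""
    data = b"".join(d for _, d, _ in parse_rows(dump))
    runs, cur = [], bytearray()
    for byte in data + b"\x00":          # trailing NUL flushes the last run
        if byte in PRINTABLE:
            cur.append(byte)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode())
            cur = bytearray()
    return runs

def redact_range(dump, start, end):
    """Redact bytes in [start, end) in BOTH columns: hex cells become 'xx', ASCII cells '#'."""
    out = []
    for off, data, asc in parse_rows(dump):
        cells, chars = [], list(asc.ljust(len(data)))
        for i, byte in enumerate(data):
            if start <= off + i < end:
                cells.append("xx")
                chars[i] = "#"
            else:
                cells.append("%02x" % byte)
        out.append("%08x  %s  %s" % (off, " ".join(cells), "".join(chars)))
    return "\n".join(out) + "\n"
```

Running recover_strings over a dump you are about to publish is a cheap check that the redaction actually removed what you meant it to.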

Sure enough, there's an exploit kit installed right where the image said it would be!

A whois lookup for this site comes up as:
domain: PILON 5.RU
nserver: ns1.hostlife.net.
nserver: ns2.hostlife.net.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
phone: +375296543210
e-mail: ch1t3r@gmail.com
registrar: NAUNET-REG-RIPN
created: 2010.02.02
paid-till: 2011.02.02
source: TCI
ch1t3r has a history with exploit packs too, it seems.

Here's hoping that this kind of redaction becomes a trend with these guys!