SpiderLabs Blog

A New Neighbor in Town: The Nuclear Pack v2.0 Exploit Kit

Written by | Mar 22, 2012 9:27:00 PM

In the past few years, cybercriminals have been increasingly using exploit kits to spread malware. Today, several exploit kits, primarily Blackhole and Phoenix, dominate this market but occasionally we do find other rare ones that are being deployed. We would like to introduce you to a new version of Nuclear Pack exploit kit: version 2.0.

 

The first version of Nuclear pack was distributed in 2009 and has disappeared since then.

Let's take a look at the obfuscation technique of Nuclear Pack v2.0. The malicious code is hidden within HTML SPAN tag which is loaded from the JavaScript using "getElementsByTagName" calls and transmitted into a JavaScript code using multiple math manipulations:

After the HTML text is transformed into code, it is executed using the "eval" function.

 

The code above uses techniques that are typical to the Blackhole exploit kit. It uses the getJavaInfo Java applet to identify the version of the Java application installed on the target machine, and loads the specific exploits the machine is vulnerable to.

Nuclear Pack v2.0 exploits the following vulnerabilities:

  • Acrobat Reader – LibTIFF Integer Overflow Vulnerability – CVE-2010-0188
  • Microsoft Internet Explorer MDAC RDS.Dataspace ActiveX Control Vulnerability - CVE-2006-0003
  • JRE Trusted Method Chaining Vulnerability– CVE-2010-0840
  • Oracle Java Rhino Script Engine Vulnerability CVE-2011-3544

As an example, here is the de-compiled code of the Rhino exploit delivered by this attack:

 

The red box in the screen shot above presents the Java script that is executed in the Rhino JS engine. More information on Rhino Script Engine vulnerability can be found in our blog.

According to our research this new version of Nuclear pack has not placed a new standard of obfuscation or evasion techniques, and can barely be seen in the wild.

All Trustwave M86 Secure Web Gateway customers are protected against this attack by default. The access to the exploit page is blocked.