Series: Looking through the keyhole – NeoSploit

March 25, 2009


Neosploit is an oldie but goodie.  There are many versions, and at one point it had a lot of market share.  It was also one of the first to be ripped and used or configured by many others.  Cannibals eat their own, it seems.  The effect is that it drives down exploit pack prices.

It is written in C as a CGI program to be run on a web server.  It is possible that it was written by “Grabarz”.

Known versions: 3.0.7, 3.1, 2.0.13, 2.0.17, 2.0.15, 2.0, 1.5, 1.0

Supposedly this crew quit development but their source code and legacy will remain as more and more of these crimeware kits are cloned and innovated by others. 

[Image: neosploit1]

[Image: neosploit31]

I will be searching for the source code of this to make it available for research.

Why?  To exploit, that’s why.  Usually the nubs that run this shit are clueless on how to secure their own systems.  Also we can take advantage of backdoors the authors put in to rip the data from the users.  No honor among thieves of course.

However these decentralized operations are complex to unravel.  The problem is that many times researchers do find out who it is, then notify the authorities to no avail. 

I am advocating as a Thought Meme the era of Open Source Evidence.  What does this mean exactly?  It means the active and aggressive publication and publishing of evidence that validates and verifies known malware authors and crimeware authors.  The evidence should clearly incriminate said parties.  The evidence should be posted FIRST to the open source in high-traffic blogs and then reported to authorities.

Law enforcement has had plenty of time to pursue these guys and in their investigations “keep all hush hush” about the evidence and the personalities and organizations behind this fiasco of a mess.  In the meantime victims suffer, with no compensation, retribution, or entity to champion their woes.  I have said many times: we are sheep among wolves, and our protectors are down the street, hanging out at McDonald's.

Here is another screenshot of Neosploit. 

[Image: takingdown]

Here is some additional detail, such as the login page.

[Image: neo1]

[Image: neo2]

[Image: neo31]

These are the sites the criminal compromised with iframes:

[Image: neo4]

Here is a geographic distribution of the PWNed victims:

[Image: neo5]
