Fragus Exploit Kit Changes the Business Model

The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.  

 
Figure 1.
The authors of Fragus stick to this formula, but in addition have employed the use of a legitimate software protection tool known as ionCube PHP Encoder to protect their code. The additional features of ionCube PHP Encoder not only allow the Fragus authors to protect their code, but also to control its usage and protect their revenue stream from the pack. Because the pack sells for $800 USD, this is not small change. (continue reading...)