Phoenix exploit hacker kit methodology explained

The kit, which was originally discovered by M86 Security in the summer of 2009, has been dissected by Chris Astacio, a security researcher with Websense, who reports that its installation routines are, like those of a lot of hacker toolkits, obfuscated (hidden).

This is, he explains, "probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no 'readme.txt' file included."

Looking at the PHP code, Astacio says, researchers can see that the installer is a Base64-encoded, zlib-compressed stream of data.

"The PHP script uses an 'eval' statement with 'gzuncompress' and 'base64_decode' functions to decode the stream of data. For us to get the clear text code, we can use a simple substitution trick along with the PHP CLI so that we can then analyse the installer's code", he said in his security blog.

"To do this, we simply need to replace the 'eval' with a 'print' and run the install.php script on the command line", he added.
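The substitution trick described above, worked through on a constructed sample. This is an added example, not code from the Websense write-up or from the kit: it builds a harmless PHP file in the same eval(gzuncompress(base64_decode(...))) shape, shows the eval-to-print rewrite that makes the PHP CLI print the decoded stage instead of running it, and also decodes the stream directly in Python so the clear text can be recovered on a box with no PHP installed. Peeling several stacked wrappers in a loop is a generalisation for other samples; the article only describes a single layer.

```python
"""Deobfuscating an eval(gzuncompress(base64_decode('...'))) PHP wrapper.

Added example (not from the Websense analysis). The sample installer built
by wrap() is constructed for this demonstration; it contains no exploit code.
PHP's gzcompress()/gzuncompress() use the zlib (RFC 1950) container, which is
exactly what Python's zlib.compress()/zlib.decompress() produce and consume.
"""
import base64
import re
import zlib

# Matches one eval(gzuncompress(base64_decode('<payload>'))); wrapper and
# captures the Base64 payload (whitespace inside the literal is tolerated).
WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*
        ['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)\s*;""",
    re.DOTALL | re.VERBOSE,
)


def wrap(php_stage: str, with_open_tag: bool = True) -> str:
    """Build a constructed obfuscated installer: the stage is zlib-compressed,
    Base64-encoded and handed to eval().  Inner layers of a nested sample
    have no <?php tag, because eval()'d code already starts in PHP mode."""
    blob = base64.b64encode(zlib.compress(php_stage.encode())).decode()
    wrapper = f"eval(gzuncompress(base64_decode('{blob}')));\n"
    return ("<?php\n" + wrapper) if with_open_tag else wrapper


def eval_to_print(php_source: str) -> str:
    """The trick from the article: swap the first eval( for print( so that
    `php install.php` on the CLI prints the decoded stage instead of
    executing it.  Everything outside the eval() still runs, so do this in
    an isolated analysis VM."""
    return re.sub(r"\beval\s*\(", "print(", php_source, count=1)


def unwrap_once(php_source: str):
    """Decode one wrapper layer in Python (base64 -> zlib -> text).
    Returns the decoded stage, or None when no wrapper is present."""
    m = WRAPPER_RE.search(php_source)
    if m is None:
        return None
    payload = re.sub(r"\s+", "", m.group(1))
    return zlib.decompress(base64.b64decode(payload)).decode("utf-8", "replace")


def unwrap_all(php_source: str, max_layers: int = 10) -> str:
    """Peel nested wrappers until the stage no longer starts with one.
    Stacked wrappers are an assumption about other samples, not something
    the article states about Phoenix."""
    current = php_source
    for _ in range(max_layers):
        inner = unwrap_once(current)
        if inner is None:
            return current
        current = inner
    raise ValueError("more than %d wrapper layers; giving up" % max_layers)


if __name__ == "__main__":
    stage = "echo 'constructed installer stage';"
    sample = wrap(stage)
    print("--- obfuscated sample ---")
    print(sample)
    print("--- after eval -> print substitution (feed this to the PHP CLI) ---")
    print(eval_to_print(sample))
    print("--- decoded directly in Python ---")
    print(unwrap_all(sample))
```

On a system with PHP available the same result comes from the substituted file itself, for example `sed 's/eval(/print(/' install.php > install_print.php && php install_print.php`. Note that the printed stage normally has no `<?php` open tag of its own, since eval()'d code starts in PHP mode, so prepend one before running a further substitution pass on it.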

Interestingly, despite the widespread use of the hacker toolkit, the Websense researcher says that there is nothing special about it.

"You get to choose the language of the installation instructions, either English or Russian. And on the next page you have a form to fill out for various resources", he said, adding in his analysis that he has not shown some of the forms as they contain sensitive information.

One of the most interesting features of the kit is that it does not ship with a current set of exploits: users must contact the developer to activate the kit, presumably by paying a fee, Infosecurity notes.

According to the Websense security researcher, the developers of the Phoenix Exploit kit are working on not only protecting their exploit code from being recognised, but also their installations.

"This makes it difficult for researchers to further dissect and understand how the kit works, especially if a researcher comes across just the install script", he said in his blog.

"It also makes things more difficult for others who want to study and report on the statistics found from individual installations of Phoenix by randomising the page names used in the kit installations", he added.

Further details of Astacio's detailed analysis can be found at the Websense blog.
