g01Pack Exploit Kit

There is an updated post on this exploit kit.

Tricky to acquire. Almost exclusive to malvertising.

DynDns Domains being used:

– I'm sure there are more *.is-* domains; you can look for more with a regex on the domain: \.is(\-[a-z]+){1,}\.[a-z]+

Regex for identifying the URL path fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view)\/

Examples:

GATES

http://butgocodefour.dyndns.org/mix/
http://fivevsevenkey.dyndns.org/mix/
http://sevennfourpark.dyndns.info/forum/
http://qwtoovecho.dyndns.org/mix/
http://foxreajunk.dyndns.info/forum/

MALJAR

http://uonetwodo.dyndns.info/forum/1m1yfygo20iz9lgfola9w9lmjg.jar
http://dryzeroparktoo.dyndns.org/mix/1wl101m55fzf9zg5oii5ozaw11.jar
http://foxreajunk.dyndns.info/forum/1wl101m55fzf9zg5oii5ozaw11m9ogla.jar
http://uonetwodo.dyndns.info/forum/2jmmmmyfgm9i01jyfiyig1fawal9ayfl.jar

EXEs

http://goninefoxseven.dyndns.info/forum/ma0alimf5a0awzjljiiwj2gi9y.php?fid=java_ara&quote=%2F&size=32864079&
http://foxreajunk.dyndns.info/forum/5wawwmaf0g0fo1ljyioo1jiy1zyowwgy.php?quote=%2F&size=33210331&fid=java_ara&
http://uonetwodo.dyndns.info/forum/ma0alimf5a0awzjljiiwj2gi9y.php?size=32893475&fid=java_ara&quote=%2F&
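The two regexes above can be combined into a proxy-log triage check that labels a request as gate, JAR or payload. This is an added example, not code from the original post. The suffix tuple, the file-name token length, the required query parameters, and the names classify, triage and SAMPLE are assumptions inferred from the examples above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Both patterns are copied from the page.
IS_DOMAIN = re.compile(r"\.is(\-[a-z]+){1,}\.[a-z]+")
PATH_DIR = re.compile(r"\/(forum|mix|songs|ports|news|comments|top|funds|feeds|"
                      r"finance|usage|profile|points|look|banners|view)\/")

# Assumption: only the two suffixes seen in the page's example URLs; extend locally.
DYN_SUFFIXES = (".dyndns.org", ".dyndns.info")
# Assumption: file names in the page's examples are 26 or 32 lowercase
# alphanumerics; the range is widened here to tolerate variation.
TOKEN = r"[a-z0-9]{20,40}"
PAYLOAD_PARAMS = {"fid", "quote", "size"}  # present in every EXE example, any order

def classify(url):
    """Label a proxy-log URL as 'gate', 'jar', 'payload', or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not (host.endswith(DYN_SUFFIXES) or IS_DOMAIN.search(host)):
        return None
    m = PATH_DIR.match(parts.path)  # directory must be the first path segment
    if not m:
        return None
    rest = parts.path[m.end():]
    if rest == "":
        return "gate"
    if re.fullmatch(TOKEN + r"\.jar", rest):
        return "jar"
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if re.fullmatch(TOKEN + r"\.php", rest) and PAYLOAD_PARAMS <= params:
        return "payload"
    return None

def triage(urls):
    """Return (label, url) pairs for matching URLs; everything else is dropped."""
    return [(label, u) for u in urls if (label := classify(u))]

# Constructed sample log lines (hostnames and tokens are made up).
SAMPLE = [
    "http://constructed-a.dyndns.org/mix/",
    "http://constructed-b.dyndns.info/forum/" + "a1" * 13 + ".jar",
    "http://constructed-c.is-a-placeholder.example/news/" + "b2" * 16
    + ".php?size=1&fid=x&quote=%2F&",
    "http://constructed-d.dyndns.org/about/",          # wrong directory
    "http://www.example.com/forum/",                   # host not dynamic DNS
    "http://constructed-e.dyndns.org/mix/index.html",  # file name does not fit
]

if __name__ == "__main__":
    for label, url in triage(SAMPLE):
        print(f"{label:8} {url}")
```

Matching on the directory alone is noisy because names such as /forum/ and /news/ are common, so the check requires the dynamic DNS host condition first.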

See more examples of g01Pack Exploit Kit on UrlQuery.net
