AnonJDB / JDB Exploit Kit

This appears to be an older kit: @Xylibox posted on it back in July of last year, and @Unixfreakjp recently did a nice infection writeup on it.

GATE

HTTP Request Method = GET
HTTP URI contains /inf.php?id=
Regex HTTP URI for “\/inf\.php\?id=[a-f0-9]{32}$”

Social Engineering (Update Adobe / DL EXE)

HTTP Request Method = GET
HTTP URI contains /lib/adobe.php?id=
Regex HTTP URI for “\/lib\/adobe\.php\?id=[a-f0-9]{32}$”

Java Exploit

HTTP Request Method = GET
HTTP URI contains /data.php?id=
User-Agent contains “Java”
Regex HTTP URI for “\/data\.php\?id=[a-f0-9]{32}$”
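To show how the three signatures above behave against traffic, here is an added example (not from the original post) that applies them to a few constructed proxy log lines, with method, URI and User-Agent fields. The leading `\/` in the post's patterns is only PCRE delimiter escaping, so it is dropped in the Python regexes; the log format and sample values are assumptions.

```python
import re

# Signatures transcribed from the post: stage, URI substring, URI regex, and
# the User-Agent substring required for that stage (only the Java stage has one).
SIGNATURES = [
    ("gate", "/inf.php?id=", re.compile(r"/inf\.php\?id=[a-f0-9]{32}$"), None),
    ("social_engineering", "/lib/adobe.php?id=",
     re.compile(r"/lib/adobe\.php\?id=[a-f0-9]{32}$"), None),
    ("java_exploit", "/data.php?id=", re.compile(r"/data\.php\?id=[a-f0-9]{32}$"), "Java"),
]


def classify(method, uri, user_agent=""):
    """Return the AnonJDB stage a request matches, or None if no signature fires."""
    if method != "GET":
        return None
    for stage, needle, pattern, ua_needle in SIGNATURES:
        if needle not in uri or not pattern.search(uri):
            continue
        if ua_needle is not None and ua_needle not in user_agent:
            continue
        return stage
    return None


# Constructed sample log lines (not real traffic): method, URI, User-Agent, tab-separated.
SAMPLE_LOG = """\
GET\t/inf.php?id=0123456789abcdef0123456789abcdef\tMozilla/5.0
GET\t/lib/adobe.php?id=0123456789abcdef0123456789abcdef\tMozilla/5.0
GET\t/data.php?id=0123456789abcdef0123456789abcdef\tMozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
GET\t/data.php?id=0123456789abcdef0123456789abcdef\tMozilla/5.0
POST\t/inf.php?id=0123456789abcdef0123456789abcdef\tMozilla/5.0
GET\t/inf.php?id=ABCDEF\tMozilla/5.0
GET\t/index.php\tMozilla/5.0
"""


def scan_log(text):
    """Return a list of (line_number, stage) for every log line that hits a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # malformed line, skip rather than guess
        stage = classify(*parts)
        if stage:
            hits.append((n, stage))
    return hits


if __name__ == "__main__":
    for n, stage in scan_log(SAMPLE_LOG):
        print(f"line {n}: {stage}")
```

Lines 4 to 7 of the sample deliberately miss: the data.php request without a Java User-Agent, a POST, a short uppercase id, and an unrelated URI.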

See Examples of AnonJDB on UrlQuery.net

References:
http://www.xylibox.com/2012/07/anonjdb.html
http://malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html
http://blog.webroot.com/2012/01/17/inside-anonjdb-a-java-based-malware-distribution-platforms-for-drive-by-downloads/
http://www.youtube.com/watch?v=1LXtB3nTPeQ (AnonJDB setup video)
