Cool Exploit Kit \world\ Variant

This tag isn't new for CEK, but it has become increasingly popular over the past few weeks.

You can match the URI with this regex for the various payloads (pdf, jar, swf, etc.):

\/world\/([a-z]+(-|_)){1,}[a-z]+\.[a-z]{3,4}$

The exe is easy enough to find with the criteria below. I have seen it with many variations, all numerical, with a jpg extension…

HTTP Method = GET
HTTP URI contains /world/
Content-Type = application/x-msdownload
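
As an added example (not from the original post), here are the two checks above applied to proxy-log records in Python. The record field names, the `classify` and `scan` helpers and the sample records are assumptions constructed for illustration.

```python
import re

# Payload URI pattern, copied verbatim from the post.
PAYLOAD_RE = re.compile(r"\/world\/([a-z]+(-|_)){1,}[a-z]+\.[a-z]{3,4}$")

def classify(record):
    """Label one proxy-log record (dict) as 'exe', 'payload' or None."""
    uri = record.get("uri", "")
    method = record.get("method", "").upper()
    # Content-Type can carry parameters and mixed case; compare the bare type.
    ctype = record.get("content_type", "").split(";")[0].strip().lower()
    # Exe rule from the post: GET + /world/ in the URI + x-msdownload.
    if method == "GET" and "/world/" in uri and ctype == "application/x-msdownload":
        return "exe"
    if PAYLOAD_RE.search(uri):
        return "payload"
    return None

def scan(records):
    """Return (uri, label) for every record that matches either rule."""
    return [(r["uri"], label) for r in records if (label := classify(r))]

# Constructed sample records (hypothetical field names and values).
SAMPLE = [
    {"method": "GET", "uri": "/world/alpha-beta_gamma.jar",
     "content_type": "application/java-archive"},
    {"method": "GET", "uri": "/world/some_word.pdf",
     "content_type": "application/pdf"},
    # Numeric name with a jpg extension, served as an executable.
    {"method": "GET", "uri": "/world/48213.jpg",
     "content_type": "Application/x-msdownload; charset=binary"},
    # Same URI served as a real image: neither rule fires.
    {"method": "GET", "uri": "/world/48213.jpg", "content_type": "image/jpeg"},
    # No hyphen or underscore in the file name: the regex does not match.
    {"method": "GET", "uri": "/news/world/index.html", "content_type": "text/html"},
    # The regex is not anchored at the start of the path, so this also matches.
    {"method": "GET", "uri": "/news/world/top-stories.html",
     "content_type": "text/html"},
]

if __name__ == "__main__":
    for uri, label in scan(SAMPLE):
        print(f"{label:8} {uri}")
```

Because the regex only anchors the end of the URI, a hit on the payload rule alone is a lead to triage; the Content-Type mismatch on the exe rule is the stronger signal.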

See more examples of the Cool Exploit Kit /world/ variant on urlQuery.net.
