
World's worst exploit kit weaponises white hats' proof of concept code

Plaid Parliament of Pwning's IE attack turned into pay-to-p0wn cannon


The new wearer of the crown for World's Worst Exploit Kit is compromising users with exploit code for a dangerous new attack published by a white hat researcher.

Neutrino is the new king of for-profit p0wnage packages, a market in which criminals create tools to compromise scores of users through the latest vulnerabilities.

Neutrino's authors, who have risen to prominence since the likely arrest of the former top dogs behind the Angler exploit kit, were quick to snap up exploit code published to GitHub that allowed attackers to plunder a nasty Microsoft vulnerability (CVE-2016-0189).

That code comes from the Plaid Parliament of Pwning, known for dominating the DEF CON capture the flag events, which published exploit code for the scripting engine memory corruption vulnerability under its new firm Theori.io.

That publication is standard practice throughout significant sections of the information security community, which operate on an open disclosure basis and the understanding that security through obscurity is largely a myth.

The hacking crew were the first to detail the exploit code, but not the first to abuse it; the vulnerability came to light as a then zero-day flaw being used to attack victims in South Korea with spear phishing emails that launched the exploit and downloaded unknown payloads.

FireEye security boffins Kenneth Johnson, Sai Omkar Vashisht, Yasir Khalid, and Dan Caselden detailed Neutrino's use of Theori.io's exploit code using one example in which Neutrino used exploits for five patched vulnerabilities: three for Adobe Flash Player and two for Internet Explorer.

"CVE-2016-0189 is the newest addition to Neutrino’s arsenal," the team says.

"The exploit embedded within Neutrino is identical to this researcher’s exploit, except for the code that runs after initial control."

Theori.io reverse-engineered Microsoft's May patch for the flaw to cook up their exploit. ®
