SCF Advanced Search

  • Total Posts: 40515
  • Total Topics: 14425
  • Online Today: 682
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Styx Exploit Kit Takes Advantage of Vulnerabilities  (Read 1930 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Styx Exploit Kit Takes Advantage of Vulnerabilities
« on: 27. June 2013., 10:21:03 »
Styx Exploit Kit Takes Advantage of Vulnerabilities

Web-based malware has increased over the last few years due to an abrupt spike in new exploit kits. These kits target vulnerabilities in popular applications and provide an effective way for cybercriminals to distribute malware. We have already discussed Red Kit, a common exploit kit. Recently McAfee Labs has observed an increase in the prevalence of the Styx exploit kit.

The next graph shows the prevalence of this exploit kit in the wild.

"click the image to make them larger"

Overview of an attack

Like other exploit kits, Styx covertly redirects users as they visit a legitimate website to a malicious landing page that hosts the exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of a spam campaign.


Once users reach the landing page the malware searches for vulnerable applications installed in the system. This occurs via browser plug-in detection code (Plugin Detect Version 0.8.0).

Plugin Detect Version 0.8.0

The landing page has an iframe that contains a malicious link with obfuscated code.

Malicious iframe

The JavaScript used on the landing page references the iframe using a unique ID, deobfuscates the malicious code, and loads the following malicious web pages hosted on the compromised server.

• Jorg.html

• Jlnp.html

• Pdfx.html

Malicious JavaScript

The page jorg.html downloads a JAR file that targets the vulnerability CVE-2013-0422.

Jlnp.html uses the Java Network Launch Protocol, which allows the user to download a malicious JAR file that targets the vulnerability CVE-2013-2423. The attackers bypass the Java security check by setting the parameter “__applet_ssv_validated” value to True.


Pdfx.html loads two web pages, fnts.html and jovf.html, which download an eot (web-based font file) and a JAR file. These files target the vulnerability “CVE-2011-3402” and CVE-2013-1493, respectively. Finally, pdfx.html downloads a PDF that targets the vulnerability CVE-2010-0188.


The final payload of this exploit kit is a downloader that delivers additional malware from the remote server. Depending upon the attacker, the payloads are custom made and delivered to the compromised machine.

URL Patterns

The Styx exploit kit uses different URL patterns for its landing pages.

• hxxp://[domain name]/6YcinO0Sseq0fDBV0T3aT0lJAg0EkbA04FxQ0n5Ql06rpn/

• hxxp:// [domain name]/txjtJC07tCh0umHs0NZTL0OYgb0zOvl0JZ2V06bOd0xKmb/

• http:// [domain name]/8iVsog0IrKi09gpk0lpTv0DPpd0vjHb0UHWZ0Rq2P13ZsU/

• hxxp:// [domain name]/VgsHRk0dg8z0eREo0a8IG0DW9f04Ovg08zLs0VzuY0EqiG/

• hxxp:// [domain name]/YONmPa0VeqA14XYe13zsL081Lc09i7W0e4gM/

This exploit kit also uses unique URL patterns for downloading the exploit files.

• hxxp://[domain name]/[Random characters and numbers]/jorg.html

• hxxp://[domain name]/[Random characters and numbers]/jlnp.html

• hxxp://[domain name]/[Random characters and numbers]/pdfx.html

• hxxp://[domain name]/[Random characters and numbers]/fnts.html

• hxxp://[domain name]/[Random characters and numbers]/jovf.html

How to prevent this attack

• Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.

• In spite of the availability of patches for known vulnerabilities such as CVE2013-0422, CVE-2010-0188, etc., this exploit kit still targets these vulnerabilities. McAfee recommends that you install the latest patches for Java and Adobe Reader.

• We advise our customers to pay extra caution when opening unsolicited emails and unknown links.

• McAfee products detect these exploits as JS/Exploit-Stykit.

Special thanks to our colleague Bharath M. Narayan for his assistance with this blog.

Original article: Wednesday, June 26, 2013 at 11:33am by Santosh Surgihalli and Varadharajan Krishnasamy
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

Styx Exploit Kit Takes Advantage of Vulnerabilities
« on: 27. June 2013., 10:21:03 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising