
Crimepack exploit kit
Posted: 08 Mar 2011 03:07 PM

The Crimepack exploit kit was among the top-selling underground commercial software applications in 2010. As with other kits of this kind, Crimepack consists of a number of exploits; which exploits are included depends on the version of the kit. Crimepack initially appeared as version 2.1 at the end of February or beginning of March 2010. Later, other versions were found in the wild, including v2.2.1, v2.8, v3.0, v3.1.0, v3.1.2, and the latest, v3.1.3. The kit is packed with a commercial PHP encoder, and when it is sold it is tied to the buyer's domain. It is built on PHP with a MySQL backend and has a feature-rich admin panel that lets the operator choose which exploits to serve and redirect non-vulnerable traffic elsewhere. Statistics are shown in one table under the MAiN tab and include overall statistics, per-exploit statistics, operating system statistics, browser statistics, and the referrers' and victims' countries.

Crimepack has several features that set it apart from competing kits. An "iFrame obfuscator" feature produces already-obfuscated JavaScript code that can be planted in compromised sites. The obfuscation algorithm used in version 3.1.3 is very simple and can easily be reversed. The obfuscation algorithm's source code is not protected by the commercial encoder, which allows criminals who purchase this pack to substitute a custom obfuscation or encryption algorithm. Another feature is a "Blacklist checker," which checks the domain where the kit is installed against the blacklists of well-known security companies; if the URL appears on a blacklist, the checker notifies the kit's owner. This kit also has a "Downloader builder," which takes a URL as an argument and generates a Trojan-Downloader/rootkit executable. The generated executable has a detection rate of 17/43 on VirusTotal (VT).
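The injected code produced by an "iFrame obfuscator" is what a responder actually finds on a compromised site, so the added example below (not Crimepack code, and not the specific 3.1.3 algorithm, which the post does not reproduce) shows the triage step: peel the common obfuscation layers seen in injected landing-page loaders, `unescape('%xx'/'%uxxxx')` and `String.fromCharCode(...)`, and then flag iframes that are sized or positioned so the visitor never sees them. The sample page and the `.invalid` host names are constructed for the example.

```python
"""Triage helper for pages injected by an exploit-kit 'iframe obfuscator'.

Added example, not Crimepack code: the two obfuscation layers handled here
(unescape('%xx'/'%uxxxx') and String.fromCharCode(...)) are generic patterns
seen in injected landing-page loaders, not the specific algorithm shipped in
Crimepack 3.1.3.  The sample page and the host names are constructed.
"""
import re

# --- constructed sample page ---------------------------------------------------
# Built by encoding plaintext here so the sample is self-consistent; the
# .invalid host names are placeholders, not real kit domains.
HIDDEN_IFRAME_1 = ('<iframe src="http://kit-one.invalid/in.php" width="1" '
                   'height="1" style="visibility:hidden"></iframe>')
HIDDEN_IFRAME_2 = ('<iframe src="http://kit-two.invalid/in.php" '
                   'style="position:absolute; left:-9999px"></iframe>')
VISIBLE_IFRAME = ('<iframe src="http://video.example/embed" width="400" '
                  'height="300"></iframe>')

# Layer 1: the whole document.write() call %XX-encoded and run through eval(unescape()).
_layer1 = ''.join('%%%02X' % ord(c) for c in "document.write('" + HIDDEN_IFRAME_1 + "')")
# Layer 2: the iframe tag as a String.fromCharCode() argument list.
_layer2 = ','.join(str(ord(c)) for c in HIDDEN_IFRAME_2)
SAMPLE_PAGE = (
    "<html><body>\n<p>Welcome</p>\n"
    + VISIBLE_IFRAME + "\n"
    "<script>eval(unescape('" + _layer1 + "'))</script>\n"
    "<script>document.write(String.fromCharCode(" + _layer2 + "))</script>\n"
    "</body></html>"
)

# --- decoding of the obfuscation layers ---------------------------------------
def js_unescape(s):
    """Python version of JavaScript unescape(): %uXXXX is a UTF-16 unit, %XX a
    byte, anything else (including a malformed %) is kept literally."""
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def js_fromcharcode(arg_list):
    """Decode the comma-separated numeric argument list of String.fromCharCode."""
    return ''.join(chr(int(n)) for n in arg_list.split(',') if n.strip())

UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
FROMCHARCODE_CALL = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*\d)\s*\)")

def unwrap_layers(text, max_rounds=8):
    """Replace each unescape(...) / String.fromCharCode(...) call with its
    decoded text, repeating until nothing changes (loaders often nest layers)."""
    for _ in range(max_rounds):
        new = UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), text)
        new = FROMCHARCODE_CALL.sub(lambda m: js_fromcharcode(m.group(1)), new)
        if new == text:
            return text
        text = new
    return text

# --- hidden-iframe heuristics ---------------------------------------------------
IFRAME_TAG = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def iframe_attrs(tag_body):
    """Parse the attributes of one <iframe ...> tag into a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR.finditer(tag_body):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs

def is_hidden(attrs):
    """Heuristics for an iframe the visitor is not meant to see: 1x1 (or 0x0)
    dimensions, hidden/none styling, or positioned off-screen."""
    def tiny(v):
        v = v.strip().lower().rstrip('px')
        return v.isdigit() and int(v) <= 1
    style = re.sub(r'\s+', '', attrs.get('style', '')).lower()
    return ((tiny(attrs.get('width', '')) and tiny(attrs.get('height', '')))
            or 'visibility:hidden' in style
            or 'display:none' in style
            or re.search(r'(left|top):-\d', style) is not None)

def find_hidden_iframes(page, unwrap=True):
    """Return the src URLs of hidden iframes, decoding obfuscation layers first
    (pass unwrap=False to see how little a raw-text grep would catch)."""
    text = unwrap_layers(page) if unwrap else page
    hits = []
    for m in IFRAME_TAG.finditer(text):
        attrs = iframe_attrs(m.group(1))
        if 'src' in attrs and is_hidden(attrs):
            hits.append(attrs['src'])
    return hits

if __name__ == '__main__':
    for src in find_hidden_iframes(SAMPLE_PAGE):
        print('hidden iframe ->', src)
```

Run against the constructed page, a plain grep for `<iframe` reports only the visible video embed; after unwrapping, both hidden loaders and their `in.php` landing URLs surface. The `.invalid` hosts are placeholders, and a real kit-specific decoder would add whatever custom layer the kit's own obfuscator emits on top of these generic ones.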

[Screenshot: Login page]

[Screenshot: Overall statistics provided by the Crimepack exploit kit]

Below is a running list of vulnerabilities that have been used with the Crimepack exploit kit version 3.1.3:

CVE-2010-1885   HCP
CVE-2010-1423   JRE 'WebStart' RCE
CVE-2010-0840   Java getValue Remote Code Execution
CVE-2010-0806   IE iepeers Vulnerability (IE7 Uninitialized Memory Corruption/IEPeers Remote Code Execution)
CVE-2009-3269   Opera TN3270
CVE-2009-1136   OWC Spreadsheet Memory Corruption
CVE-2009-0927   Adobe Reader Collab GetIcon
CVE-2009-0355   Firefox 3.5/1.4/1.5 exploits
CVE-2008-5353   Java Deserialize
CVE-2008-4844   Internet Explorer 7 XML Exploit
CVE-2008-2992   Adobe Reader util.printf
CVE-2007-5755   AOL Radio AmpX Buffer Overflow
CVE-2007-5659   Adobe Reader CollectEmailInfo
CVE-2006-0003   IE MDAC (IE6 COM CreateObject Code Execution)
Aggressive Mode   Java applet that shows a pop-up window asking the user whether to accept the malicious applet (no CVE; relies on the user clicking through the prompt)

Artem Gololobov



©2013 Websense, Inc. All Rights Reserved.