Topic: Red Kit an Emerging Exploit Pack

[Pez]

Red Kit an Emerging Exploit Pack

Exploit kits are toolkits that are used to build malware components such as binaries and scripts. They automate the exploitation of client-side vulnerabilities, targeting browsers and programs.

These exploit kits provide an effective way for cybercriminals to distribute malware without the users consent. Among these kits, the Blackhole exploit kit is one of the most prevalent. Now another kit has gained the attention of the security research community. McAfee Labs has observed an increase in the use of the Red Kit exploit kit. The Red Kit targets vulnerabilities in applications such as Java and Adobe Reader.


Larger image

Overview of an attack.

As shown in the preceding image, the infection starts when a user visits a compromised website, which contains the link to a Red Kit landing page. The link of the compromised web page may arrive via email as part of a spam campaign to lure the user into clicking the malicious link.


Larger image

Redirector.

The landing page appears similar to that of Blackhole. It uses plug-in detection code (Version 0.7.7) to identify the version of the browser plug-ins installed in the system:


Larger image

Plug-in detects Version 0.7.7.

We have observed that the Red Kit uses different URL patterns for its landing pages. Some of them follow:

• hxxp://[domain name]/ewci.htm

• hxxp:// [domain name]/hmod.html

• hxxp:// [domain name]/mhes.html

• hxxp:// [domain name]/hmpu.html

• hxxp:// [domain name]/asjs.html

• hxxp:// [domain name]/aces.htm

• hxxp:// [domain name]/aoef.htm

Also, the landing page has the code to download malicious .jar and .pdf files. These files target the vulnerabilities CVE 2012-1723 and CVE 2010-0188.


Larger image

A Red Kit landing page.

This exploit kit uses a unique URL pattern for downloading the .jar and .pdf files:

• hxxp://[domain name]/332.jar

• hxxp://[domain name]/887.jar

• hxxp://[domain name]/987.pdf

The payloads of the .jar and .pdf files are also downloaded from unique URL patterns:

• “332.jar”  downloads payload from  “hxxp://[domain name]/33.html”

• “887.jar”  downloads payload from  “hxxp://[domain name]/41.html”

• “987.pdf” downloads payload from  “hxxp://[domain name]/62.html”

The final payloads are identified as a downloader that delivers additional payloads from the remote server.

How to prevent this attack:

• Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.

• In spite of the availability of patches for known vulnerabilities such as CVE2012-1723 and CVE2010-0188, this exploit kit still targets these vulnerabilities. McAfee recommends that you update to the latest patches available for Java and Adobe Reader.

• We advise our customers to pay extra caution when opening unsolicited emails and unknown links.

McAfee products detect these exploits as “JS/Exploit.Rekit.”


Orginal article: Wednesday, January 9, 2013 at 10:33am by Varadharajan Krishnasamy

[Fintech]

Hi all,

Today the Finnish SERT.FI ask to remove Java's out your computers because for it is bad security hole! Latest Java versions again cause of that So, be careful within its relationship! 

I am sorry because I have so bad of the english language skills! 

-F 

[Samker]

...

Today the Finnish SERT.FI ask to remove Java's out your computers because for it is bad security hole! Latest Java versions again cause of that So, be careful within its relationship! 

...

-F 

Yes, even The U.S. Department of Homeland Security post a warnings about this problem: http://scforum.info/index.php/topic,7948.0.html

I'm sure this will produce extremely big worldwide problem to Oracle (Java owner)...



P.S.

Thanks guys. 

[Fintech]

Thank you Sam..  
You are my Main man in here! So, my mouthpiece!   

[Pez]

More info!

and analyse in:

Java Zero-Day Vulnerability Pushes Out Crimeware in the Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security thred.