Author Topic: Red Kit an Emerging Exploit Pack  (Read 1164 times)


Pez

Red Kit an Emerging Exploit Pack
« on: 11. January 2013., 09:21:28 »
Red Kit an Emerging Exploit Pack

Exploit kits are toolkits that are used to build malware components such as binaries and scripts. They automate the exploitation of client-side vulnerabilities, targeting browsers and programs.

These exploit kits provide an effective way for cybercriminals to distribute malware without the user's consent. Among these kits, the Blackhole exploit kit is one of the most prevalent. Now another kit has gained the attention of the security research community. McAfee Labs has observed an increase in the use of the Red Kit exploit kit. The Red Kit targets vulnerabilities in applications such as Java and Adobe Reader.



Overview of an attack.

As shown in the preceding image, the infection starts when a user visits a compromised website, which contains the link to a Red Kit landing page. The link of the compromised web page may arrive via email as part of a spam campaign to lure the user into clicking the malicious link.



Redirector.

The landing page appears similar to that of Blackhole. It uses plug-in detection code (Version 0.7.7) to identify the version of the browser plug-ins installed in the system:



Plug-in detects Version 0.7.7.

We have observed that the Red Kit uses different URL patterns for its landing pages. Some of them follow:

• hxxp://[domain name]/ewci.htm

• hxxp://[domain name]/hmod.html

• hxxp://[domain name]/mhes.html

• hxxp://[domain name]/hmpu.html

• hxxp://[domain name]/asjs.html

• hxxp://[domain name]/aces.htm

• hxxp://[domain name]/aoef.htm

Also, the landing page has the code to download malicious .jar and .pdf files. These files target the vulnerabilities CVE-2012-1723 and CVE-2010-0188.



A Red Kit landing page.

This exploit kit uses a unique URL pattern for downloading the .jar and .pdf files:

• hxxp://[domain name]/332.jar

• hxxp://[domain name]/887.jar

• hxxp://[domain name]/987.pdf

The payloads of the .jar and .pdf files are also downloaded from unique URL patterns:

• “332.jar” downloads payload from “hxxp://[domain name]/33.html”

• “887.jar” downloads payload from “hxxp://[domain name]/41.html”

• “987.pdf” downloads payload from “hxxp://[domain name]/62.html”

The final payloads are identified as a downloader that delivers additional payloads from the remote server.

How to prevent this attack:

• Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.

• In spite of the availability of patches for known vulnerabilities such as CVE-2012-1723 and CVE-2010-0188, this exploit kit still targets these vulnerabilities. McAfee recommends that you update to the latest patches available for Java and Adobe Reader.

• We advise our customers to exercise extra caution when opening unsolicited emails and unknown links.

McAfee products detect these exploits as “JS/Exploit.Rekit.”


Original article: Wednesday, January 9, 2013 at 10:33am by Varadharajan Krishnasamy

There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475
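
Added example, not part of the original post or the McAfee article: a sketch of how the URL patterns listed above could be matched in proxy logs. The regexes generalise the listed examples (an assumption), and the log format, hostnames and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shapes generalised from the URLs in the post (assumption: the four-letter
# and numeric names vary between campaigns, only their form is stable).
STAGES = {
    "landing": re.compile(r"^/[a-z]{4}\.html?$"),
    "exploit": re.compile(r"^/\d{3}\.(?:jar|pdf)$"),
    "payload": re.compile(r"^/\d{2}\.html$"),
}

# Constructed proxy log lines: "<epoch seconds> <client ip> <url>"
SAMPLE_LOG = """\
1357720001 10.0.0.5 http://compromised.example/hmod.html
1357720003 10.0.0.5 http://compromised.example/332.jar
1357720009 10.0.0.5 http://compromised.example/33.html
1357720050 10.0.0.7 http://intranet.example/41.html
1357720060 10.0.0.8 http://news.example/blog.html
1357720070 10.0.0.9 http://other.example/987.pdf
"""

def classify(url):
    """Return the stage whose pattern the URL path matches, or None."""
    path = urlsplit(url).path
    for stage, pattern in STAGES.items():
        if pattern.match(path):
            return stage
    return None

def find_chains(log_text, window=120):
    """Map (client, host) to 'chain' when an exploit-file request is followed
    by a payload request within `window` seconds, else 'single'.
    Landing-only hits are ignored: /blog.html has the same shape."""
    exploit_seen = {}  # (client, host) -> time of last exploit-file request
    verdicts = {}
    for line in log_text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        stage, key = classify(url), (client, urlsplit(url).hostname)
        if stage == "exploit":
            exploit_seen[key] = int(ts)
            verdicts.setdefault(key, "single")
        elif stage == "payload":
            t0 = exploit_seen.get(key)
            if t0 is not None and int(ts) - t0 <= window:
                verdicts[key] = "chain"
            else:
                verdicts.setdefault(key, "single")
    return verdicts
```

A "chain" verdict is the stronger signal; "single" hits such as a lone `/41.html` need review before blocking, since short numeric page names also occur on benign sites.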





Fintech

Re: Red Kit an Emerging Exploit Pack
« Reply #1 on: 11. January 2013., 21:03:13 »
Hi all,

Today the Finnish SERT.FI asked to remove Java from your computers because it is a bad security hole! The latest Java versions are again the cause of that. So, be careful in relation to it!  :police:

I am sorry because I have such bad English language skills!
  :-\

-F  :bih:
I'm old man but still alive as well :)

Samker

Re: Red Kit an Emerging Exploit Pack
« Reply #2 on: 12. January 2013., 08:30:38 »

...

Today the Finnish SERT.FI asked to remove Java from your computers because it is a bad security hole! The latest Java versions are again the cause of that. So, be careful in relation to it!  :police:

...

-F  :bih:


Yes, even the U.S. Department of Homeland Security posted a warning about this problem: http://scforum.info/index.php/topic,7948.0.html

I'm sure this will produce an extremely big worldwide problem for Oracle (Java owner)...



P.S.

Thanks guys.  :thumbsup:


Fintech

Re: Red Kit an Emerging Exploit Pack
« Reply #3 on: 12. January 2013., 09:10:19 »
Thank you Sam.. :thumbsup: 
You are my Main man in here! So, my mouthpiece!   :up:

Pez

Re: Red Kit an Emerging Exploit Pack
« Reply #4 on: 15. January 2013., 09:32:56 »
More info!

and analysis in:

Java Zero-Day Vulnerability Pushes Out Crimeware in the Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security thread.
