• #1042 (no title)
  • About Leoni Designory – www.leonidesignory.com
  • Infographics
  • Social Media – A Overview

leonidesignoryblog

~ socially savvy design

Tag Archives: Security

Lifting the lid on the Redkit exploit kit (Part 1)

03 Friday May 2013

Posted by leonidesignoryblog in Facebook, Google+, LInkedIn, Pinterest, Twitter, Uncategorized, YouTube

≈ Leave a comment

Tags

Security

This comes by way of the Sophos and their Naked Security blog. Thanks for the heads up!
by Fraser Howard on May 3, 2013 | Leave a comment

redkit115

Redkit is one of the lesser known exploit kits that is currently being used to distribute malware.

Though not as widely talked about as Blackhole, Redkit has gained some press recently, having been involved in the NBC site hack and the spam campaigns that followed the Boston bombings.

In the first of this two-part series, I will give an overview of the exploit kit: how it operates and where it is being hosted.

Part Two will take a deeper look into the malicious code being used in order to uncover some of the functionality it provides to the attackers.

To start with, let’s take a look at how Redkit operates.

Traffic control

As with other exploit kit drive-by downloads, victims are typically redirected to the exploit kit when they browse a compromised web site. For Redkit attacks, there are several different flavours of redirect being used, but over the past few months, the most prolific is one that Sophos blocks asTroj/Iframe-JG.

This inject has been discussed previously. As you can see from the image below, the iframe injected into pages is fairly easy to recognise:

Injected iframe used to redirect victims to Redkit

Exploit kit

The conventional drive-by download model involves victims being redirected to a malicious exploit site. However, Redkit does things a bit differently.

The initial redirect (typically an iframe) will be to another legitimate, but compromised server. Let’s call this the first stage redirect. This redirect will be to a four-character .htm or .html page in the root of the the target web server. For example:

compromised_site.net/dfsp.html
compromised_site.com/zpdb.html

The response from this redirect is a HTTP 301 redirect. Let’s call this thesecond stage redirect.

The 301 redirect bounces the victim off to another compromised web server, again to a four-character .htm or .html page. This time, the malicious content is delivered via a simple landing page that loads the malicious JAR.

Redkit landing page

Historically, Adobe Reader has also been targeted, but Redkit has been targetting just Java vulnerabilities for a while now.

More recently, the landing pages are slightly different, using JNLP (Java Network Language Protocol):

More recent Redkit landing pages, using JNLP

Note: Older versions of the kit used .html for the first stage redirect target, and .htm for the second stage. In later versions of the kit this has changed.

Command and Control server

As far as the victim is concerned, the malicious content is delivered from the compromised web server that is used in the second stage redirect. Interestingly, however, that content is never stored on that web server.

Instead, the compromised web servers used by Redkit are loaded with a PHP shell, which manages things. The PHP shell is responsible for:

  • Bouncing first-stage redirects on to another (randomly chosen) server. The PHP shell connects to a remote Redkit command and control (C&C) server in order to obtain a list of other compromised sites (updating the list each hour).
  • Delivering malicious landing page and JAR content to the victim. This is not loaded from disk. Instead it is downloaded (using cURL) via HTTPS from the C&C server. So the PHP shell essentially acts as a proxy for the malicious content.

Snippet of code from PHP shell used by Redkit

→ Sophos products detect the PHP shell as Troj/PHPRed-A.

The PHP shell works in tandem with a rogue .htaccess file, which is responsible for guiding incoming HTTP requests (to the four-character htm/html files) to the necessary PHP script.

This is illustrated in the diagram below.

Overview of how Redkit works

Distribution

A large number of compromised web servers have been used by Redkit over the past few months. A breakdown by the countries hosting the hacked servers is shown below.

Breakdown of Redkit compromised web servers by host country

These servers are split across several ISPs:

Breakdown of ISPs hosting the Redkit compromised web servers

How are the servers being compromised? Looking at the server strings returned from the compromised web servers, we get a fair spread.

Web server breakdown for Redkit compromised servers

This would suggest that it is not the server platform (Apache, IIS etc) that is being targeted/exploited. More likely software/applications installed on the server itself, or simply stolen credentials.

This concludes the first of these articles on Redkit. It provides an overview of how the kit operates, and describes the interesting techniques used to “host” the exploit kit. The data collected thus far also gives us an indication of the prevalence of this kit, and the number of compromised web servers involved.

In the next article in the series, we will take a closer look at the malicious Java code, and how it is used to infect the victim with the payload.

Share this:

  • Print
  • Email
  • LinkedIn
  • Pinterest
  • Twitter
  • Facebook

Like this:

Like Loading...

Subscribe

  • Entries (RSS)
  • Comments (RSS)

Archives

  • December 2015
  • October 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • November 2012
  • August 2012

Categories

  • Advanced Search
  • Best Practices
  • Bing Search Engine
  • Bloging
  • community manager
  • Content Marketing
  • Email Marketing
  • Facebook
  • Flip Key
  • Google Analytics
  • Google SEO
  • Google+
  • Hashtags
  • Hootsuite
  • Instagram
  • LInkedIn
  • Mail Chimp
  • Marketing
  • Merchandising
  • Mobil Web
  • mobile app marketing
  • Mobile Web
  • Multi Channel Marketing
  • Online Marketing
  • Pinterest
  • Political
  • PR
  • Responsive Web
  • Responsive Web Design
  • Social Listening
  • SPAM
  • Trip Advisor
  • tumblr.
  • TV Advertizing
  • Twitter
  • Uncategorized
  • Web Site Design
  • WordPress
  • Yelp
  • YouTube

Meta

  • Register
  • Log in

Blog at WordPress.com.

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
%d bloggers like this: