Lifting the lid on the Redkit exploit kit (Part 1)

TheKid7 · May 9, 2013

Lifting the lid on the Redkit exploit kit

Lifting the lid on the Redkit exploit kit (Part 1):

Redkit is one of the lesser known exploit kits that is currently being used to distribute malware.

Though not as widely talked about as Blackhole, Redkit has gained some press recently, having been involved in the NBC site hack and the spam campaigns that followed the Boston bombings.

In the first of this two-part series, I will give an overview of the exploit kit: how it operates and where it is being hosted.

Part Two will take a deeper look into the malicious code being used in order to uncover some of the functionality it provides to the attackers...........
Click to expand...

http://nakedsecurity.sophos.com/2013/05/03/lifting-the-lid-on-the-redkit-exploit-kit-part-1/

TheKid7 · May 9, 2013

A closer look at the malicious Redkit exploit kit:

In my previous article on the Redkit exploit kit, I provided an overview of how the kit operates. Specifically, how the attack uses a network of compromised web servers to serve up the redirects and malicious content.

In this article, I will take a closer look at the malicious content used to infect the user with malware...........
Click to expand...

http://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

Rmus · May 9, 2013

Whew! All of that obfuscation just to sneak in a payload! Quite interesting.

Obfuscation (causing confusion, making obscure) goes back quite a few years. All that has changed are the different methods of working with the variables and functions.

From 6 years ago:

Raising the bar: dynamic JavaScript obfuscation
2007-08-02
http://isc.sans.org/diary.html?storyid=3219

As the deobfuscation function uses itself to deobfuscate the input, changing variable and function names even causes the payload information to change.

The reason for doing this is obvious, such heavy obfuscation makes signature based detection much more difficult, if not impossible and it wasn't surprising to see that 0 anti-virus programs detected this when tested on VirusTotal.
Click to expand...

As far as its use in Exploit Kits, such as Redkit, it's purpose is to download a binary executable (.exe in this article's example) and the comments at the end of the article point out that existing solutions effectively block these payloads:

All of these features are designed to provide layered protection, which is crucial for effective protection against drive-by download attacks delivered from exploit kits like Redkit.
Click to expand...

----
rich

Log in or Sign up

Lifting the lid on the Redkit exploit kit (Part 1)

TheKid7 Registered Member

TheKid7 Registered Member

Rmus Exploit Analyst

Log in or Sign up

Lifting the lid on the Redkit exploit kit (Part 1)

TheKid7 Registered Member

TheKid7 Registered Member

Rmus Exploit Analyst

Useful Searches