New exploit kit called RedKit found in the wild

I don’t normally write about exploit kits (these are also referred to as ‘packs’) because most of my readers wouldn’t understand their relevance in the online world. It’s kind of geeky too. That said, this exploit pack is definitely worth mentioning. Read on to find out why.

What are exploit kits? They are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. The BlackHole exploit kit is one of the most well known.

Security researchers have identified a new exploit kit that they have named “RedKit” – the kit itself doesn’t carry a name, so the researchers chose one. RedKit delivers its payload via an Adobe Acrobat and Reader LibTIFF vulnerability and a Java AtomicReferenceArray vulnerability – the latter is the one behind the Adobe Flashback flaw which has been in the news this week.

Logging in to the exploit kit’s control panel allows the operator to check the stats for incoming traffic, upload a payload executable and even scan that payload against no fewer than 37 different antivirus (AV) products. What is really clever here is the response to URL blocking: most security firms block a given malicious URL within 24 to 48 hours, so RedKit provides an API which produces a fresh URL every hour.

This automated API process, which re-points traffic sources to a new URL every hour, is something the AV companies will be very aware of. Make sure your AV product is up to date and be careful what links you click on, folks!
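Hourly URL rotation leaves a recognisable trace in a defender's own web proxy logs: one host serving a long series of one-off paths, each alive for roughly an hour and never seen again. The script below is an added example (not code from the original post or from the Trustwave researchers) that runs this check over a handful of constructed proxy log lines; the log format, hostnames and paths are all assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real traffic), one request per line:
# "<ISO timestamp> <client IP> <host> <path>"
# landing.example-bad.test serves a brand-new path every hour;
# cdn.example-static.test serves the same static assets across hours.
SAMPLE_LOG = """\
2012-05-03T09:05:12 10.0.0.11 cdn.example-static.test /lib/jquery.js
2012-05-03T09:07:40 10.0.0.12 landing.example-bad.test /a7f3/index.php
2012-05-03T09:31:02 10.0.0.13 landing.example-bad.test /a7f3/index.php
2012-05-03T10:02:55 10.0.0.14 landing.example-bad.test /b91c/index.php
2012-05-03T10:44:19 10.0.0.12 cdn.example-static.test /lib/jquery.js
2012-05-03T11:03:08 10.0.0.15 landing.example-bad.test /c20e/index.php
2012-05-03T12:09:51 10.0.0.16 landing.example-bad.test /d55a/index.php
2012-05-03T12:10:30 10.0.0.11 cdn.example-static.test /css/site.css
"""


def parse_log(text):
    """Parse 'timestamp client host path' lines; malformed lines are skipped.

    Each record keeps the request's hour bucket (minutes/seconds zeroed) so
    that path lifetimes can be measured in whole hours."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, path = parts
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        records.append({"hour": hour, "client": client, "host": host, "path": path})
    return records


def path_hours(records):
    """Map host -> path -> set of hour buckets in which that path was requested."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["host"]][r["path"]].add(r["hour"])
    return seen


def rotating_hosts(records, min_paths=3):
    """Return hosts that look like hourly-rotated landing pages.

    A host is flagged when it has at least `min_paths` distinct paths and
    every one of those paths was only ever requested inside a single hour
    bucket, i.e. no path survived into the next hour."""
    flagged = []
    for host, paths in path_hours(records).items():
        if len(paths) < min_paths:
            continue
        if all(len(hours) == 1 for hours in paths.values()):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in rotating_hosts(parse_log(SAMPLE_LOG)):
        print("possible rotating landing host:", host)
```

Treat a hit as a triage signal rather than a verdict: a CDN that cache-busts every asset path, or an A/B-testing endpoint, will show the same churn, so the flagged host should be checked against the payloads it actually served and the clients that fetched them.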

Safe surfing folks!

Bootnote: Thanks to the guys at Trustwave for this find.


One Response to New exploit kit called RedKit found in the wild

  1. Chris Straub says:

    I have a friend that is a web developer and I work in small business IT support. His server has this exploit:

    File Name:

    Threat name: Exploit Redkit Exploit Kit Detection (type 1938)

    The server is hosted by Rackspace.
    He says: “I think the compromise may have come via a 777 setting instead of 775.”
    (I don’t know what he means by this.)

    Where do we start in removing this exploit from the server and how do we protect in the future?

    Other info:
    The Linux side of our platform is built on Debian 4.0 (Etch) and Red Hat Enterprise Server. On the other side of the fence, the Windows platform runs on Windows 2008 and IIS 7.
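The "777 instead of 775" remark in the comment above refers to the Unix permission bits: 775 lets the owner and group write, while 777 also lets any other local user or process (the web server included) write. A first step on a compromised web root is therefore to list everything that grants that "other" write bit. The following is an added example, not code from the commenter, the blog or any vendor; it builds a small constructed directory tree to run against, and the `webroot_` layout, file names and modes are all assumptions for the demonstration.

```python
import os
import stat
import tempfile


def world_writable(root):
    """Return (relative path, octal mode) for every file or directory under
    `root` whose mode grants write access to 'other' (the last digit of the
    octal mode is 2, 3, 6 or 7). Symlinks are skipped because their mode is
    meaningless; sticky-bit directories (like /tmp) are reported too, since
    they still allow arbitrary file creation inside a web root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def strip_other_write(root, dry_run=True):
    """Plan (or, with dry_run=False, apply) removal of the 'other' write bit
    from every world-writable path found under `root`. Returns the list of
    (relative path, old mode, new mode) so the change can be reviewed first."""
    changes = []
    for rel, old_mode in world_writable(root):
        path = os.path.join(root, rel)
        new_mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH
        changes.append((rel, old_mode, oct(new_mode)))
        if not dry_run:
            os.chmod(path, new_mode)
    return changes


def build_demo_tree():
    """Constructed web root for the demonstration: an 'app' directory at 775
    (fine) and an 'uploads' directory at 777 holding a 666 PHP file (both of
    which the audit should report)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    app = os.path.join(root, "app")
    os.mkdir(app)
    os.chmod(app, 0o775)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    cache = os.path.join(uploads, "cache.php")
    with open(cache, "w") as fh:
        fh.write("<?php // constructed placeholder file\n")
    os.chmod(cache, 0o666)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in world_writable(demo_root):
        print(f"world-writable: {rel} ({mode})")
    for rel, old, new in strip_other_write(demo_root, dry_run=True):
        print(f"would change {rel}: {old} -> {new}")
```

Run it against the real document root with `dry_run=True` first and review the list: some applications genuinely need a writable upload or cache directory, and the fix there is to give that directory to the web server's own user or group (775 with the right owner) rather than to leave it open to everyone. Closing the permission hole does not by itself remove whatever was planted through it, so the audit output is also the list of locations to inspect for unexpected files.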
