RedKit Patterns – Additional Info to @fknsec Writeup

Posted: December 12th, 2012 | Author: | Filed under: IT Related | Tags: , , , | 4 Comments »

It’s been a while since the last time I logged in into my WordPress. I’ve jumped on BlueCoat System‘s bandwagon (and left MyCERT earlier), so I’ve to spent some time to make myself familiar with this new environment and job 🙂

Last week, @fknsec, in his blog, wrote a very good article about RedKit Exploit Kit. But here I would like to add few more interesting facts on the RedKit patterns

  1. @fknsec did mention about “/hmiq.htm” in his blog, but from my observation, beside Porche and Ferari, the RedKit author also like the letter H. The naming convention for the HTML file will always start from H and ended with .htm (everything in small case). So a working regex for this pattern world be: 
    /\/h(m|f)[a-z]{2}\.htm$/

    ** updated on 14 Feb 2013 **
    Look like this portion is no longer valid at the moment. You can replace it with:

    /\/[a-z]{4}\.html?$/
  2. 887.jar and 332.jar is quite unique to RedKit. Go hunt them! 
    /\/(887|332)\.jar$/
  3. Same goes to 987.pdf 
    /\/987.pdf$/
  4. c.htm as mentioned by @fknsec can be in 1 char (letter) file name (in small case), or it can also be in 2 digit (number) and ended with .htm. 
    /\/([a-z]{1}|\d{2})\.htm$/
  5. Unlike BlackHole and Cool exploit kit, RedKit will usually be hosted on compromised websites and not having his own special subdomain. Most of the time, RedKit files will be in the main directory of a website/domain 
    eg: google.com/332.jar
  6. From my observation, among the famous tricks to lure victim to RedKit are:
    • Redirector script planted in jquery JS file
    • Redirector in “Domain to sell” placeholder

I think that’s all for today. I don’t know when is the next time to update my blog, since will keep my self busy in these coming weeks, with my first baby is going to execute /h(is|er)/ first version of “Hello World” script in near soon.

Till then, stay safe everyone & happy hunting!

 

Reference:

  1. http://fortknoxnetworks.blogspot.com/2012/12/exploit-medfos-url-detection-with-drop.html
  2. http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-redkit-exploit-kit-i-want.html

4 Comments on “RedKit Patterns – Additional Info to @fknsec Writeup”

  1. 1 shukor said at 10:46 PM on December 19th, 2012:

    my first baby is going to execute /h(is|er)/ first version of “Hello World” script in near soon.

    it’s today.

  2. 2 Stephen Yeoh said at 12:26 AM on February 8th, 2013:

    I tried using your pattern with grep and received an error. What’s the shell command line tool to use with these patterns?

    On a Mac OS X in the terminal.

    BTW, there are many variants of jquery. Do you know which jquery files were being targeted?

    Thanks.
    Stephen

  3. 3 xanda said at 1:52 PM on February 14th, 2013:

    the first and the last / is to represent regex to use it, just remove the first and the last /

    eg:

    from /\/987.pdf$/

    is used in the regular expression as:

    cat logfile.log | grep -E ‘\/987.pdf$’

    They dont target specific jquery but since the jquery file is there, just just add in 1 or 2 iframe in the jquery file.

    I’ll write a blog post on this later

  4. 4 RedKit Redirector Injected into Legitimate JavaScript Code | Xanda's Blog !~! said at 12:32 AM on February 15th, 2013:

    […] on legitimate websites” and it seems like a familiar stuff to me. I’ve also been asked in the comment section of “RedKit Patterns – Additional Info to @fknsec Writeup” entry on something that is […]

Leave a Reply