A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12998  by 360Tencent
 Thu May 03, 2012 2:25 am
During our research we have recently encountered a new private exploit kit. The developers behind this private kit decided to promote it with a standard banner. After clicking on this banner, you get to a page with a form asking for your jabber username. This way after you leave your details, they contact you and not the other way around. The page with this form was hosted on a compromised site of some unsuspecting Christian church. What today's economics drive people to do...

http://blog.spiderlabs.com/
 #13054  by R136a1
 Sat May 05, 2012 4:12 pm
Any idea where to crypt an EXE file (DLL file)?

We recommend the crypt service http://livefreeteam.ru/ (jabber: LiveFreeTeam@jabber.ru).

English (Google):
"Do not tell - where kriptanut EXE-file (DLL-file)?

We recommend that the crypts service http://livefreeteam.ru/ (Toad: LiveFreeTeam@jabber.ru)."
No doubt, this crypto service stands for quality and reliability. They have just stolen the VertexNet Loader (free malware) web panel and are even too dumb to remove the advertising at the bottom.

 #13076  by hot_UNP
 Mon May 07, 2012 7:30 am
Related samples....
Code:
003E06D0  68 74 74 70 3A 2F 2F 39 34 2E 37 35 2E 32 33 34  http://94.75.234
003E06E0  2E 32 34 31 2F 69 6D 61 67 65 73 2E 70 68 70 3F  .241/images.php?
003E06F0  74 3D 38 32 32 39 38 39 00 00 00 00 00 00 00 00  t=822989........
- malwaredomainlist

http://www.malwaredomainlist.com/mdl.ph ... nactive=on

- virustotal

https://www.virustotal.com/file/e7e15b8 ... /analysis/
Attachments
pw=infected
 #13153  by leeno
 Fri May 11, 2012 8:50 am
Good finding.. anybody with a live Redkit exploit URL? :D
 #18231  by Xylitol
 Sun Feb 17, 2013 11:57 am
Hello, found on a compromised server, malicious iframe: http://urlquery.net/report.php?id=1021581
Example in a site: http://urlquery.net/report.php?id=959310
http://wepawet.iseclab.org/view.php?has ... c9&type=js
Code:
hXtp://bigsoundmarina.com/332.jar
hXtp://bigsoundmarina.com/887.jar
hXtp://bigsoundmarina.com/987.pdf
bigsoundmarina.com is also compromised; the server runs WordPress.
htaccess on bigsoundmarina:
Code:
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteRule ^[a-z0-9]{1,4}[.](htm|pdf|jar) default.php [L]
</IfModule>
default.php is obfuscated and full of shit; you can use this service to decode it easily: http://www.tareeinternet.com/scripts/decrypt.php
I've also found a WSO 2.5 on it (Backdoor.PHP.WebShell.BD)

Stuff in the attachment, I don't get it, if someone can shed some light..

WSO: https://www.virustotal.com/fr/file/21d2 ... 361102318/
Default.php: https://www.virustotal.com/fr/file/a804 ... 361102318/

ftp logs:
Code:
Sun Jan 06 21:12:50 2013 0 212.227.127.179 30448 /home/usr1096/public_html/te_scan.php b _ o r usr1096 ftp 1 * c
Fri Feb 08 15:10:03 2013 0 50.97.97.62 30448 /home/usr1096/public_html/te_scan.php b _ o r usr1096 ftp 1 * c
WSO te_scan.php and /images/ludesk.php, but no logs for ludesk.php (same for access logs)
http://security.stackexchange.com/quest ... ity-threat

edit: appear to be Redkit.
Attachments
infected
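As an added example (not from the thread, and not the kit's or anyone's code from the post), a small Python check a site admin can run over .htaccess files: it flags RewriteRules that hand requests for static-looking extensions (htm/pdf/jar, the pattern quoted above) to a PHP script, and simulates which request paths such a rule would route to default.php. The sample .htaccess is constructed from the one quoted in the post; the extension list and the "existing files" set are my assumptions.

```python
import re

# Constructed sample, modelled on the .htaccess quoted in the thread.
SAMPLE_HTACCESS = """<IfModule mod_rewrite.c>
\tRewriteEngine On
\tRewriteBase /
\tRewriteCond %{REQUEST_FILENAME} !-f
\tRewriteRule ^[a-z0-9]{1,4}[.](htm|pdf|jar) default.php [L]
</IfModule>
"""

# Extensions a browser expects to be static content; a rule that maps these
# onto a PHP script is the fingerprint worth reviewing (assumed list).
STATIC_EXT = re.compile(r"\b(htm|html|pdf|jar|swf)\b", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def find_suspicious_rules(htaccess_text):
    """Return (pattern, target) pairs for RewriteRules whose pattern names a
    static-looking extension while the target is a .php script."""
    hits = []
    for line in htaccess_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target = m.group(1), m.group(2)
        if target.lower().endswith(".php") and STATIC_EXT.search(pattern):
            hits.append((pattern, target))
    return hits


def rewritten_requests(htaccess_text, request_paths, existing_files=()):
    """Simulate which request paths the flagged rules would route to the PHP
    target. The RewriteCond %{REQUEST_FILENAME} !-f guard is approximated by
    skipping paths listed in existing_files (a simplification: real Apache
    evaluates every RewriteCond, this only models the one in the sample)."""
    routed = {}
    for pattern, target in find_suspicious_rules(htaccess_text):
        rx = re.compile(pattern)
        for path in request_paths:
            if path in existing_files:
                continue  # a real file on disk is served as-is
            if rx.match(path):
                routed[path] = target
    return routed


if __name__ == "__main__":
    print(find_suspicious_rules(SAMPLE_HTACCESS))
    print(rewritten_requests(SAMPLE_HTACCESS, ["332.jar", "987.pdf", "index.htm"]))
```

Run it over each `.htaccess` under a site's document root; any hit means short, random-looking .htm/.pdf/.jar URLs are being answered by a script rather than a file.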
 #18236  by d.l.
 Sun Feb 17, 2013 2:40 pm
Redkit, as I tweeted also.
http://ondailybasis.com/blog/?tag=redkit
A few internals about it.

default.php is a forwarder and API for remote management.
In active state:
size is about 4 kb.
Also a folder "default" is present in the root of the site; it includes md5 hashes of victim details to prevent repeat requests.
Victim site acts as TDS or infector with landing page.
In passive state:
size about 2.6,
- only API.
P.S. IMHO it is not wise to publish it publicly.
Denis aka @it4sec
 #18577  by unixfreaxjp
 Mon Mar 18, 2013 10:55 pm
Tried to raise awareness of Red Kit infection in my country; currently too many sites are infected now.
Instead of just making infections, this EK is really a pain in the ass, killing our admins.
For the RedKit bastards: my team mates are working sleepless for this threat only.

PS: Thanks @it4sec for the many hints of infection, thx @xylit0l for the samples.

I would like to raise an issue of RedKit here.
The TDS used by this exploit kit is so f* excellent: it can be set on or off & forward to the sites set by the malware ppl.. whatever they want..

A case of a RedKit TDS openly forwarding a Japanese site to a RUSSIAN site...

Before...
After...

In background...
What did we do to hurt Russians to deserve this?
This is a decent old man's private business site:

as these are evil RedKit TDS working in the background....

So please, help us by providing any samples of a RedKit-infected server with php.ini, .htaccess, default.php, or maybe the web server module they used..
It will save many poor site admins who are forced by their bosses to stay awake blindly seeking the threat source in their sites.
This is WAR for us....pls support!
If I ever have a chance to hack the RedKit server, I will do it for sure, undoubtedly.