A new private exploit kit has reportedly integrated the latest Java vulnerabilities.
The RedKit exploit kit was sold on private underground criminal forums on request and, like other kits, was used to compromise user machines.
A security researcher using the handle Kafeine revealed in a brief analysis that the kit had incorporated the latest Java flaw (CVE-2012-4681), and that it was hosted on what appeared to be the compromised website of a small Polish company.
Victims redirected to the infected page were greeted with a message that read “I want Porche Turbo”, a phrase Kafeine pointed out was similar to a landing page for the Gimemo ransomware kit.
RedKit was updated to take advantage of two vulnerabilities (patched hours ago) used in an exploit that surfaced last week. The malicious RedKit jar file was detected by two out of 41 anti-virus vendors on VirusTotal.
Immunity developer Esteban Guillardoy said in an analysis that the vulnerability class “provides 100 per cent reliability and is multi-platform” and would become “the penetration test Swiss knife for the next couple of years”.
SpiderLabs analysts found and named RedKit in May this year during routine research. Customers could sign up and get a demonstration of the toolkit by submitting a form hosted on a compromised webpage.
The privately-sold kit was rising in popularity and contained exploits similar to those in the rival crimeware kits BlackHole and Phoenix, including the Java AtomicReferenceArray vulnerability (CVE-2012-0507) identified in May.
BlackHole was quick to incorporate the exploits and had wreaked havoc while the vulnerability remained unpatched this week.
It presented a much greater threat than RedKit because of its popularity: Seculert researchers pointed out that BlackHole was behind more than 85 per cent of exploit kit infections.
“Usually, a good exploit kit like BlackHole has a success rate of around 10 per cent for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25 per cent success rate,” Seculert wrote in a blog post.
“Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99 percent successful.”