A new exploit kit has surfaced, and according to Arseny Levin of Trustwave SpiderLabs, it includes an API that generates new attack URLs every hour.
The kit's authors haven't named it, so Levin and SpiderLabs simply chose to call it RedKit, a reference to its color scheme.
RedKit's most salient feature is that hourly URL rotation: the landing page victims are sent to changes every hour, so URL- and domain-based blocklists go stale almost as soon as they are published, and reliably blocking RedKit-infected sites by address becomes very difficult. The kit also lets its users upload an executable payload and check it against 37 different antivirus products before deploying it.
As of now, Levin writes, RedKit exploits two popular (and long-patched) vulnerabilities. One is delivered as an obfuscated PDF that exploits the Adobe Reader LibTIFF flaw (CVE-2010-0188); the other is the Java AtomicReferenceArray type-confusion flaw (CVE-2012-0507), the same vulnerability used by the Flashback trojan.
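Because the kit's URLs rotate hourly, a defender gets more mileage from the shape of the traffic than from the address. The following is an added example, not code from SpiderLabs or from the kit: it scans constructed proxy log lines for a client that fetches an HTML landing page from a host the proxy has never seen, then, within seconds, pulls a PDF and/or a Java archive from that same host. Only the rotating host names differ between the two incidents in the sample, and a stand-alone PDF download from a new host is deliberately left unflagged. The log format, the `KNOWN_HOSTS` baseline and the 30-second window are assumptions made for the example.

```python
"""Flag exploit-kit-style redirect chains in proxy logs without a URL blocklist.

Added example, not part of the SpiderLabs analysis. Heuristic: a single client
fetches text/html from a host not in the proxy's baseline, then fetches a PDF
or Java archive from that same host within a short window. Hourly URL rotation
changes the host name, not this shape. All log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, client IP, host, path, response content type.
PROXY_LOG = [
    "2012-05-03T10:01:02 10.0.0.5 news.example.com /index.html text/html",
    "2012-05-03T10:01:03 10.0.0.5 cdn.example.com /ad.js application/javascript",
    "2012-05-03T10:01:04 10.0.0.5 f7c1a2e9.rotating.example.net /go.php text/html",
    "2012-05-03T10:01:05 10.0.0.5 f7c1a2e9.rotating.example.net /file.pdf application/pdf",
    "2012-05-03T10:01:06 10.0.0.5 f7c1a2e9.rotating.example.net /file.jar application/java-archive",
    # Legitimate PDF from a never-seen host, with no landing page first: must not be flagged.
    "2012-05-03T10:20:00 10.0.0.9 docs.example.org /manual.pdf application/pdf",
    # One hour later the kit has rotated to a new host; the chain looks the same.
    "2012-05-03T11:02:10 10.0.0.7 3b9d0e21.rotating.example.net /go.php text/html",
    "2012-05-03T11:02:12 10.0.0.7 3b9d0e21.rotating.example.net /file.jar application/java-archive",
]

# Assumed baseline: hosts the proxy has already seen (e.g. over the last 30 days).
KNOWN_HOSTS = {"news.example.com", "cdn.example.com"}

# Content types matching the kit's two exploit carriers (PDF and Java archive).
EXPLOIT_TYPES = {"application/pdf", "application/java-archive", "application/x-java-archive"}
WINDOW = timedelta(seconds=30)  # assumed maximum gap between landing page and payload


def parse(line):
    """Split one constructed log line into (timestamp, client, host, path, content_type)."""
    ts, client, host, path, ctype = line.split()
    return datetime.fromisoformat(ts), client, host, path, ctype


def find_driveby_chains(lines, known_hosts):
    """Return [(client, host, [payload content types])] for each suspicious chain.

    A host absent from known_hosts counts as newly observed. A chain is flagged
    only if the client's first HTML fetch from that host is followed, within
    WINDOW, by at least one exploit-carrier content type from the same host.
    """
    events = sorted(parse(line) for line in lines)
    landings = {}                  # (client, host) -> time of first HTML fetch
    payloads = defaultdict(list)   # (client, host) -> content types fetched after landing
    for ts, client, host, _path, ctype in events:
        if host in known_hosts:
            continue
        key = (client, host)
        if ctype == "text/html" and key not in landings:
            landings[key] = ts
        elif ctype in EXPLOIT_TYPES and key in landings and ts - landings[key] <= WINDOW:
            payloads[key].append(ctype)
    return [(c, h, payloads[(c, h)]) for (c, h) in landings if payloads[(c, h)]]


if __name__ == "__main__":
    for client, host, types in find_driveby_chains(PROXY_LOG, KNOWN_HOSTS):
        print(f"{client} -> {host}: landing page followed by {', '.join(types)}")
```

Both rotating hosts are flagged while `docs.example.org` is not, because the heuristic keys on the landing-page-then-payload sequence rather than on any address. In production the baseline of known hosts needs real history behind it, and the flagged payloads are the artifacts worth pulling for analysis, since the URL that served them will be gone within the hour.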
Levin believes that RedKit’s authors will have to add new exploits to their kit sometime soon if they hope to keep up with the industry standard Blackhole and Phoenix exploit kits.
SpiderLabs researchers found RedKit being advertised by a banner ad on a compromised church website. Users who clicked the ad were redirected to a page that asked for their Jabber username. In this way, Levin says, the RedKit developers can vet prospective customers and pick and choose whom they sell their services to.
You can read the SpiderLabs analysis here.