Redkit is the exploit kit behind the recent spam campaigns that exploited the NBC website compromise and the Boston Marathon bombing. Researchers who analysed it found that it targets web servers (such as Apache and Nginx) and that its components are installed on the compromised server itself rather than hosted by the attacker.
First, let's look at how Redkit works:
When a victim browses a website that an attacker has compromised, the victim is usually redirected to the exploit kit's landing page. This redirection happens in several distinct stages, but over the past few months Sophos has found the Troj/Iframe-JG injection to be used most frequently.
The following figure shows a typical injected iframe, which is easy to spot in the page source:
The initial redirection (usually an iframe) points to another legitimate site whose server has also been compromised (this is the first-stage redirection). The iframe target is a page with a 4-character name and an .htm or .html extension in the root of that web server, for example:
Compromised_site.net/dfsp.html
Compromised_site.com/zpdb.html
The request for this page is answered with an HTTP 301 redirect to yet another compromised web server (this is the second-stage redirection), and the redirect target is again a 4-character .htm or .html page in the root of that server.
This second page is the landing page: it loads the malicious JAR files that carry the exploits.
Note that Redkit only targets Java vulnerabilities.
More recently the landing pages have changed slightly, for example using JNLP (Java Network Launching Protocol) to launch the JAR:
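The redirect chain above leaves a distinctive trace in the web server's own access log: requests for 4-character .htm/.html pages in the document root that are answered with a 301 (first stage) or a 200 (landing page), usually with an external referer, for files that do not exist on disk. The following added example (written for this page, not part of the original article or of Sophos's tooling) scans constructed Apache combined-format log lines for that pattern and cross-checks each hit against a constructed listing of the document root. The log lines, the hostnames and the docroot listing are all made up for illustration.

```python
import re
from typing import Dict, List, Set

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Redkit stage pages: a 4-character name with .htm/.html extension, in the docroot.
REDKIT_PATH_RE = re.compile(r'^/[A-Za-z0-9]{4}\.html?$')

# Constructed sample log (not real traffic). Line 1 is a first-stage hit (301),
# line 2 a landing-page hit (200); lines 3-4 are ordinary site traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Apr/2013:10:02:11 +0000] "GET /dfsp.html HTTP/1.1" 301 - "http://legit-blog.example/" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2013:10:02:12 +0000] "GET /zpdb.html HTTP/1.1" 200 1874 "http://legit-blog.example/" "Mozilla/5.0"
203.0.113.9 - - [17/Apr/2013:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Apr/2013:10:05:41 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://compromised_site.com/index.html" "Mozilla/5.0"
"""

# Constructed listing of what actually exists in the document root. On a Redkit
# host the 4-character pages are never on disk: .htaccess routes them to PHP.
SAMPLE_DOCROOT: Set[str] = {"/index.html", "/about.html", "/wp-content/uploads/cache.php"}


def find_redkit_candidates(log_text: str, docroot_files: Set[str]) -> List[Dict]:
    """Return every served request for a 4-character .htm/.html docroot page.

    Each hit records the status (301 = first stage, 200 = landing page), the
    referer, and whether the requested file exists in the docroot listing.
    A served page that is absent from disk is the strongest Redkit indicator.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not REDKIT_PATH_RE.match(path):
            continue
        status = int(m.group("status"))
        if status not in (200, 301, 302):
            continue  # 404s for such names are just noise
        hits.append({
            "ip": m.group("ip"),
            "path": path,
            "status": status,
            "referer": m.group("referer"),
            "on_disk": path in docroot_files,
        })
    return hits


if __name__ == "__main__":
    for hit in find_redkit_candidates(SAMPLE_LOG, SAMPLE_DOCROOT):
        print(hit)
```

On a real server, build the docroot set with a walk of the document root and feed the rotated logs through the same function; a 4-character page that was served with 301 or 200 but has no file behind it is exactly what the .htaccess-to-PHP routing described later on this page produces.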
So far it looks as if the malicious content is served to victims from the compromised web server (the second-stage redirection). In fact, however, the content is never stored on that web server at all.
Instead, Redkit installs a PHP shell on the compromised web server to manage everything. The PHP shell is responsible for:
Handling the first-stage redirection, by redirecting the victim to another compromised server chosen at random. The PHP shell connects to a remote Redkit command-and-control (C&C) server to fetch the list of other compromised sites, which is updated every hour.
Serving the malicious landing page and JAR content to victims. Is this content loaded from disk? No: it is downloaded from the C&C server over HTTPS (using curl). The PHP shell therefore acts essentially as a proxy for the malicious content.
The PHP shell is detected as Troj/PHPRed-
The PHP shell works together with a .htaccess file whose rewrite rules route incoming HTTP requests for the 4-character .htm/.html pages to the PHP script.
The following figure illustrates this.
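The .htaccess routing is what makes the 4-character pages appear to exist without any file on disk. The following added example (written for this page; it is not the real Troj/PHPRed file nor Sophos's code) contains a constructed .htaccess with one benign redirect and one assumed rule in the style described above, then does two things: it flags RewriteRule lines that would send 4-character .htm/.html requests to a PHP script without an external redirect, and it simulates the per-directory rewrite so you can see where a request such as /dfsp.html actually ends up. The rule text, the PHP path and the probe names are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed .htaccess (assumed, not the real Redkit file). Line 3 is a normal
# site redirect; line 4 hands every 4-character .htm/.html request to a PHP
# script while leaving the URL unchanged for the victim's browser.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteRule ^old-page\\.html$ /new-page/ [R=301,L]
RewriteRule ^([a-z]{4})\\.html?$ /wp-content/uploads/cache.php [L]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)

# 4-character page names like those quoted in the article.
PROBE_NAMES = ["dfsp.html", "zpdb.htm"]


def _has_redirect_flag(flags: str) -> bool:
    # RewriteRule flags beginning with R (R, R=301, ...) send the browser elsewhere;
    # a silent internal rewrite has no such flag.
    return any(f.strip().upper().startswith("R") for f in flags.split(","))


def suspicious_rewrite_rules(htaccess_text: str) -> List[Dict]:
    """Flag rules that internally rewrite 4-character .htm/.html requests to PHP."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target, flags = m.group(1), m.group(2), m.group(3) or ""
        try:
            rx = re.compile(pattern)
        except re.error:
            continue  # PCRE syntax Python cannot parse: skip rather than guess
        hits_probe = any(rx.search(name) for name in PROBE_NAMES)
        to_php = target.split("?", 1)[0].lower().endswith(".php")
        if hits_probe and to_php and not _has_redirect_flag(flags):
            findings.append({"line": lineno, "pattern": pattern, "target": target, "flags": flags})
    return findings


def resolve(htaccess_text: str, request_path: str) -> str:
    """Simulate the per-directory rewrite: apply the first matching RewriteRule.

    In .htaccess context Apache matches the pattern against the path with the
    leading '/' stripped. RewriteCond lines, back-references ($1) and the NC
    flag are ignored here; this is enough to show where a request is routed.
    """
    rel = request_path.lstrip("/")
    for line in htaccess_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        try:
            rx = re.compile(m.group(1))
        except re.error:
            continue
        if rx.search(rel):
            return m.group(2)
    return request_path


if __name__ == "__main__":
    for f in suspicious_rewrite_rules(SAMPLE_HTACCESS):
        print("suspicious rule:", f)
    for p in ["/dfsp.html", "/old-page.html", "/index.html"]:
        print(p, "->", resolve(SAMPLE_HTACCESS, p))
```

When checking a suspected host, run the scanner over every .htaccess under the document root (Redkit does not need the rule at the top level) and pair a flagged rule's target script with the access-log check: the target PHP file is the shell that proxies the landing page and JAR from the C&C server.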