Friday, 3 May 2013

RedKit: Initial payload URL decoding algorithm change - March 2013

The exploit kit underwent some changes in March 2013. One of them is the algorithm for decoding the initial payload URL. There is no longer a 'padding pattern' or a character order change, and the parameter value that holds the encoded URL is now much shorter.

In the sample above, the value of the parameter 'name' represents the new format for the encoded URL. The characters in that string serve as indexes into another string 'buried' in the RedKit Java code, which is used to look up characters from yet another 'buried' string. See the code below to make more sense of the previous sentence.

The 'index' and 'lookup' strings seem to stay the same across the RedKit samples seen since March 2013. The parameter value holding the encoded URL starts with "u33&299".

Update May 2013:

Another 'index' string has been seen:

The 'lookup' string stays the same, though.
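To make the index/lookup scheme concrete, here is an added Python re-implementation of the decoding step described above, written for this page and not taken from the post or from RedKit's own Java code. The 'index' and 'lookup' strings in it are constructed placeholders (the post does not reproduce the real strings in text), and the second 'index' string models the May 2013 observation that the index string can change while the lookup string stays the same. The "u33&299" prefix mentioned in the post is not modelled here.

```python
"""Decoder for a 'position in index string -> character in lookup string'
substitution, as the post describes RedKit's initial payload URL encoding.

All strings below are CONSTRUCTED for this example. They are not the
strings found in real RedKit samples.
"""
import re

# Constructed 'lookup' string: the alphabet the decoded URL is drawn from.
LOOKUP_STRING = "abcdefghijklmnopqrstuvwxyz0123456789:/.-_"

# Two constructed 'index' strings: each is a permutation of LOOKUP_STRING.
# The position of an encoded character in the index string selects the
# decoded character at the same position in LOOKUP_STRING.
INDEX_STRING_MARCH = LOOKUP_STRING[::-1]                     # reversed alphabet
INDEX_STRING_MAY = LOOKUP_STRING[20:] + LOOKUP_STRING[:20]   # rotated alphabet

# Known index strings, in the order they were observed (per the post, the
# lookup string did not change when a new index string appeared).
KNOWN_INDEX_STRINGS = [INDEX_STRING_MARCH, INDEX_STRING_MAY]


def decode_payload_url(encoded, index_string, lookup_string=LOOKUP_STRING):
    """Decode one parameter value using the given index and lookup strings.

    Raises ValueError if the strings are inconsistent or a character of the
    encoded value does not occur in the index string (wrong index string,
    or a value that is not in this format at all).
    """
    if len(index_string) != len(lookup_string):
        raise ValueError("index and lookup strings must have the same length")
    decoded = []
    for ch in encoded:
        pos = index_string.find(ch)
        if pos < 0:
            raise ValueError(f"character {ch!r} not present in index string")
        decoded.append(lookup_string[pos])
    return "".join(decoded)


def encode_payload_url(plain, index_string, lookup_string=LOOKUP_STRING):
    """Inverse of decode_payload_url; used here only to build test vectors."""
    if len(index_string) != len(lookup_string):
        raise ValueError("index and lookup strings must have the same length")
    encoded = []
    for ch in plain:
        pos = lookup_string.find(ch)
        if pos < 0:
            raise ValueError(f"character {ch!r} not present in lookup string")
        encoded.append(index_string[pos])
    return "".join(encoded)


def decode_with_known_index_strings(encoded, candidates=KNOWN_INDEX_STRINGS,
                                    lookup_string=LOOKUP_STRING):
    """Try each known index string in turn.

    Returns (candidate_number, decoded_url) for the first index string that
    yields something shaped like an HTTP(S) URL, or None if none does.
    A wrong index string usually produces either a ValueError (character
    absent) or a string that does not look like a URL, so both are skipped.
    """
    for number, index_string in enumerate(candidates):
        try:
            candidate = decode_payload_url(encoded, index_string, lookup_string)
        except ValueError:
            continue
        if re.match(r"^https?://", candidate):
            return number, candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a URL encoded with the 'May' index string, then
    # decoded by trying the known index strings in order.
    sample = encode_payload_url("http://example.invalid/x.jar", INDEX_STRING_MAY)
    print("encoded :", sample)
    print("decoded :", decode_with_known_index_strings(sample))
```

When a sample fails to decode with every known index string, the usual reason in this scheme is that a new index string has been introduced (as happened in May 2013), so the first thing to compare against the kit's Java is the index string rather than the lookup string.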
