French researcher Kafeine, who two months ago provided an analysis of the Cool exploit kit, has now published details of a new toolkit. Offered for sale on an underground forum by reddot@jabbim.com since December 21, 2012, the toolkit is unsurprisingly called Red Dot. It runs on the Apache web server with ‘mod-rewrite’, and requires PHP 5.3 or higher and MySQL 5.1 or higher.
Reddot’s forum advert includes a screenshot of the statistics that the toolkit provides. These include a breakdown of successful infections by operating system, country, browser and exploit. There is no way of knowing whether this is a genuine live screenshot or one made up for the advert. However, according to the statistics shown, Windows 7 is the most vulnerable operating system, the US is the most successfully infected location, Safari is the most exploited browser, and ‘Java jax-ws’ and ‘Java atomic’ are the two successful exploits.
Old exploits are not included in the toolkit because they aren’t sufficiently effective and leave warning signs. New exploits will be, however, “promptly added to the bunch.”
According to Kafeine, Red Dot is currently being used to distribute the Urausy ransomware. Urausy has a high degree of localization, aimed primarily at European countries (the UK version claims to come from the Police Central e-crime Unit), but versions targeting the US and Australia have also been found.