Refresh HTTP header in EK Landing Page, or “200% success attack”


Yesterday,  some brief review of casual threat draw my attention by serving two different Exploit Kits  landing pages thru one include.

Actually, its not new, because there was multiple attempts to increase surface of attack by bot-masters.

Among those methods:

1. Include different injections into hacked server webpages [lame, but worked :)]

2. Use legit or barely-legit TDS (Sutra\SimpleTDS) to route traffic based on internal rules to different Exploit Kits page

3. Using various client-server solutions (scripts with embedded algorithm of traffic forward) with internal capability of routing traffic.

Here is another one 🙂 And it based on very popular in marketing formula “2 in 1”

Look at recent response from Exploit Kit (RedKit in this case)

GET h00p://

Ok, You say, what interesting in this (yeah-yeah, some changes in RedKit landing page, I saw them too 🙂 ) look at HTTP header!

Refresh: 20; URL=h00p://link_2_malware.domain/links/1.php

This is something new (for me, at least).

Let’s look at HTTP_Headers cheat sheet.

So, in simple words it command to browser: stay on this page 20 seconds, then move to next link.

Next link is BlackHole2 EK, that lead us to Kelihos.F variants  droppers.

Technically, it not route traffic between different ExploitKits, it literally infect victim twice:

1. Redkit Drop it’s payload in first 20 seconds.

2. After 20 seconds, victim redirected to BlackHole2 EKand infected again.

Have to say, that it’s common practice, to rent “installs” of malware on infected machines, to increase “return” ratio. But method is new, so be aware and stay protected 🙂

Stay Safe!





Leave a comment