We started seeing this exploit kit in our systems on November 21st.  It has some similarities to Redkit and the Dotcache exploit kit.
 Cookiebomb redirection to:

192.168.0.58    1044    173.237.187.203 80      GET                     173.237.187.203 /cnt.php?id=786629      Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

173.237.187.203 80      192.168.0.58    1044            301     text/html

Which bounces you over to:
 Landing:
192.168.0.58    1046    192.185.32.90   80      GET                     vinnypedulla.com        /2013/11/11/21/2013/downloader.php?page_seed=xhtml      Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

192.185.32.90   80      192.168.0.58    1046            200     text/html

This is the JNLP bypass in an xml.
192.168.0.58    1048    192.185.32.90   80      GET                     vinnypedulla.com        /5/201311/browser.xml   Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16

192.185.32.90   80      192.168.0.58    1048            200     text/xml

Cve: 2012-0507
192.168.0.58    1048    192.185.32.90   80      GET             application/x-java-archive      vinnypedulla.com        /5/201311/browser.jar   Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16

192.185.32.90   80      192.168.0.58    1048            200     application/java-archive
 Payload
192.168.0.58    1049    192.185.32.90   80      GET                     vinnypedulla.com        /5/201311/014146.mp3    Java/1.6.0_16

192.185.32.90   80      192.168.0.58    1049            404     text/html

At the time of this investigation, the Payload 404'ed.

I'll update this blog post as more information becomes available.

Update:  After further research, it appears the structure for the URLs doing the download of the jar and jnlp files is dynamic in some way.  However, we are seeing this exploit kit now drop a XOR'd binary of Zeroaccess.  Please ensure you have VRT rule 26524 enabled, as that will detect the JWS bypass section of this exploit kit. If in IPS mode, it should stop this kit from working.  
 Update-2: Added some clarification around the Cookiebomb bump.  Detected 60 installs of this yesterday.