We started seeing this exploit kit in our systems on November 21st. It has some similarities to Redkit and the Dotcache exploit kit.
Cookiebomb redirection to:
192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203 /cnt.php?id=786629 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
173.237.187.203 80 192.168.0.58 1044 301 text/html
Which bounces you over to:
Landing:
192.168.0.58 1046 192.185.32.90 80 GET vinnypedulla.com /2013/11/11/21/2013/downloader.php?page_seed=xhtml Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
192.185.32.90 80 192.168.0.58 1046 200 text/html
This is the JNLP bypass, delivered as an XML file:
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.xml Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.185.32.90 80 192.168.0.58 1048 200 text/xml
CVE-2012-0507:
192.168.0.58 1048 192.185.32.90 80 GET application/x-java-archive vinnypedulla.com /5/201311/browser.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.185.32.90 80 192.168.0.58 1048 200 application/java-archive
Payload:
192.168.0.58 1049 192.185.32.90 80 GET vinnypedulla.com /5/201311/014146.mp3 Java/1.6.0_16
192.185.32.90 80 192.168.0.58 1049 404 text/html
At the time of this investigation, the Payload 404'ed.
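As an added example (not code from the original post), a Python sketch of the detection heuristic the chain above suggests: flag a client whose Java user agent fetched an XML/JNLP descriptor and a JAR from one host and then pulled a file with an extension Java Web Start would not normally request, as with the .mp3 payload here. The sample records are constructed after the flow lines quoted above; intranet.example is a made-up benign host used as a control.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the flow lines quoted in the post;
# intranet.example is a made-up benign host used as a control.
SAMPLE_LOG = """\
192.168.0.58 1046 192.185.32.90 80 GET vinnypedulla.com /2013/11/11/21/2013/downloader.php?page_seed=xhtml Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.xml Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.168.0.58 1048 192.185.32.90 80 GET application/x-java-archive vinnypedulla.com /5/201311/browser.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.168.0.58 1049 192.185.32.90 80 GET vinnypedulla.com /5/201311/014146.mp3 Java/1.6.0_16
192.168.0.58 1050 10.0.0.5 80 GET intranet.example /update/app.jnlp Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.168.0.58 1051 10.0.0.5 80 GET intranet.example /update/app.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
"""

JAVA_UA = re.compile(r"\bJava/\d")
EXPECTED_JAVA_EXT = (".jar", ".jnlp", ".xml", ".class", ".pack.gz")

def parse_request(line):
    """Return (src_ip, host, path, user_agent) for a GET record, else None.
    The host is the first token after GET without a '/', so an Accept
    value such as application/x-java-archive is skipped."""
    tokens = line.split()
    if "GET" not in tokens:
        return None
    i = tokens.index("GET") + 1
    while i < len(tokens) and "/" in tokens[i]:
        i += 1
    if i + 1 >= len(tokens) or not tokens[i + 1].startswith("/"):
        return None
    return tokens[0], tokens[i], tokens[i + 1], " ".join(tokens[i + 2:])

def find_jws_chains(log_text):
    """Flag (src_ip, host) pairs where a Java client fetched an XML/JNLP
    descriptor and a JAR and also pulled a file whose extension Java Web
    Start would not normally request (the .mp3 payload in the post)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec and JAVA_UA.search(rec[3]):
            seen[(rec[0], rec[1])].append(rec[2].split("?")[0].lower())
    hits = []
    for (src, host), paths in seen.items():
        got_descriptor = any(p.endswith((".xml", ".jnlp")) for p in paths)
        got_jar = any(p.endswith(".jar") for p in paths)
        odd = [p for p in paths if not p.endswith(EXPECTED_JAVA_EXT)]
        if got_descriptor and got_jar and odd:
            hits.append((src, host, odd[0]))
    return hits
```

Run against real proxy or flow logs the record layout will differ, so parse_request is the part to adapt; the host/JAR/odd-extension heuristic itself is what VRT rule 26524 in the update below covers at the wire level.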
I'll update this blog post as more information becomes available.
Update: After further research, it appears the structure of the URLs used to download the jar and jnlp files is dynamic in some way. However, we are seeing this exploit kit now drop an XOR'd binary of ZeroAccess. Please ensure you have VRT rule 26524 enabled, as that will detect the JWS bypass section of this exploit kit. If in IPS mode, it should stop this kit from working.
Update-2: Added some clarification around the Cookiebomb bump. Detected 60 installs of this yesterday.