Downloader.Ponik Seeks Long Term Relationship

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion dollars. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.

Figure 1. Downloader.Ponik spam campaign world map

One of the most recent malicious spam campaigns we encountered used online dating as its lure. While broad in scope, targeting users around the world, this campaign was largely focused on users in the United States, the United Kingdom, and Australia.

Figure 2. Sample Downloader.Ponik dating spam email

The email messages used in the campaign claims to be from someone named “Kat” with varying subject lines:

  • It’s a pleasure to meet you here
  • Write me again, ok? I really need your advice
  • How are you today? What are you doing now?
  • You dont know me, so Im here to fix it!
  • Hey how are you?
  • Hello there!
  • Im glad to see you!
  • Hola!
  • How do you do?

The body of the message is identical in each email:

Hello from Kat. I got some information about you from a=dating site. I found out that you are looking for a woman for LTR. I’m expec= to find a perfect match. Also I wish to exchange photos with you and may=e try to know you better. I will be waiting for your reply with impatience.

It is interesting to note that the emails claim that they obtained information on the target through an online dating site.

Attached to each message is a file named, which contains a threat that we detect as Downloader.Ponik. Downloader.Ponik is known for bringing some baggage with it. This particular version of Downloader.Ponik downloads the following malware:

As always, be careful when opening attachments in emails from unknown sources. I think it is safe to say that this is one long-term relationship you don’t want to get involved in.

Red Kit an Emerging Exploit Pack

Exploit kits are toolkits that are used to build malware components such as binaries and scripts. They automate the exploitation of client-side vulnerabilities, targeting browsers and programs.

These exploit kits provide an effective way for cybercriminals to distribute malware without the users consent. Among these kits, the Blackhole exploit kit is one of the most prevalent. Now another kit has gained the attention of the security research community. McAfee Labs has observed an increase in the use of the Red Kit exploit kit. The Red Kit targets vulnerabilities in applications such as Java and Adobe Reader.


Overview of an attack.

As shown in the preceding image, the infection starts when a user visits a compromised website, which contains the link to a Red Kit landing page. The link of the compromised web page may arrive via email as part of a spam campaign to lure the user into clicking the malicious link.



The landing page appears similar to that of Blackhole. It uses plug-in detection code (Version 0.7.7) to identify the version of the browser plug-ins installed in the system:


Plug-in detects Version 0.7.7.

We have observed that the Red Kit uses different URL patterns for its landing pages. Some of them follow:

  • hxxp://[domain name]/ewci.htm
  • hxxp:// [domain name]/hmod.html
  • hxxp:// [domain name]/mhes.html
  • hxxp:// [domain name]/hmpu.html
  • hxxp:// [domain name]/asjs.html
  • hxxp:// [domain name]/aces.htm
  • hxxp:// [domain name]/aoef.htm

Also, the landing page has the code to download malicious .jar and .pdf files. These files target the vulnerabilities CVE 2012-1723 and CVE 2010-0188.


A Red Kit landing page.

This exploit kit uses a unique URL pattern for downloading the .jar and .pdf files:

  • hxxp://[domain name]/332.jar
  • hxxp://[domain name]/887.jar
  • hxxp://[domain name]/987.pdf

The payloads of the .jar and .pdf files are also downloaded from unique URL patterns:

  • “332.jar”  downloads payload from  “hxxp://[domain name]/33.html”
  • “887.jar”  downloads payload from  “hxxp://[domain name]/41.html”
  • “987.pdf” downloads payload from  “hxxp://[domain name]/62.html”

The final payloads are identified as a downloader that delivers additional payloads from the remote server.

How to prevent this attack:

  • Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.
  • In spite of the availability of patches for known vulnerabilities such as CVE2012-1723 and CVE2010-0188, this exploit kit still targets these vulnerabilities. McAfee recommends that you update to the latest patches available for Java and Adobe Reader.
  • We advise our customers to pay extra caution when opening unsolicited emails and unknown links.

McAfee products detect these exploits as “JS/Exploit.Rekit.”