Will the Sweet Orange exploit kit dethrone Blackhole?

There’s a new exploit kit being offered for sale and it seems to be slowly but surely gaining in popularity.

Dubbed Sweet Orange, the kit uses exploits for Java, PDF, IE and Firefox vulnerabilities, and is regularly updated.

The kit’s sellers claim that it has a high infection rate, as supposedly 10 to 25 percent of the users that visit pages hosting it will get compromised, but according to BlueCoat researchers, users of underground forums say that the top number reaches only 15 percent.

Still, the sellers apparently guarantee that 150,000 unique visitors will visit the buyers’ site daily, which means that, in theory, at least 10,000 machines could be infected every day.

As the kit is currently hosted on 45 different IP addresses / 267 different domains, the aforementioned claims of 150,000 unique visitors sounds realistic.

And unfortunately for potential victims, a variety of online virus scanners does not detect the IP addresses and domains used by the kit as malicious.

“Only 7 of the 20 domains were caught by any of the vendors on VirusTotal: three by one vendor, and four by another, or an average of 0.35 hits per domain,” BlueCoat’s Chris Larsen pointed out. “It got worse when I checked the IP addresses. There were zero hits on any of the 20.”