Blackhole exploit kit

Last updated

The Blackhole exploit kit was, as of 2012, the most prevalent web threat, where 29% of all web threats detected by Sophos and 91% by AVG are due to this exploit kit. [1] Its purpose is to deliver a malicious payload to a victim's computer. [2] According to Trend Micro the majority of infections due to this exploit kit were done in a series of high volume spam runs. [3] The kit incorporates tracking mechanisms so that people maintaining the kit know considerable information about the victims arriving at the kit's landing page. The information tracked includes the victim's country, operating system, browser and which piece of software on the victim's computer was exploited. These details are shown in the kit's user interface. [4]

Contents

History

Blackhole exploit kit was released on "Malwox", an underground Russian hacking forum. It made its first appearance in 2010. [5]

The supposedly Russian creators use the names "HodLuM" and "Paunch". It was reported on October 7, 2013 that "Paunch" had been arrested. [6]

Dmitry "Paunch" Fedotov was sentenced to seven years in a Russian penal colony on April 12, 2016. [7]

Function

  1. The customer licenses the Blackhole exploit kit from the authors and specifies various options to customize the kit.
  2. A potential victim loads a compromised web page or opens a malicious link in a spammed email.
  3. The compromised web page or malicious link in the spammed email sends the user to a Blackhole exploit kit server's landing page.
  4. This landing page contains obfuscated JavaScript that determines what is on the victim's computers and loads all exploits to which this computer is vulnerable and sometimes a Java applet tag that loads a Java Trojan horse.
  5. If there is an exploit that is usable, the exploit loads and executes a payload on the victim's computer and informs the Blackhole exploit kit server which exploit was used to load the payload.

Defenses

A typical defensive posture against this and other advanced malware includes, at a minimum, each of the following:

See also

Related Research Articles

<span class="mw-page-title-main">Malware</span> Portmanteau for malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses on the Internet. According to Symantec’s 2018 Internet Security Threat Report (ISTR), malware variants number has increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy $6 trillion USD in 2021, and is increasing at a rate of 15% per year.

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">Ransomware</span> Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">Drive-by download</span> Computer security exploitation

Drive-by download is of two types, each concerning the unintended download of computer software from the Internet:

  1. Authorized drive-by downloads are downloads which a person has authorized but without understanding the consequences.
  2. Unauthorized drive-by downloads are downloads which happen without a person's knowledge, often a computer virus, spyware, malware, or crimeware.

Webattacker is a do-it-yourself malware creation kit that includes scripts that simplify the task of infecting computers and spam-sending techniques to lure victims to specially rigged Websites. It was allegedly created by a group of Russian programmers. The kit demands minimal technical sophistication to be manipulated and used by crackers.

<span class="mw-page-title-main">Rogue security software</span> Form of malicious software

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

In computer security, MPack is a PHP-based malware kit produced by Russian crackers. The first version was released in December 2006. Since then a new version is thought to have been released roughly every month. It is thought to have been used to infect up to 160,000 PCs with keylogging software. In August 2007 it was believed to have been used in an attack on the web site of the Bank of India which originated from the Russian Business Network.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software; this approach scored a 23% success rate against Zeus in 2009 and still low rates in a 2011 report. The 2011 report concluded that additional measures on top of antivirus software were needed.

Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption. This method is more effective than keylogger software because it will acquire the user’s credentials even if they are input using virtual keyboard, auto-fill, or copy and paste. It can then sort the information based on its variable names, such as email, account name, and password. Additionally, the form grabber will log the URL and title of the website the data was gathered from.

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

OSX.FlashBack, also known as the Flashback Trojan, Fakeflash, or Trojan BackDoor.Flashback, is a Trojan horse affecting personal computer systems running Mac OS X. The first variant of Flashback was discovered by antivirus company Intego in September 2011.

The Java platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.

References

  1. Howard, Fraser (March 29, 2012). "Exploring the Blackhole exploit kit: 4.1 Distribution of web threats". Naked Security. Sophos . Retrieved April 26, 2012.
  2. Howard, Fraser (March 29, 2012). "Exploring the Blackhole exploit kit: 2.3.4 Payload". Naked Security. Sophos . Retrieved April 26, 2012.
  3. "Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs" (PDF). Trend Micro. July 2012. Retrieved October 15, 2013.
  4. "The State of Web Exploit Kits" (PDF). Black Hat Briefings. August 2012. Retrieved October 15, 2013.
  5. "Meet Paunch: The Accused Author of the BlackHole Exploit Kit — Krebs on Security". krebsonsecurity.com. Retrieved 2018-03-30.
  6. "Blackhole Exploit Kit Author "Paunch" Arrested". Security Week. October 8, 2013. Retrieved October 15, 2013.
  7. Krebs, Brian (April 14, 2016). "'Blackhole' Exploit Kit Author Gets 7 Years". Krebs on Security. Retrieved April 20, 2016.