The once-popular Blackhole exploit kit has returned, attempting to infect using old exploits but also showing signs of active development, according to researchers with security firm Malwarebytes.

Over the weekend, Malwarebytes detected attacks using older exploits for Oracle’s Java and Adobe’s Acrobat, but which attempted to deliver recently compiled malware. When Malwarebytes investigated, it found, behind the attacks, a poorly secured server that had Blackhole installed on it.

The return of Blackhole suggests that cyber-criminals may be reusing the code, which was leaked in 2011, Jérôme Segura, senior security researcher for Malwarebytes Labs, told eWEEK. “Blackhole was well-written, and we have seen in the past, like with Zeus, that a lot of criminals do not reinvent the wheel,” he said. “They will use older infrastructure and build on top of it.”

Exploit kits are software programs used by cyber-criminals to infect victims and install malicious software. They are pre-packaged sets of code and malware geared toward finding and taking advantage of common browser vulnerabilities, and they are a basic building block for creating botnets and infecting users’ systems to steal information. The entry point is JavaScript code that gets a foothold on a system and initiates the next stage.

The code for both the Zeus cyber-crime kit and the Blackhole exploit kit was released in 2011, within weeks of each other. Publicly released attack code can help criminals by giving them a common software platform on top of which to innovate. The release of the code for the Zeus banking Trojan, for example, led to the release of a large number of modules that helped cyber-criminals more easily launch advanced campaigns.

In October 2013, Russian authorities arrested the alleged author of the Blackhole exploit kit, and soon after a service that provided updates to the malware shut down. While some criminals continued to use the software, the lack of new exploits meant that its effectiveness quickly declined, as security and software firms caught up to the code and users installed patches. “We saw that, after the author got arrested, there were still customers who tried to keep using it, but the exploits got stale because they were no longer being updated,” Segura said.

The return of the Blackhole exploit kit, installed on a server in the Netherlands, is a mystery. At first, Malwarebytes’ researchers thought the attack may have been a prank, Segura said. Portions of the program are being modified, but the current operation continues to use the same exploits, now ancient by Internet standards. Yet a successful compromise delivered up-to-date malware that did not have recent detections on services such as VirusTotal.

Other possible explanations exist, he said. “It may be a trap designed to track down honeypots, which typically have lowered security settings and would not get updated as often as consumer machines,” he said. “If that were the case, their goal would be to identify security crawlers and scanners and add them to a blacklist.”

It’s unclear whether this is the rebirth of Blackhole, or a last hurrah before it disappears for good.

According to a new security report from Sophos, "drive-by" download attacks now constitute more than half of malware attacks on Web users. And one drive-by exploit in particular accounts for 31 percent of the Web attacks detected by the company's security software in the second half of 2011: a package called Blackhole.

Blackhole is an exploit kit used to inject malware onto PCs that visit an exploit site, or are redirected to such a site from another, compromised website. The kit's developers continuously update Blackhole's exploit capabilities, which center on Java vulnerabilities, but Sophos says that many computers continue to have older vulnerabilities because of haphazard Java patch installation. Hackers typically use the exploit kit to drop malware such as botnets built with the Zeus toolkit, rootkits, or fake antivirus packages that coerce users to pay for fraudulent malware protection.

Among the other security statistics in Sophos's report:

The US tops the world in sources of spam e-mails, accounting for 11.43 percent of 2011's detected traffic. India was the closest runner-up, at 8 percent.

The riskiest place to run a computer network in the world is Chile, measured by the percentage of computers experiencing a malware attack over a three-month period, scoring a threat exposure rate (TER) of 61, nearly ten times the rate of attacks on systems in the US. The country with the safest network: Luxembourg.

Conficker, the Windows worm also known as Downup and Kido, is still the most commonly detected malware in the world, over three years after its first detection. The worm, which spreads over network connections, thumb drives, and other removable media, accounted for nearly 15 percent of all infection attempts caught by Sophos in the last six months.
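The drive-by chain both write-ups describe (a compromised site redirecting the browser to an exploit site, a Java or PDF exploit served from that site, then a freshly built executable dropped on success) leaves a recognisable sequence in web-proxy logs. The script below is an added example of hunting for that sequence; it is not code from either article, from Malwarebytes or from Sophos. The log format, host names, addresses and sample lines are constructed for the illustration, and the "Java/<version>" User-Agent token it records is the one the JRE's own HTTP client sends, which is what exposes the unpatched plugin versions Sophos complains about.

```python
"""Find drive-by download chains in web-proxy logs (added example, constructed data).

Chain looked for, per client, inside a short time window:
  1. an HTML landing page on host B fetched with a referrer on a different host A
     (A is the compromised site, B the exploit site),
  2. a Java archive or PDF served from B (the exploit carrier),
  3. an executable fetched afterwards (the dropped payload).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical log format, constructed for this example (not any real proxy's format):
# <ISO timestamp> <client> <method> <url> <status> <content-type> <referrer or -> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) (?P<referrer>\S+) "(?P<ua>[^"]*)"$'
)
EXPLOIT_TYPES = {"application/java-archive": "jar", "application/pdf": "pdf"}
EXPLOIT_EXTS = {".jar": "jar", ".pdf": "pdf"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
# The JRE's own HTTP client identifies itself with a "Java/<version>" token, which
# tells the analyst exactly which (often unpatched) plugin version fetched the exploit.
JAVA_UA_RE = re.compile(r"Java/(\d+\.\d+\.\d+(?:_\d+)?)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = urlparse(rec["url"]).hostname
    rec["ref_host"] = None if rec["referrer"] == "-" else urlparse(rec["referrer"]).hostname
    return rec


def classify(rec):
    """Label a request 'jar' or 'pdf' (exploit carrier), 'exe' (payload) or None."""
    path = urlparse(rec["url"]).path.lower()
    kind = EXPLOIT_TYPES.get(rec["ctype"])
    if kind is None:
        kind = next((k for ext, k in EXPLOIT_EXTS.items() if path.endswith(ext)), None)
    if kind is None and (rec["ctype"] in PAYLOAD_TYPES or path.endswith(".exe")):
        kind = "exe"
    return kind


def find_driveby_chains(lines, window=timedelta(seconds=120)):
    """Return one dict per landing page whose follow-up traffic completes the chain."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"].startswith("2"):
            by_client[rec["client"]].append(rec)

    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            # Candidate landing page: HTML on host B reached from a different host A.
            if (not landing["ctype"].startswith("text/html") or landing["ref_host"] is None
                    or landing["ref_host"] == landing["host"]):
                continue
            exploits, java_versions, payload = [], set(), None
            for follow in recs[i + 1:]:
                if follow["ts"] - landing["ts"] > window:
                    break
                kind = classify(follow)
                if kind in ("jar", "pdf") and follow["host"] == landing["host"]:
                    exploits.append(kind)
                    jm = JAVA_UA_RE.search(follow["ua"])
                    if jm:
                        java_versions.add(jm.group(1))
                elif kind == "exe" and exploits:
                    # A payload only counts once an exploit has been served from the landing host.
                    payload = follow["url"]
                    break
            if exploits and payload:
                chains.append({
                    "client": client,
                    "compromised_site": landing["ref_host"],
                    "exploit_host": landing["host"],
                    "landing_url": landing["url"],
                    "exploits": exploits,
                    "java_versions": sorted(java_versions),
                    "payload_url": payload,
                })
    return chains


# Constructed sample traffic: 10.0.0.15 walks the full chain; 10.0.0.22 opens a PDF and
# downloads an installer legitimately and must not be flagged. Hosts are placeholders.
SAMPLE_LOG = [
    '2015-11-16T09:14:02 10.0.0.15 GET http://news.example.org/index.html 200 text/html - "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"',
    '2015-11-16T09:14:03 10.0.0.15 GET http://news.example.org/style.css 200 text/css http://news.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"',
    '2015-11-16T09:14:05 10.0.0.15 GET http://203.0.113.7/landing.php 200 text/html http://news.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"',
    '2015-11-16T09:14:06 10.0.0.15 GET http://203.0.113.7/e.jar 200 application/java-archive http://203.0.113.7/landing.php "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_22"',
    '2015-11-16T09:14:08 10.0.0.15 GET http://203.0.113.7/w.php?f=1 200 application/octet-stream - "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_22"',
    '2015-11-16T09:20:00 10.0.0.22 GET http://intranet.example.com/docs.html 200 text/html - "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"',
    '2015-11-16T09:20:10 10.0.0.22 GET http://intranet.example.com/report.pdf 200 application/pdf http://intranet.example.com/docs.html "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"',
    '2015-11-16T09:21:00 10.0.0.22 GET http://downloads.example.com/setup.exe 200 application/x-msdownload http://intranet.example.com/docs.html "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"',
]

if __name__ == "__main__":
    for chain in find_driveby_chains(SAMPLE_LOG):
        print(chain)
```

Run against the constructed log it reports a single chain for 10.0.0.15: news.example.org as the compromised referrer, 203.0.113.7 as the exploit host, a JAR fetched by Java 1.6.0_22, and the octet-stream payload. The intranet client's PDF and installer are left alone because no cross-host HTML landing page precedes them. The requirement that the exploit carrier come from the landing host, and that an executable only counts after a carrier, is what keeps ordinary document and software downloads out of the results; the JAR and PDF content types are the carriers the Malwarebytes observation named, and adding Flash or other types is a one-line change to the two lookup tables.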