Cyber Security Institute

Friday, March 01, 2013

Blackhole Exploit Kit Run Adopts Controversial Java Flaw

A perfect example of this prediction is how Blackhole Exploit Kit continuously attempts to circumvent the efforts done by the security industry. True enough, we recently received reports of a Blackhole Exploit Kit (BHEK) run that incorporated an exploit (detected by Trend Micro as JAVA_ARCAL.A) targeting the recently patched CVE-2013-0431. When users click the item number indicated in these messages, they are led to several redirecting sites until they arrive at the page hosting the encrypted BHEK code. In the testing we did, the BHEK code found certain versions of Adobe Reader, which prompted it to download and execute a malicious. This BHEK code also downloads and executes JAVA_ARCAL.A from a specific page after checking the Java version of the infected system. JAVA_ARCAL.A then downloads and executes TSPY_FAREIT.MEX by using command.exe in the PATH %user% in a specific URL. ... At the end of the infection chain, this BHEK code will access the malicious page below to lead users into thinking that they’re just redirected to a seemingly non-malicious website.
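The chain described above (spam link, a run of redirectors, a landing page that fingerprints Java, a Java archive fetch, then an executable pulled from the same host) is something a defender can look for in proxy logs. The following is an added example, not code from this post or from Trend Micro; the log format, hostnames and timestamps are constructed for illustration and the thresholds (two redirect hops, a sixty-second window) are assumptions.

```python
# Flag clients whose proxy traffic follows a Blackhole-style chain:
# redirect hops -> Java archive fetch -> executable from the same host.
# Log format and sample lines are constructed for this example.
from collections import defaultdict
from urllib.parse import urlsplit

# fields: unix_ts client http_status content_type url (constructed)
LOG = """\
1362120001 10.0.0.5 302 text/html http://redir-a.example/track?id=4471
1362120002 10.0.0.5 302 text/html http://redir-b.example/go
1362120003 10.0.0.5 200 text/html http://landing.example/closest/page.php
1362120004 10.0.0.5 200 application/java-archive http://landing.example/closest/jar.jar
1362120006 10.0.0.5 200 application/octet-stream http://landing.example/closest/calc.exe
1362120007 10.0.0.5 302 text/html http://landing.example/closest/out.php
1362120008 10.0.0.5 200 text/html http://news.example/story
1362120010 10.0.0.9 200 text/html http://intranet.example/home
1362120011 10.0.0.9 200 application/java-archive http://intranet.example/app/tool.jar
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, status, ctype, url = line.split()
        rows.append((int(ts), client, int(status), ctype, url))
    return rows

def flag_clients(rows, window=60, min_redirects=2):
    """Return {client: landing_host} for clients matching the chain."""
    by_client = defaultdict(list)
    for row in rows:
        by_client[row[1]].append(row)
    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (ts, _, _, ctype, url) in enumerate(events):
            if ctype != "application/java-archive":
                continue  # the kit's Java stage is the pivot of the chain
            host = urlsplit(url).hostname
            before = [e for e in events[:i] if e[0] >= ts - window]
            after = [e for e in events[i + 1:] if e[0] <= ts + window]
            redirects = sum(1 for e in before if e[2] in (301, 302))
            exe_same_host = any(
                e[3] == "application/octet-stream"
                and urlsplit(e[4]).hostname == host
                for e in after
            )
            if redirects >= min_redirects and exe_same_host:
                hits[client] = host
    return hits
```

The second client fetches a Java archive from an internal host without the redirect run or a follow-on executable, so it is not flagged; a real deployment would tune the window and redirect count to the organisation's traffic.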

Using Trend Micro Smart Protection Network™ data, we looked into the most affected countries by this BHEK run and got some interesting results.

For the spam component of this threat, it is also crucial for users and security administrators alike to realize that the usual spam and phishing best practices are not effective in addressing BHEK spam runs. We previously released our report Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs, which goes into detail about our findings regarding the BHEK runs.


Posted on 03/01