According to data we recently published in the Microsoft Security Intelligence Report volume 12 (SIRv12), drive-by download attacks continue to be a favorite tactic used by many attackers attempting to compromise large numbers of systems around the world.  I have written about drive-by download attacks in the past (What You Should Know About Drive-By Download Attacks part 1, part 2) and the need to keep all software up-to-date in an effort to mitigate this type of attack.

In the second half of 2011 (2H11) there was a dramatic increase in detections of exploits delivered through JavaScript.  This increase was due primarily to the emergence of JS/Blacole, a family of exploits used by the so-called “Blackhole” exploit kit to deliver malicious software through infected web pages.

Figure 1: The number of unique systems reporting detections/blocks of HTML and JavaScript exploits via Microsoft antimalware products each quarter in 2011, source: SIRv12

Blacole is the name given to a family of malware that, when encountered, will use any number of available exploits to compromise a system.  Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious web pages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.

I can offer a real world example of what one such attack looks like.  The intended target of the attack received an email purportedly from a contact within a popular social network that they use.  Simply clicking on the link in the email labeled “Visit your InBox Now” triggered the antimalware software installed on the system to detect JS/Blacole, a detection for a component of the Blacole exploit kit.    

Figure 2: Example email containing a malicious link

Figure 3: The antimalware software installed on the system detected a component of the Blacole exploit kit

If the system did not have up-to-date antimalware software installed on it, the exploit server that the malicious link in the email pointed to would have likely attempted to exploit multiple known vulnerabilities until a successful compromise could be achieved and malware could be installed on the system. 

The Microsoft Malware Protection Center (MMPC) provides several other examples of this type of attack in articles they have published on their blog:

• Get gamed and rue the day
• Disorderly conduct: localized malware impersonates the police
• Plenty to complain about with faux BBB spam

As mentioned earlier, typically the Blacole exploit kit attempts to exploit vulnerabilities in applications such as Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components, including:

• CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
• CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
• CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
• CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
• CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
• CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
• CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
• CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
• CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
• CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
• CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
• CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
• CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
• CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
• CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
• CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier

Notice the years reflected in the CVE numbers in the list above; many of the vulnerabilities that the exploit kit attempts to take advantage of are years old.

As I have written about previously (Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date), vulnerabilities in Java continue to be a popular attack vector.  As in previous periods, many of the more commonly exploited Java vulnerabilities are several years old, as are the security updates that have been released to address them.  As seen in the figure below from SIRv12, the Java vulnerability with the most unique systems reporting exploit attempts in 2H11 was CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability.  This is one of the vulnerabilities that the Blacole exploit kit targets, as seen in the list above.

Figure 4: Unique computers reporting Java exploits each quarter in 2011

Table 1 below contains the top ten countries/regions where systems reported the most detections of the Blacole exploit kit in 2H11.  Many of the locations in Table 1 also reported the largest number of detections/blocks of CVE-2010-0840 exploit attempts during the same period as seen in Table 2.

Table 1: Top 10 locations with the most detections of Blacole in the second half of 2011 (2H11)

Table 2: Top 10 locations with the most detections of CVE-2010-0840 exploit attempts in the second half of 2011 (2H11)

The call to action includes:

• If you haven’t updated Java in your environment recently, you should evaluate the current risks.
• It is important to realize that multiple versions of Java may be installed on one system.  Upon deciding which version(s) to keep, be sure to explicitly remove all other versions deemed unnecessary.
• Keep all software in your environment up-to-date, not just Windows; assume attackers are targeting vulnerabilities in all prevalent software.
• Run antimalware software from a trusted vendor and keep it up-to-date.  As seen in the example I provided above, antimalware software can be helpful in mitigating this type of attack.
• Don’t get phished – avoid clicking on links and opening attachments received via email.

Tim Rains
Director, Trustworthy Computing