Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
According to data we recently published in the Microsoft Security Intelligence Report volume 12 (SIRv12), drive-by download attacks continue to be a favorite tactic used by many attackers attempting to compromise large numbers of systems around the world. I have written about drive-by download attacks in the past (What You Should Know About Drive-By Download Attacks part 1, part 2) and the need to keep all software up-to-date in an effort to mitigate this type of attack.
Blacole is the name given to a family of malware that, when encountered, will use any number of available exploits to compromise a system. Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious web pages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.
I can offer a real world example of what one such attack looks like. The intended target of the attack received an email purportedly from a contact within a popular social network that they use. Simply clicking on the link in the email labeled “Visit your InBox Now” triggered the antimalware software installed on the system to detect JS/Blacole, a detection for a component of the Blacole exploit kit.
Figure 2: Example email containing a malicious link
Figure 3: The antimalware software installed on the system detected a component of the Blacole exploit kit
If the system did not have up-to-date antimalware software installed on it, the exploit server that the malicious link in the email pointed to would have likely attempted to exploit multiple known vulnerabilities until a successful compromise could be achieved and malware could be installed on the system.
The Microsoft Malware Protection Center (MMPC) provides several other examples of this type of attack in articles they have published on their blog:
As mentioned earlier, typically the Blacole exploit kit attempts to exploit vulnerabilities in applications such as Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components, including:
Notice the years reflected in the CVE numbers in the list above; many of the vulnerabilities that the exploit kit attempts to take advantage of are years old.
As I have written about previously (Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date), vulnerabilities in Java continue to be a popular attack vector. As in previous periods, many of the more commonly exploited Java vulnerabilities are several years old, as are the security updates that have been released to address them. As seen in the figure below from SIRv12, the Java vulnerability with the most unique systems reporting exploit attempts in 2H11 was CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability. This is one of the vulnerabilities that the Blacole exploit kit targets, as seen in the list above.
Figure 4: Unique computers reporting Java exploits each quarter in 2011
Table 1 below contains the top ten countries/regions where systems reported the most detections of the Blacole exploit kit in 2H11. Many of the locations in Table 1 also reported the largest number of detections/blocks of CVE-2010-0840 exploit attempts during the same period as seen in Table 2.
Table 1: Top 10 locations with the most detections of Blacole in the second half of 2011 (2H11)
Table 2: Top 10 locations with the most detections of CVE-2010-0840 exploit attempts in the second half of 2011 (2H11)
The call to action includes:
Tim Rains Director, Trustworthy Computing