As I wrote in the last article we published, Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date, new data from the Microsoft Security Intelligence Report volume 13 (SIRv13) shows that exploit activity has increased substantially over the past year. The data I shared in that article illustrates just how much exploit activity has increased since the second quarter of 2011 (2Q11).

Figure 1 (left): Unique computers reporting different types of exploits, 1Q11–2Q12
Figure 2 (right): Top exploit families detected by Microsoft antimalware products in the second half of 2011 and first half of 2012, by number of unique computers with detections, shaded according to relative prevalence


As seen in Figure 1, large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend.  As seen in Figure 2, the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. 

Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components (a full list is provided in Figure 3). When the attacker loads the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack. I have written about this exploit kit before: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date.

Figure 3: Specific vulnerabilities targeted by the Blacole exploit kit in the first quarter of 2012 (1Q12) and second quarter of 2012 (2Q12), by number of unique computers reporting detections of each one


All of the vulnerabilities listed in Figure 3 were addressed by security updates from the affected vendors between 2006 and 2012.  The most commonly detected Blacole exploits during both quarters targeted CVE-2010-1885, a vulnerability that affects the Windows Help and Support Center in Windows XP and Windows Server 2003; Microsoft issued Security Bulletin MS10-042 in July 2010 to address this issue.  CVE-2012-0507, a vulnerability in the Oracle Java Runtime Environment (JRE), was added to the Blacole kit in late March of 2012 and accounted for the second highest number of exploits attributed to the kit in 2Q12. CVE-2011-2110, a vulnerability in Adobe Flash Player, accounted for the second largest number of Blacole exploits detected in 1Q12 and the third largest number in 2Q12. Adobe released Security Bulletin APSB11-18 in June 2011 to address the issue. Blacole exploitation of CVE-2011-3544, a vulnerability in the Java Runtime Environment, is decreasing, as Blacole authors have shifted their focus to newer exploits; it accounted for the largest number of Blacole exploits detected in 1Q12, but fell 14.6% to ninth place in 2Q12. Oracle released a security update in October 2011 to address the issue.

Defending against Blacole exploits
We included some guidance in SIRv13 to help defend against exploitation by Blacole.  That guidance is provided to you here verbatim for convenience.

  • The Blacole exploit kit targets a large number of exploits in web browsers and browser plug-ins in an effort to infect vulnerable computers through drive-by download attacks. Effectively defending against Blacole exploits can be challenging for IT departments and individual users.
  • Many antimalware solutions can block the Blacole kit directly when it is detected, before any of the exploits included in the kit have a chance to work. Using an antimalware solution from a reputable provider and keeping it up to date provides some protection against exploitation even when vulnerable software is installed. For better protection, ensure that all of the software in your environment is up to date and that security updates from all relevant vendors are installed quickly after they are published.
  • IT departments can increase their level of protection against Blacole exploits by using intrusion detection and prevention systems (IDS/IPS) to monitor for and block exploitation of the vulnerabilities targeted by the kit, including the ones listed in Figure 11 on page 24 (same as Figure 3 in this article). Other vulnerabilities exploited by Blacole include CVE-2009-1671, CVE-2010-0842, CVE-2010-1423, CVE-2010-3552, and CVE-2012-4681. Configure your firewall to block any sites that have been compromised by the Blacole kit. Many enterprise firewall products use reputation services that can help automate the blocking of known malicious sites. If Blacole-related attacks are detected, use the detection telemetry to help you prioritize the deployment of security updates across your environment.
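The last bullet above says to use detection telemetry to prioritize the deployment of security updates. The following Python script is an added example, not code from SIRv13 or from the original post: it parses a constructed antimalware detection export, keeps the Blacole detections, maps each targeted CVE to the vendor update named earlier in this article (the two Oracle update ids are placeholders, since the post gives only the vendor and month), and ranks the updates by how many hosts saw an exploit attempt while still lacking the fix. The telemetry line format, the host names and the patch inventory are assumptions made for the example.

```python
"""Rank security updates by Blacole detection telemetry.

Added example, not code from the SIR or from the original post. It assumes a
constructed, CSV-like antimalware export (timestamp,host,threat,cve) and a
constructed patch inventory; real products export their own schemas.
"""
from collections import defaultdict
from dataclasses import dataclass

# CVE -> (vendor, update that closes it). The Microsoft and Adobe bulletin ids
# are the ones named in the post; the two Oracle entries are placeholder ids,
# because the post gives the vendor and month but no bulletin id.
REMEDIATION = {
    "CVE-2010-1885": ("Microsoft", "MS10-042"),
    "CVE-2011-2110": ("Adobe", "APSB11-18"),
    "CVE-2011-3544": ("Oracle", "JRE-UPDATE-OCT-2011-PLACEHOLDER"),
    "CVE-2012-0507": ("Oracle", "JRE-UPDATE-2012-PLACEHOLDER"),
}

# Constructed telemetry: one detection per line, "-" when no CVE applies.
TELEMETRY = """\
# constructed sample, not real telemetry
2012-06-01T08:12:04Z,ws-0113,Exploit:Win32/Blacole,CVE-2010-1885
2012-06-01T08:12:09Z,ws-0113,Exploit:Java/Blacole,CVE-2012-0507
2012-06-01T09:40:31Z,ws-0207,Exploit:Win32/Blacole,CVE-2010-1885
2012-06-01T10:02:17Z,ws-0207,Exploit:SWF/Blacole,CVE-2011-2110
2012-06-02T11:15:48Z,ws-0342,Exploit:Java/Blacole,CVE-2012-0507
2012-06-02T11:16:02Z,ws-0342,Exploit:Java/Blacole,CVE-2011-3544
2012-06-02T13:27:55Z,ws-0342,Trojan:Win32/ConstructedSample,-
"""

# Constructed patch inventory: host -> update ids known to be installed.
INSTALLED = {
    "ws-0113": {"MS10-042"},               # Windows patched, JRE never updated
    "ws-0207": {"MS10-042", "APSB11-18"},  # patched for everything it saw
    "ws-0342": set(),                      # no relevant updates at all
}


@dataclass(frozen=True)
class Detection:
    timestamp: str
    host: str
    threat: str
    cve: str


def parse_telemetry(text):
    """Parse the one-detection-per-line export, skipping blanks and comments."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"malformed telemetry line: {line!r}")
        detections.append(Detection(*fields))
    return detections


def prioritize(detections, installed):
    """Rank CVEs seen in Blacole detections.

    A host that saw an exploit attempt but already has the closing update is
    counted as 'seen' (the antimalware block worked and the exploit would have
    failed anyway); a host that lacks the update is 'exposed' and drives the
    ranking. A CVE with no remediation mapping treats every host as exposed.
    """
    seen = defaultdict(set)
    for d in detections:
        if "blacole" in d.threat.lower() and d.cve.startswith("CVE-"):
            seen[d.cve].add(d.host)

    rows = []
    for cve, hosts in seen.items():
        vendor, update = REMEDIATION.get(cve, ("unknown", None))
        exposed = sorted(
            h for h in hosts
            if update is None or update not in installed.get(h, set())
        )
        rows.append({
            "cve": cve, "vendor": vendor, "update": update,
            "hosts_seen": len(hosts), "exposed_hosts": exposed,
        })
    # Most unpatched hosts first, then most hosts seen, then CVE id for stability.
    rows.sort(key=lambda r: (-len(r["exposed_hosts"]), -r["hosts_seen"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(parse_telemetry(TELEMETRY), INSTALLED):
        print(f"{r['cve']}: deploy {r['vendor']} {r['update']} to "
              f"{len(r['exposed_hosts'])} of {r['hosts_seen']} hosts "
              f"{r['exposed_hosts']}")
```

With the constructed data, the Java exploit CVE-2012-0507 ranks first even though CVE-2010-1885 was seen on as many hosts, because both hosts that saw the Windows Help and Support Center exploit already had MS10-042 installed and only the JRE remains unpatched. That is the point of joining telemetry to inventory: detections alone say where the kit is active, but detections on hosts that still lack the fix say where the next update rollout should start.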

In years past it was rare to see an exploit in the top ten list of threats for a country/region. In the second quarter of 2012, at least one exploit was in the top ten list of threats for 51 of the 105 countries/regions (49%) reported on in SIRv13. Blacole is in the top ten lists of twenty-seven of these locations, including Australia, Austria, Belgium, Canada, Chile, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Russia, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States, and Uruguay. Take steps to evaluate the risks in your environment and mitigate them as soon as possible.

Tim Rains
Director
Trustworthy Computing