Kaspersky Lab’s experts examined how computers were infected with the help of the BlackHole exploit pack, which it says is one of the most popular packs of its kind on the market.
The BlackHole pack includes exploits targeting vulnerabilities in Adobe Reader, Adobe Flash Player, Oracle Java and other popular software. Because every exploit pack operates on essentially the same algorithm, Kaspersky says its experts picked three Java exploits from BlackHole to illustrate the working principles of exploit packs in general.
“In the last 12 months alone, over 161 vulnerabilities in Java Environment Runtime were detected. This provides a wide platform from which to exploit vulnerabilities across OS versions, web browsers, installed plugins, and other configurations,” Sam Bryce-Johnson, Kaspersky Lab’s Australian-New Zealand Technical Manager, said.
• Blocking the start page of the exploit pack (i.e. the first page of the exploit pack after the user is redirected from a legitimate site)
• Detection using file antivirus (if the user nonetheless reaches the start page of the exploit pack)
• Signature-based exploit detection (in case the security solution failed to detect the start page of the exploit pack)
• Proactive exploit detection (used if all signature-based security components fail to detect anything malicious while scanning the contents of the exploit pack, and the exploit manages to launch), and
• Detection of malicious downloads (if the exploit manages to escape detection, it attempts to download a malicious payload and launch it on the victim computer).
Vyacheslav Zakorzhevsky, Head of the Vulnerability Research Group at Kaspersky, said that the problem of ‘black holes’ remains relevant despite both the availability of studies into the infection mechanism of exploit packs and the comprehensive solutions offered by security vendors.
“End users typically do not rush to install updates, and cybercriminals seize the initiative by creating new malicious programs to attack known vulnerabilities.”
Kaspersky researchers also identified a trend in which attackers try to prevent an exploit pack’s contents from falling into the hands of experts at anti-malware companies and other researchers. To avoid exposure, cybercriminals may ‘blacklist’ IP addresses used by research companies - such as crawlers, robots, and proxy servers - so that the exploits do not launch on the researchers’ virtual machines.
For the complete report on how a computer can be infected using the BlackHole exploit kit, and on the protection mechanisms that can be employed against it, visit securelist.com.