Forgot your password?
typodupeerror
Crime Security IT

Blackhole Exploit Kit Gets an Upgrade 43

Posted by timothy
from the so-dense-not-even-light-browsing-can-escape dept.
wiredmikey writes "The popular Blackhole exploit kit, assumed to be created and maintained by an individual going by the online moniker of 'Paunch,' who continuously updates the browser exploit software, looks like it has just received another upgrade. The exploit works by infecting a user when they visit a Blackhole-infected site, and their browser runs the JavaScript code, usually via a hidden iframe. If the location or URL for the malicious iframe changes or is taken down, all of the compromised sites will have to be updated to point to this new location, making it hard for the attackers. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain. Moreover, the kit's recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft's XML Core Services, which remains unpatched. Unfortunately, the changes prove once again that the criminal economy online is alive and well."
This discussion has been archived. No new comments can be posted.

Blackhole Exploit Kit Gets an Upgrade

Comments Filter:
  • Does that mean Windows Firefox users are ostensibly safe? I don't know what library firefox uses for xml parsing.

  • Firefox + NoScript (Score:4, Insightful)

    by Anonymous Coward on Tuesday July 03, 2012 @09:40AM (#40526871)

    Problem fecking solved. Nobody should be running without a script blocker in this day and age.

    • by lostsoulz (1631651) on Tuesday July 03, 2012 @09:45AM (#40526929)

      Broadly agreed, but t'Internet is a woeful mess of script upon script upon script. I use NoScript, Ghostery, AdBlock Plus and HTTPS Everywhere...but sometimes find well-known sites that still b0rk until I reconfigure an addon.

    • by JDG1980 (2438906) on Tuesday July 03, 2012 @11:54AM (#40529007)

      If you run NoScript, essentially every web site in existence is broken by default and has to be whitelisted. If you get into the habit of auto-allowing everything, you're no safer than you would be without it installed, and if you don't, then you have to manually spend 5 minutes picking and choosing which scripts you have to enable for the page to work.

      • by Trilkin (2042026)

        More like 10 seconds. It's a compromise worth the time.

      • that's why i prefer "request policy" much more than noscript, i dont use noscript.

        with "request policy" it blocks any external resources, and allows any script being loaded or run from the same domain you're visiting. malicious adds and scripts are always external, and you're safe. with many sites, like slashdot, you have external elements and scripts from a domain being used as CDN, you can whitelist it in 2 clicks, and keep the rest blocked. very easy, and maintains compatibility and security.

    • by trifish (826353)

      No problem isn't solved. But believe whatever you want.

  • by Anonymous Coward

    Unfortunately, the changes prove once again that the criminal economy online is alive and well.

    Just in case you were living under a rock in fantasyland with the cyber fairies where the robot unicorns roam free unhampered by criminals...

    • by slyrat (1143997)

      Just in case you were living under a rock in fantasyland with the cyber fairies where the robot unicorns roam free unhampered by criminals...

      You leave my robot unicorns out of this!

  • by trifish (826353) on Tuesday July 03, 2012 @09:42AM (#40526901)

    Before a knee jerk posts "I use NoScript -- I'm safe!"...

    This doesn't mean that JavaScript is insecure. It just means there's an exploitable unpatched vulnerability in JS in some browser. The fact that this malware uses JavaScript + iframe doesn't mean JavaScript is inherently insecure or less secure than bare HTML.

    And now the worst news of all for you: the HTML engine (or any other portion) of the browser can and often does contain exploitable unpatched vulnerabilities. So even if you disable JavaScript you can get infected.

    The bottom, line the best way to protect yourself is honor the following three golder rules:

    1. Keep your browser and OS updated with security fixes.

    2. Don't visit suspicious websites and don't open suspicious email attachments.

    3. Use a good antivirus that monitors your internet traffic.

    Profit?

    • by plover (150551) *

      You're a couple posts behind staving off the knee jerks. However, the safety of NoScript isn't the primary reason I run it. It's the crap that third party scripts "add to browsing experience" that I find useless at best; distracting in most cases of advertising; and tracking sites that are actively harmful to my privacy as well as to the accuracy of the web in general because their results are used by marketers to manipulate search engine results via their SEO activities.

      And I would argue against your ass

      • by Inda (580031)
        NoScript. How can you view the WWW with that installed?

        I installed it. Visited a dozen of my favourite sites. Whitelisted half of them, because I trust them. OK so far.

        It's the new sites where the problems start. Google says, on the top result, I can convert XYZ online, using forms. Excellent. Only that functionality no longer exists. Maybe the site is broken. Maybe Google is mistaken. Maybe I'll look at the source. Maybe I'll try the next site.

        I'm struggling to think of the exact reason I uninstalled it; i
        • by plover (150551) * on Tuesday July 03, 2012 @10:49AM (#40527807) Homepage Journal

          Funny, I often wonder how so many people can view with the WWW without NoScript installed! Zooming up fake windows, continually scrolling sidebars, attack ads, "do you want to chat with a representative online" boxes, it seems like there are usually about three things to dismiss before even uncovering most content.

          However, I'd certainly agree that NoScript is not for the uninitiated. It doesn't pass the mom test, or even the wife test. Most people just want things to work, and are willing to put up with whatever crap they're served in order to get it. I'm willing to view the static content, and if there's something deeper to explore, I understand up front that I might have to whitelist a few things to get it to work. Note that you can configure NoScript to automatically permit scripts originating from "base 2nd level domains" (i.e. allow everything from *.foobar.com when you're on www.foobar.com), which generally enables local content to work just fine, while still preventing XSS nonsense. The only place where I commonly run into trouble is with video content, as it's generally hosted somewhere else like Vimeo or YouTube, and with third party SSO providers like Yahoo. In all, over many years of browsing I've added some margin of trust for about a hundred sites which seem to have taken care of most of those issues.

          • by plover (150551) *

            Oh, and I forgot to mention the most important recovery method: if it's too hard to view, it's just the freakin' web - I go back to my search results and find the info on a different site. There are usually dozens of other sites willing to provide me the information without making me endure their JavaScript stupidity.

    • This doesn't mean that JavaScript is insecure. It just means there's an exploitable unpatched vulnerability in JS in some browser. The fact that this malware uses JavaScript + iframe doesn't mean JavaScript is inherently insecure or less secure than bare HTML.

      This is the wrong way to see this. A markup language that generates a static DOM (from which a GUI is rendered) is inherently more secure than a programming language that has access to a large set of supposedly sandboxed API's in that, while both can have vulnerabilities, the latter has considerably more "surface" to attack. Exploits may leverage one-off, soon-to-be-patched bugs to do their nasty work, but--statistically speaking--these bugs are going to arise more often in the more complex piece of softwar

    • >1. Keep your browser and OS updated with security fixes.
      Useless, this is based on a flawed model from the beginning, the OS will always be unsecure,
      as it does not follow military grade standards, and the population will always be left to use inferior products

      >2. Don't visit suspicious websites and don't open suspicious email attachments.
      They do not know in advance if a site is suspicious....until someone detects it...
      I can also write javascript code that morphs continuously so that no entity (google)

    • by Crag (18776)

      And now the worst news of all for you: the HTML engine (or any other portion) of the browser can and often does contain exploitable unpatched vulnerabilities. So even if you disable JavaScript you can get infected.

      I was going to call "citation needed", but then I Googled around and found an example [metasploit.com].

      The bottom, line the best way to protect yourself is honor the following three golder rules:

      1. Keep your browser and OS updated with security fixes.

      2. Don't visit suspicious websites and don't open suspicious email attachments.

      3. Use a good antivirus that monitors your internet traffic.

      Profit?

      I'm not a fan of antivirus software, but otherwise I completely agree. Defense-in-depth is the only defense.

    • by iiiears (987462)

      How many ad servers do you contact with each page visited?

      How motivated would attackers be to compromise any ad server?

  • We are seeing every day criminal use of economy, online or not, should not be so surprising.
  • This was a senseless attack on my website (www.silversash.com). I was providing an Oracle DBA/Developer tool for free. I had to spend weeks trying all different things to clean it up. Ultimately I wiped out the entire contents and rebuilt the website. May this guy turn into a leper with gnarly fingers !!

Receiving a million dollars tax free will make you feel better than being flat broke and having a stomach ache. -- Dolph Sharp, "I'm O.K., You're Not So Hot"

Working...