Inside the Blackhole: Exploit Kit Adds Java Vulnerability

The minds behind the Blackhole exploit toolkit have updated it with an exploit targeting a recently patched vulnerability in Java.

According to reports, CVE-2012-1723, which was patched by Oracle in June, has now been added into the mix.  The update is yet another move in the evolution in the kit, which last month added the ability to use pseudo-random domain generation to make campaigns more resilient.

Since its emergence in late 2010, the kit’s makers have made a living off a mix of Adobe Flash Player, Java and Windows vulnerabilities. Today, Blackhole is perhaps the most popular toolkit on the cyber-underground, accounting for nearly 40 percent of all toolkits detected on the Web by security firm AVG Technologies in the first quarter of 2012.

“Blackhole is most likely popular due to the ease of upgrading the kit,” said Larry Bridwell, AVG’s Global security strategist. “It’s the most actively developed of the current exploit kits and has ‘won the day’ for that market.  The author’s willingness to step away from standard zero-day or recently patched exploits and try other vulnerabilities like the more recent Java ones has made the success rate much higher than other similar kits.  Also, the rapid update capabilities of the kit have made it very difficult for AV (antivirus) vendors to match.”

According to security researchers, prices for the kit range from as little as $1,000 to as much as $4,000. Just recently, Jason Jones, Advanced Security Intelligence Team Lead for Hewlett Packard’s TippingPoint DVLabs, said he saw an offer to rent the kit for $50 a week and $150 a month on Pastebin.

“Blackhole has some decent marketing, but two things stand out for its popularity,” he said. “The first is the availability of an older version for free around the middle of last year which let people see it in action before choosing to pay for the newer releases with more vulnerabilities – we started seeing an increase in number of Blackhole samples collected not long after that. The second is that it has some good JavaScript obfuscation to help bypass security protections that are attempting to detect the malicious payloads used to launch the attacks.

Kits like Blackhole – in addition to for-sale botnet software like Zeus and SpyEye – have reduced the barrier of entry for cybercriminals, he added.

“The exploit kits make it easier to compromise a large number of users and the botnet software allows for management / control of the compromised hosts,” he said.

Attackers are aided by slow patch deployment by users. In March, vulnerability management firm Rapid7 estimated – based on statistics mostly from their customers – that a Java patch is deployed by less than 10 percent of users within a month of being released. After two months, the number increases to roughly 20 percent.

“There aren’t any toolkits that are particularly known for being equipped with a lot of zero-day exploits,” said Liam O Murchu, manager of operations for Symantec Security Response. “The reality is that most kits typically contain only recently patched vulnerabilities. These are more than sufficient, though, as there are plenty of systems out there that do not get regularly patched.”

Related Insight: BlackHole Exploit – A Savvy Cyber Gang Driving a Massive Wave of Fraud