In the last six months, two million users have been targeted in cyber-attacks using Java exploits
Kaspersky Lab has published the results of its research into one of the most popular methods of infecting computers – exploiting vulnerabilities in legitimate software and, in particular, the use of exploit packs. According to researchers, Java exploits are the tool of choice for cybercriminals, and this is hardly surprising: in the last 12 months alone, over 161 vulnerabilities in the JRE (Java Runtime Environment) were detected. From March to August 2013, Kaspersky Security Network recorded attacks involving Java exploits that affected more than 2 million users.
During the research, Kaspersky Lab’s experts examined how computers were infected with the help of the BlackHole exploit pack, one of the most popular packs of its kind on the market along with Nuclear Pack, Styx Pack and Sakura. The BlackHole pack includes exploits targeting vulnerabilities in Adobe Reader, Adobe Flash Player, Oracle Java and other popular software. Because the operation of all exploit packs relies on what is essentially the same algorithm, the Kaspersky Lab experts picked three Java exploits from BlackHole to illustrate the working principles of exploit packs.
The BlackHole case study was also used to demonstrate how security components can interact with malicious code at various stages, including the stage when it calls exploits targeting specific vulnerabilities:
- blocking the start page of the exploit pack (i.e. the first page of the exploit pack the user sees after being redirected from a legitimate site);
- detection using file antivirus (if the user nonetheless reaches the start page of the exploit pack);
- signature-based exploit detection (in case the security solution failed to detect the start page of the exploit pack);
- proactive exploit detection (used if all signature-based security components fail to detect anything malicious while scanning the contents of the exploit pack, and the exploit manages to launch);
- detection of malicious downloads (if the exploit manages to escape detection, it attempts to download a malicious payload and launch it on the victim computer).
“Today, if a cybercriminal wants to infect computers, say, with a modification of the ZeuS Trojan, all he needs to do is to buy a pre-prepared exploit pack, configure it and entice as many potential victims as possible to its landing page. The problem of ‘black holes’ remains relevant despite studies of the infection mechanism of exploit packs and comprehensive solutions offered by security vendors. In Java’s case, the software manufacturer is quite prompt in responding to newly detected vulnerabilities and releases the appropriate patches. However, end users typically do not rush to install updates, and cybercriminals seize the initiative by creating new malicious programs to attack known vulnerabilities,” said Vyacheslav Zakorzhevsky, Head of the Vulnerability Research Group at Kaspersky Lab.
So far, exploit packs have given cybercriminals an extremely reliable means of infecting computers if there is no security system installed on them and at least one popular software package is installed with an unpatched vulnerability. It is no surprise that infections via exploit packs are a popular method among cybercriminals: it is extremely difficult for an unwary and unprotected user to detect them.
The process starts by redirecting the user to the exploit pack landing page. Cybercriminals use a wide variety of methods to do this, including spam messages with links to the pages. However, the most dangerous case is when legitimate sites are compromised and malicious script code or iframes are injected into them. In such cases, it is enough for a user to visit a familiar site for a drive-by attack to be launched and for an exploit pack to begin working surreptitiously. Cybercriminals can also use legitimate advertising systems, linking banners and teasers to malicious pages.
The only surefire way to prevent an attack is to ensure that none of the software the exploit pack requires is installed on the computer. As soon as a user visits the landing page, cybercriminals retrieve information from the victim’s computer, including the OS version, the web browser and any installed plugins, local language configuration, etc. If the cybercriminals see that the required combination is present – and with the vulnerabilities found in popular packages like Adobe Reader, Adobe Flash Player and Oracle Java, the combination is usually there – then the appropriate exploits are selected to carry out the attack on the computer in question.
Another reason an attack may not take place is that cybercriminals try to prevent the exploit pack’s contents from falling into the hands of experts at anti-malware companies or other researchers. For example, they may ‘blacklist’ IP addresses used by research companies (crawlers, robots, proxy servers), block exploits from launching on virtual machines, etc.
The complete version of the research is available at securelist.com.