Today, exploiting vulnerabilities in legitimate programs is one of the most popular methods of infecting computers. According to our data, user machines are most often attacked using exploits for Oracle Java vulnerabilities. Today’s security solutions, however, are capable of effectively withstanding drive-by attacks conducted with the help of exploit packs. In this article, we discuss how a computer can be infected using the BlackHole exploit kit and the relevant protection mechanisms that can be employed.

Exploit packs

As a rule, instead of using a single exploit, attackers employ ready-made sets known as exploit packs. This helps them to significantly increase the effectiveness of ‘penetration’, since each attack can utilize one or more exploits for software vulnerabilities present on the computer being attacked.

Whereas in the past exploits and malicious programs downloaded with their help to victims’ computers were created by the same people, today this segment of the black market operates according to the SaaS (Software as a Service) model. As a result of the division of labor, each group of cybercriminals specializes in its own area: some create and sell exploit packs, others lure users to exploit start pages (drive traffic), still others write the malware that is distributed via drive-by attacks. Today, all a cybercriminal wishing to infect user machines with, say, a variant of the ZeuS Trojan needs to do is buy a ready-made exploit pack, set it up and get as many potential victims as possible to visit the start page (also called a landing page).

Attackers use several methods to redirect users to an exploit pack’s landing page. The most dangerous one for users is hacking pages of legitimate websites and injecting scripts or iframe elements into their code. In such cases, it is enough for a user to visit a familiar site for a drive-by attack to be launched and for an exploit pack to begin working surreptitiously. Cybercriminals can also use legitimate advertising systems, linking banners and teasers to malicious pages. Another method that is popular among cybercriminals is distributing links to the landing page in spam.

Infecting user machines using exploit packs: an overview diagram

There are numerous exploit packs available on the market: Nuclear Pack, Styx Pack, BlackHole, Sakura and others. In spite of the different names, all these ‘solutions’ work in the same way: each exploit pack includes a variety of exploits plus an administrator panel. Moreover, the operation of all exploit packs is based on what is essentially the same algorithm.

One of the best-known exploit packs on the market is called BlackHole. It includes exploits for vulnerabilities in Adobe Reader, Adobe Flash Player and Oracle Java. For maximum effect, exploits included in the pack are constantly modified. In early 2013, we studied three exploits for Oracle Java from the BlackHole pack, so we selected BlackHole to illustrate the operating principles of exploit packs.

It should be noted that all data on exploits, the contents of start pages and other specific information discussed in this article (particularly the names of methods and classes and the values of constants) was valid at the time the research was carried out. Cybercriminals are still actively developing BlackHole: they often modify the code of one exploit or another to hinder detection by anti-malware solutions. For example, they may change the decryption algorithm used by one of the exploits. As a result, some of the code may differ from that shown in the examples below; however, the underlying principles of operation will remain the same. We print all changeable data in small type.

An exploit pack’s start page is used to determine input parameters and make decisions on the exploit pack’s further actions. Input parameters include the version of the operating system on the user machine, browser and plugin versions, system language, etc. As a rule, the exploits to be employed in attacking a system are selected based on the input parameters. If the software required by the exploit pack is not present on the target computer, an attack does not take place. Another reason an attack may not take place is to prevent the exploit pack’s contents from falling into the hands of experts at anti-malware companies or other researchers. For example, cybercriminals may ‘denylist’ IP addresses used by research companies (crawlers, robots, proxy servers), block exploits from launching on virtual machines, etc.

The screenshot below shows a sample of code from the landing page of the BlackHole exploit kit.