The Black Hole exploit kit and the Carberp Trojan have a lovely, symbiotic relationship and they’ve recently decided to take that relationship to the next level. In the last month, there has a been a major spike in the volume of Carberp infections related to attacks from sites hosting Black Hole, mostly exploiting Java vulnerabilities.
Much of the jump in activity has occurred in Russia, and the attackers are targeting online payment systems primarily. However, the rise in Carberp infections isn’t limited to Russia. In fact, researchers at Eset found that in November, infections by the Trojan tripled overall from the month before. Attackers are using sites that have previously been infected with Black Hole as launching points for drive-by download attacks against visitors and install Carberp after the exploit attempt succeeds.
“Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software,” Eset’s David Harley wrote in an analysis of the ongoing attacks. “In the last year Java has outpaced last year’s ‘leaders’ in exploitable application formats such as PDF and SWF (Adobe Flash file format), which are now more or less equal in second place. The vulnerabilities in Java are easier and more consistently exploitable than those in PDF and SWF. The code required for a working exploit is fairly small, and may be only a page in length. The exploited vulnerabilities aren’t really new: some of them are more than a year old.”
The findings regarding Java vulnerabilities are in line with what researchers at Microsoft found recently. The company found that Java exploits have far outpaced attacks against vulnerabilities in any other piece of software in the last year, and that many of the attacks on Java are targeting older vulnerabilities that have been patched for months or years. Java is ubiquitous and users seem to be slow in updating it, which leaves attackers with a lot of potentially vulnerable targets.
And the attackers who are using the Black Hole-Carberp cocktail are taking full advantage of that situation. Their infection method is fairly simple and familiar, with malicious code being hosted on legitimate Web site, which then redirects victims to sites that house the Black Hole kit. The kit then fires off exploits against the user’s browser, and, if successful, downloads and installs Carberp.
“Once the vulnerability has been successfully exploited the dropper is executed: in this case it is Carberp that is being dropped. To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it,” Harley said in his analysis.
Recent versions of Carberp also are downloading and installing some targeted plug-ins that are designed to steal data from specific payment-processing software.