The Black Hole exploit kit and the Carberp Trojan have a lovely, symbiotic relationship, and they’ve recently decided to take that relationship to the next level. In the last month there has been a major spike in the volume of Carberp infections originating from sites hosting Black Hole, most of them exploiting Java vulnerabilities.

Much of the jump in activity has occurred in Russia, where the attackers are primarily targeting online payment systems. However, the rise in Carberp infections isn’t limited to Russia. In fact, researchers at Eset found that in November, infections by the Trojan tripled overall from the month before. Attackers are using sites that have previously been compromised to host Black Hole as launching points for drive-by download attacks against visitors, installing Carberp once an exploit attempt succeeds.

“Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software,” Eset’s David Harley wrote in an analysis of the ongoing attacks. “In the last year Java has outpaced last year’s ‘leaders’ in exploitable application formats such as PDF and SWF (Adobe Flash file format), which are now more or less equal in second place. The vulnerabilities in Java are easier and more consistently exploitable than those in PDF and SWF. The code required for a working exploit is fairly small, and may be only a page in length. The exploited vulnerabilities aren’t really new: some of them are more than a year old.”

The findings regarding Java vulnerabilities are in line with what researchers at Microsoft found recently. The company found that Java exploits have far outpaced attacks against vulnerabilities in any other piece of software in the last year, and that many of the attacks on Java are targeting older vulnerabilities that have been patched for months or years. Java is ubiquitous and users seem to be slow in updating it, which leaves attackers with a lot of potentially vulnerable targets.

And the attackers who are using the Black Hole-Carberp cocktail are taking full advantage of that situation. Their infection method is simple and familiar: malicious code is planted on legitimate Web sites, which then redirect visitors to the sites that host the Black Hole kit. The kit fires off exploits against the user’s browser and its plug-ins and, if one succeeds, downloads and installs Carberp.
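The redirect chain described above leaves a recognisable footprint in web-proxy logs: a page on a legitimate site, a cross-site request to a third-party landing host, a Java archive fetched from that landing host, and then an executable from the same host. The script below reconstructs that sequence per client. It is an added example, not code from the article or from Eset; the simplified log format, the hostnames and the sample log lines are constructed for illustration, and the content-type and file-extension indicators are assumptions a defender would tune to their own proxy.

```python
"""Reconstruct drive-by download chains (compromised site -> exploit-kit
landing page -> Java archive -> executable payload) from proxy logs.

Added example for illustration; log format and hostnames are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log, one request per line:
#   "<epoch> <client_ip> <url> <referer-or-dash> <response content-type>"
# 10.0.0.5 follows the full chain; 10.0.0.9 fetches a cross-site .jar but
# never receives an executable, so it must not be reported.
SAMPLE_LOG = """\
1322700001 10.0.0.5 http://news.example.com/story.html - text/html
1322700002 10.0.0.5 http://news.example.com/style.css http://news.example.com/story.html text/css
1322700003 10.0.0.5 http://lp.ads-example.net/index.php?tp=1 http://news.example.com/story.html text/html
1322700004 10.0.0.5 http://lp.ads-example.net/content/applet.jar http://lp.ads-example.net/index.php?tp=1 application/java-archive
1322700006 10.0.0.5 http://lp.ads-example.net/w.php?f=17&e=1 - application/x-msdownload
1322700010 10.0.0.9 http://news.example.com/story.html - text/html
1322700011 10.0.0.9 http://cdn.example.org/lib.jar http://news.example.com/story.html application/java-archive
"""

# Assumed indicators; adjust to what your proxy actually records.
JAVA_TYPES = {"application/java-archive", "application/x-java-archive"}
JAVA_EXTS = (".jar", ".class")
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
WINDOW_SECONDS = 60  # whole chain must complete within this window


@dataclass
class Request:
    ts: int
    client: str
    url: str
    referer: str | None
    ctype: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def referer_host(self) -> str | None:
        return urlparse(self.referer).hostname if self.referer else None

    def is_java(self) -> bool:
        path = urlparse(self.url).path.lower()
        return self.ctype in JAVA_TYPES or path.endswith(JAVA_EXTS)

    def is_executable(self) -> bool:
        return self.ctype in EXE_TYPES


def parse_log(text: str) -> list[Request]:
    """Parse the constructed five-field log format into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, ctype = line.split()
        requests.append(Request(int(ts), client, url, None if referer == "-" else referer, ctype))
    return requests


def find_driveby_chains(requests: list[Request], window: int = WINDOW_SECONDS) -> list[dict]:
    """Return one chain per client that shows all three stages in order."""
    by_client: dict[str, list[Request]] = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)

    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, entry in enumerate(reqs):
            # Stage 1: a cross-site hop (redirect or iframe) from one host
            # into a different landing host.
            if not entry.referer_host or entry.referer_host == entry.host:
                continue
            landing = entry.host
            later = [r for r in reqs[i:] if r.host == landing and r.ts - entry.ts <= window]
            # Stage 2: a Java archive served by the landing host.
            java = next((r for r in later if r.is_java()), None)
            if java is None:
                continue
            # Stage 3: an executable from the landing host after the archive.
            payload = next((r for r in later if r.is_executable() and r.ts >= java.ts), None)
            if payload is None:
                continue
            chains.append({
                "client": client,
                "compromised_site": entry.referer_host,
                "landing_host": landing,
                "java_url": java.url,
                "payload_url": payload.url,
                "seconds": payload.ts - entry.ts,
            })
            break  # one alert per client is enough
    return chains


if __name__ == "__main__":
    for chain in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

Requiring all three stages from the same landing host within a short window is what keeps the legitimate cross-site .jar fetch by 10.0.0.9 out of the results; relaxing it to "any Java archive from a third-party host" would catch more kits but also every CDN-hosted applet.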

“Once the vulnerability has been successfully exploited the dropper is executed: in this case it is Carberp that is being dropped. To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it,” Harley said in his analysis.

Recent versions of Carberp also download and install targeted plug-ins designed to steal data from specific payment-processing software.

Categories: Hacks, Malware

Comments (9)

  1. Anonymous

    Thx for your article.

    I inadvertently clicked on an infected link, but I was using my iPhone 4 Safari browser, not my Mac, at the time…

    Can the Black Hole exploit kit infect my iPhone? What should I do now?

  2. Sir Frog

    If Sun/Oracle could learn how to patch instead of releasing gigantic updates for every release, I bet more people would update. Few things are as obnoxious and time-consuming as a Java update, so a lot of IT departments disable the updater by default.

    Also, what happened to the concept of a Java sandbox?

  3. Pantharen

    @iPhone user: Hell yes your iPhone can be targeted. As Apple is all too aware, because of the explosion of the iPhone, viruses are being created to target the iPhone and Macs directly. But Macintosh isn’t going to do anything about it, because they simply do not give a shit about the end user.

    Why is it that Android has an antivirus program available for it, and the iPhone does not?
