New ‘Nice Pack’ Exploit Kit Found, Thousands of Owned Sites Redirecting Users to Attack Site

A new exploit pack has appeared on the scene in the last week or so and it already is causing trouble for users, with thousands of compromised Web sites redirecting users to a page that is hosting the pack and exploiting vulnerabilities on their machines to install malware.

The attackers behind the exploit pack, known as Nice Pack, are following the tried and true path blazed by groups that use other better-known exploit kits such as Black Hole. The attackers are using various techniques to compromise a large number of legitimate Web pages, on which they then place malicious JavaScript that will redirect unsuspecting users to the remote site that’s hosting the exploit pack itself.

This is the same attack sequence that the crews who have been employing Black Hole and other exploit kits have been using for some time now. In fact, security researchers say that the JavaScript code that they’ve seen redirecting users to the site hosting Nice Pack is identical to the code that attackers recently used in the attack on MySQL.com that was redirecting users to the Black Hole exploit kit. Researchers at the Dell SecureWorks Counter Threat Unit discovered the Nice Pack kit recently and say that its immediate goal is to install the ZeroAccess Trojan on compromised machines.

ZeroAccess is a relatively new Trojan, but it’s not unlike many of its predecessors in that it is meant to remain hidden on users’ PCs and gather confidential information and ship it off to a remote attacker. ZeroAccess has some rootkit-like capabilities that enable it to hook the operating system at a low level and remain persistent on the infected machine after reboots and attempts to remove it.

In conjunction with the appearance of the Nice Pack exploit kit, SecureWorks researchers said they also have seen an increase in attacks by ZeroAccess in recent weeks. Nice Pack, like other exploit kits, takes a broad-based approach in its efforts to compromise as many machines as possible, firing off exploits against a menu of applications.

“It is exploiting vulnerabilities in various versions of Java, Flash and Adobe. If successful, it is downloading a newer Trojan in the malware market, one which we have just seen in the news since the second quarter of this year. It is called ZeroAccess Trojan, and it does have rootkit capability,” Ben Feinstein, director of operations and analysis for the SecureWorks CTU, said. “Coincidentally, in the past week, the CTU has detected many attempted attacks by the ZeroAccess Trojan, across a wide range of industry verticals including financial, healthcare, education, utilities and manufacturing, which would indicate that it is being used in a broad-based attack, mounted by a Web Based Exploit Kit.”

The company said that it has seen approximately 16,000 compromised pages that are redirecting users to the site that’s hosting the Nice Pack exploit kit.
