New ‘Nice Pack’ Exploit Kit Found, Thousands of Owned Sites Redirecting Users to Attack Site

A new exploit pack has appeared on the scene in the last week or so and it already is causing trouble for users, with thousands of compromised Web sites redirecting users to a page that is hosting the pack and exploiting vulnerabilities on their machines to install malware.

The attackers behind the exploit pack, known as Nice Pack, are following the tried and true path blazed by groups that use other better-known exploit kits such as Black Hole. The attackers are using various techniques to compromise a large number of legitimate Web pages, on which they then place malicious JavaScript that will redirect unsuspecting users to the remote site that’s hosting the exploit pack itself.

This is the same attack sequence that the crews who have been employing Black Hole and other exploit kits have been using for some time now. In fact, security researchers say that the JavaScript code that they’ve seen redirecting users to the site hosting Nice Pack is identical to the code that attackers recently used in the attack on MySQL.com that was redirecting users to the Black Hole exploit kit. Researchers at the Dell SecureWorks Counter Threat Unit discovered the Nice Pack kit recently and say that its immediate goal is to install the ZeroAccess Trojan on compromised machines.

ZeroAccess is a relatively new Trojan, but it’s not unlike many of its predecessors in that it is meant to remain hidden on users’ PCs and gather confidential information and ship it off to a remote attacker. ZeroAccess has some rootkit-like capabilities that enable it to hook the operating system at a low level and remain persistent on the infected machine after reboots and attempts to remove it.

In conjunction with the appearance of the Nice Pack exploit kit, SecureWorks researchers said they also have seen an increase in attacks by ZeroAccess in recent weeks. Nice Pack, like other exploit kits, takes a broad-based approach in its efforts to compromise as many machines as possible, firing off exploits against a menu of applications.

“It is exploiting vulnerabilities in various versions of Java, Flash and Adobe. If successful, it is downloading a newer Trojan in the malware market, one which we have just seen in the news since the second quarter of this year. It is called ZeroAccess Trojan, and it does have rootkit capability,” Ben Feinstein, director of operations and analysis for the SecureWorks CTU, said. “Coincidentally, in the past week, the CTU has detected many attempted attacks by the ZeroAccess Trojan, across a wide range of industry verticals including financial, healthcare, education, utilities and manufacturing, which would indicate that it is being used in a broad-based attack, mounted by a Web Based Exploit Kit.”

The company said that it has seen approximately 16,000 compromised pages that are redirecting users to the site that’s hosting the Nice Pack exploit kit.

Discussion

  • Anonymous on

    What are some of the common indicators for this attack? IP addresses, domain names, filenames, etc... Thank you
