Blackhole Exploit Kit's Dominance On Infected Hosts Could Push Rivals To the Cloud

2012-02-08T12:00:00
ID THREATPOST:01E51D8701DF136AE3EAB199F3574F94
Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:32:51

Description

The Blackhole exploit kit has a near monopoly on infected Web pages, according to Web security firm M86’s latest Security Labs Report, issued today. (PDF)

The bi-annual report, which covers the last half of 2011, July to December, describe Blackhole as the source of a whopping 95 percent of all the malicious URLs identified by M86 systems in the second half of 2011. The cyber criminals behind Blackhole aren’t resting on their laurels, either, but are investing in research and development to make sure Blackhole offers the latest and most effective exploits available on the cyber underground.

Black hole is one of a slew of Web exploit kits – software that acts like a Swiss Army knives for launching Web based attacks from compromised Web pages. More than half of the most common vulnerability exploits in the last half of 2011 could be launched from the Blackhole exploit kit including some high profile bugs in Adobe, Java and Microsoft products, M86 reported.

Blackhole was clearly the favored exploit kit of cyber criminals, easily overtaking an old favorite, the Phoenix exploit kit, which infected a mere 1.3 percent.

“We’ve been quite surprised by the impact and dominance of Blackhole,” Bradley Anstis, M86’s Vice President of Technical Strategy told Threatpost Tuesday.

Anstis credited the toolkit’s creators for Blackhole’s runaway popularity after owners funneled revenue back into the kits to make sure each version is adequately updated to handle the latest vulnerabilities. For example, it only took a few days for Blackhole to adapt last November when it went on to exploit a zero-day in Oracle’s Java applet. The cyber criminals merely disabled the kit’s existing PDF and browser exploits and replaced them with Java exploits, according to the report.

“We’d never seen an exploit kit update itself to use the latest vulnerabilities that quickly before,” Anstis said.

He predicted that the groups behind rival exploit kits will look for a way to get a leg up on Blackhole looks in 2012. One possible option that those kits might turn to is to shift to the cloud, said Anstis.

“If another exploit kit got their act sorted out and actually converted from being a perpetual licensing scheme to being a subscription service on a cloud infrastructure for their customers … Blackhole’s dominance might be challenged.”

In other news, M86 saw spam e-mail levels fell dramatically last year. The percentage of malicious spam ramped up, with eight of the top spamming botnets responsible for 90 percent of the spam M86 monitored, the report found.

The lack of spam can be credited to take downs of major botnets, and other fluctuations. However, the increase in the percentage of all spam that was malicious was “much higher than they’ve ever been” in 2011, according to Anstis.

Much of the malware-laden e-mail came as part of campaigns using fake notifications, including e-mail claiming to originate from electronic payment associations, the FDIC and even FedEx.

“Spammers are starting to branch out and become more run-of-the-mill cyber criminals,” Anstis said, “[They’re] looking at banking Trojans and data-stealing key loggers and seeing what they can actually capture.”

Finally, M86 found a stark increase in sophisticated targeted attacks in 2011. Those include the attack on RSA’s SecureID technology using a vulnerability in Adobe PDF documents and sophisticated malware like Duqu that took advantage of a hole in Microsoft Word documents. Hackers continue to hone their attacks to escape detection by faking digital certificates, embedding malware and targeting critical infrastructure, M86 found.

Blackhole infected a whopping 95.1 percent of malicious URLs in the second half of 2011 compared to the first half.