Security Threat Report 2013

New platforms and changing threats

Anatomy of an attack: Drive-by downloads and Blackhole

Drive-by downloads are nothing new—they’ve been around for a number of years. These attacks exploit multiple unpatched vulnerabilities in the user’s browser, browser plugin, application or operating system. Hackers can either lure users to malicious sites they have injected with malicious code or hack legitimate sites to host the malware. Because legitimate sites are generally trusted and may be popular, high-traffic venues, they can be very successful for distributing malware to unsuspecting visitors through the browser.

The most popular drive-by malware we’ve seen recently is called Blackhole. It’s marketed and sold to cybercriminals as a typical professional crimeware kit that provides web administration capabilities, but it also offers sophisticated techniques to generate malicious code. And it’s very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious.

How Blackhole works

Blackhole mainly spreads malware through compromised websites that redirect to an exploit site, although we’ve also seen cybercriminals use spam to redirect users to these sites. This year we’ve seen numerous waves of attacks against thousands of legitimate sites.

We’ve also noticed cybercriminals abusing a number of free hosting sites to set up new sites specifically to host Blackhole.

Just like the Blackhole kit itself, the code injected into the legitimate sites is heavily obfuscated and polymorphic, making it harder to detect. The typical payloads we see from Blackhole exploit sites include:

  • Bot-type malware such as Zbot (aka Zeus)
  • Rootkit droppers (for example TDL and ZeroAccess)
  • Fake antivirus
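
As an added illustration (not code from the report), the following Python scanner applies defender-side heuristics to the injected, obfuscated redirect code described above: it flags obfuscation calls and long escape runs, then peels off one layer of percent/hex escaping at a time and rescans, so a hidden frame that only appears after decoding is still caught. The indicator weights and the two sample pages are assumptions constructed for this example.

```python
import re

# Heuristic indicators of injected, obfuscated redirect code. The weights are an
# assumption chosen for illustration, not values from the report.
INDICATORS = [
    ("obfuscation_call", re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I), 2),
    ("dynamic_write", re.compile(r"document\.write(?:ln)?\s*\(", re.I), 1),
    ("escape_run", re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){20,}", re.I), 2),
    ("hidden_iframe", re.compile(
        r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)",
        re.I), 3),
]

def decode_layer(text: str) -> str:
    """Undo one layer of %XX / \\xXX string escaping so hidden markup can be rescanned."""
    text = re.sub(r"%([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), text, flags=re.I)
    return re.sub(r"\\x([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), text, flags=re.I)

def scan_page(html: str, max_layers: int = 3):
    """Score a page; returns (score, {indicator: decode depth at which it first matched})."""
    score, findings, layer = 0, {}, html
    for depth in range(max_layers + 1):
        for name, pattern, weight in INDICATORS:
            if name not in findings and pattern.search(layer):
                findings[name] = depth
                score += weight
        nxt = decode_layer(layer)   # peel one obfuscation layer and rescan
        if nxt == layer:            # nothing left to decode
            break
        layer = nxt
    return score, findings

# Constructed samples (not real Blackhole injections): a clean page and the same
# page with an escaped, hidden redirect frame written in via document.write().
CLEAN_PAGE = '<html><body><h1>Store</h1><script src="/js/app.js"></script></body></html>'
_HIDDEN_FRAME = '<iframe src="http://exploit-site.invalid/" width=0 height=0></iframe>'
INJECTED_PAGE = ('<html><body><h1>Store</h1><script>var s="'
                 + "".join(f"%{ord(c):02X}" for c in _HIDDEN_FRAME)
                 + '";document.write(unescape(s));</script></body></html>')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_page(page))   # clean -> (0, {}); injected -> (8, {..., 'hidden_iframe': 1})
```

Because the hidden frame is only matched at decode depth 1, a scanner that inspects the raw page text alone would miss it; the escape-run and obfuscation-call hits are what justify peeling the layer.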

Typically, the malware on these sites targets Java, Flash and PDF vulnerabilities. At SophosLabs we saw a continual bombardment of new PDF, Flash, Java and JavaScript components each day for several months at the end of 2011. We’ve seen a huge rise in the volume of malicious Java files, virtually all of them from exploit sites such as Blackhole.

The dark genius of crimeware kits like Blackhole is that they continuously update as new vulnerabilities are discovered. However, many computers will continue to be infected through older Java vulnerabilities because they aren’t up to date with the latest patches. The system for patching plugins and third-party applications like Java is not nearly as mature as Microsoft’s monthly Patch Tuesday process.