October 22, 2014

58% of vulnerabilities which exploit kits try to use are over 2 years old

(LiveHacking.Com) – A new report from the security company Solutionary has revealed that 58% of the vulnerabilities targeted by the top exploit kits are at least two years old. In total the company looked at 26 of the most common exploit kits and found exploit code from nine years ago. The fact that code from 2004 is still in the kits implies that old vulnerabilities are still fruitful for cyber criminals.

Further analysis showed that 58% of the vulnerabilities targeted are over two years old. Solutionary also say that the number of newly discovered and disclosed vulnerabilities has declined since 2010.

It seems as if Russia is the center for exploit development, with 70 percent of kits released or developed there. Following Russia come China and Brazil. Of these kits, BlackHole 2.0 continues to be the most often-used exploit kit, while the lesser known Phoenix 3.1 exploit kit offers the highest number of vulnerabilities.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” said Rob Kraus of Solutionary. “Exploit kits largely focus on targeting end-user applications. As a result, it is vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise.”

The popularity of BlackHole was also confirmed when Solutionary saw that 30% of the malware samples were indirectly linked to the BlackHole exploit kit, while 18% of the malware samples were directly attributed to BlackHole.

On the effectiveness of anti-virus solutions, the report found that anti-virus and anti-malware software cannot detect 67 percent of the malware being distributed.

The rise of the Sweet Orange exploit kit

(LiveHacking.Com) – Since the main purpose of malware is to make money, it is only to be expected that as many parts of the process as possible are streamlined and automated. This is why many pieces of malware use command and control (C&C) servers to automate the infection, the spreading and ultimately the fraudulent aspects of the malware. Another highly streamlined aspect is the creation of the virus or trojan that infects and delivers the payload to a victim’s computer. To this end malware authors have developed exploit kits, which allow criminals to create new viruses with the desired payload in a very short amount of time. The most popular exploit kit is known as Black Hole; it accounts for some 40 percent of all toolkits detected.

Version 2.0 of Black Hole was recently released, and it is claimed to be harder for anti-virus programs to detect. But Black Hole isn’t the only exploit kit in town. One of the competing exploit kits is known as “Sweet Orange.” According to Chris Larsen of Blue Coat, malware analysts are finding more and more examples of Sweet Orange based malware.

Sweet Orange is similar to other exploit kits in that it has a database backend to store information about successful infections and to gather statistics about its exploits for Java, PDF, IE and Firefox. However, it does claim something quite unique: according to the sales copy, Sweet Orange is able to drive 150,000 unique visitors to a site every day.

Since the whole process is automated, the ferocity of Sweet Orange is high. With an infection rate of up to 15% and 150,000 unique visitors a day to the predefined malicious webpage, that means that 10,000 new PCs are infected every day. That is 300,000 in one month, a huge pool of victims exposed to banking trojans, fake AV malware and the like.

Such a high rate of infection needs a substantial infrastructure. The problem is that this infrastructure remains hidden and only parts of it can be seen, rather like an iceberg.

“Thanks to WebPulse, and the amount of traffic that comes through each day, Blue Coat can see a lot more of the iceberg,” said Jeff Doty of Blue Coat. “In my research, I found 45 different IP addresses (and a total of 267 different domains) that are dedicated to Sweet Orange.”

Exploit Kits Updated to Use Recent Java Vulnerability

(LiveHacking.Com) – One of the biggest threats to Internet users isn’t the individual vulnerabilities found in operating systems (like Windows or OS X), web browsers (like IE, Firefox and Chrome) or software (like Adobe Acrobat or Flash), but the exploit kits which combine the exploits for these known vulnerabilities into a package that is then deployed by cyber criminals and malware writers to infect and control victims’ computers.

Although attacks can be launched (and have been launched) using individual vulnerabilities, the greatest damage is done with these exploit kits, and the cyber criminals know it. It also seems that the speed of development of these kits is increasing. Until recently exploit kits tended to use exploits which had been known for at least a year, and their development seemed to be slow. However, according to research by M86 Security, two “popular” exploit kits have been updated to exploit a vulnerability in Java which was discovered less than two months ago.

CVE-2011-3544, which was discovered by Michael ‘mihi’ Schierl, allows arbitrary Java code to run outside of the sandbox due to a vulnerability in the Rhino Script Engine. Not long after the discovery, an exploit module was published in Metasploit. Now the Blackhole exploit kit has been modified to exploit clients that have Java installed, using the CVE-2011-3544 vulnerability. A few days later, a new version of the Phoenix exploit kit, 3.0, was released, only a few weeks after the release of its predecessor, Phoenix 2.9.

“The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor” wrote Daniel Chechik.

What this shows is that cybercriminals aren’t actively relying on zero-day flaws; rather, they are using known (and patched) vulnerabilities.