June 14, 2021

Exploit Kits Updated to Use Recent Java Vulnerability

(LiveHacking.Com) – One of the biggest threats to Internet users isn’t the individual vulnerabilities found in operating systems (like Windows or OS X), web browsers (like IE, Firefox and Chrome) or software (like Adobe Acrobat or Flash), but the exploit kits which combine exploits for these known vulnerabilities into a single package that is then deployed by cyber criminals and malware writers to infect and control victims’ computers.

Although attacks can be launched (and have been launched) using individual vulnerabilities, the greatest damage is done with these exploit kits, and the cyber criminals know it. It also seems that the pace of development of these kits is increasing. Until recently, exploit kits tended to use exploits which had been known for at least a year, and their development seemed slow. However, according to research by M86 Security, two “popular” exploit kits have been updated to exploit a vulnerability in Java which was discovered less than two months ago.

CVE-2011-3544, which was discovered by Michael ‘mihi’ Schierl, allows arbitrary Java code to run outside of the sandbox due to a vulnerability in the Rhino Script Engine. Not long after the discovery, an exploit module was published in Metasploit. The Blackhole exploit kit has now been modified to exploit clients that have Java installed, using the CVE-2011-3544 vulnerability. A few days later, a new version of the Phoenix exploit kit, 3.0, was released, only a few weeks after the release of its predecessor, Phoenix 2.9.

“The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor” wrote Daniel Chechik.

What this shows is that cybercriminals aren’t relying on zero-day flaws; rather, they are using known (and patched) vulnerabilities, counting on victims who have not yet applied the vendor’s update.

61% of all Web-based Malware Created With DIY Kits

Symantec has released a new report on attack toolkits and their increasing use for creating DIY malware. Since attack toolkits can be used by novices and experts alike, the report finds that these DIY malware kits are now being used by more traditional criminals to create new waves of organized cybercrime.

As an example, Symantec points to the case of the ZeuS attack kit, which steals bank account credentials. In September 2010, police broke up a ring of cybercriminals who, it is alleged, used a ZeuS botnet in the theft of more than $70 million from online banking and trading accounts over an 18-month period.

Other popular packs include MPack, Neosploit, ZeuS, Nukesploit P4ck, and Phoenix. The increased popularity of these attack kits has spawned an underground economy in the buying and selling of these suites. For example, in 2006 WebAttacker, a popular attack toolkit, sold for $15 on the underground economy. In 2010, ZeuS 2.0 was advertised for up to $8,000.

“In the past, hackers had to create their own threats from scratch. This complex process limited the number of attackers to a small pool of highly skilled cybercriminals,” said Stephen Trilling, senior vice president, Symantec Security Technology and Response. “Today’s attack toolkits make it relatively easy for even a malicious novice to launch a cyberattack. As a result, we expect to see even more criminal activity in this area and a higher likelihood that the average user will be victimized.”

The prediction for 2011 is that as more and more traditional criminals enter the fray, the number of attacks will increase.