BlackHole Exploit Kit 2.0 Released !! (Collection of Latest Exploit Modules)
BlackHole exploit kit - which is so far recognized as the most successful exploit kit that includes a collection of exploits to take advantage of vulnerability in the target's machine to download malwares & infect the victim, now became more power full as The BH developers have unleashed a new version of their exploit toolkit on the net. With BlackHole 2.0, the software has been "rewritten from scratch" to fool antivirus & firewall, said the unknown developers in a Russian-language release announcement on Pastebin. In their posting, they advertise new features such as temporary exploit URLs that are only valid for a few seconds, making them harder to analyse. The other features are also quite worthy and makes it a quite faster exploit kit like the new version doesn’t rely on plugindetect to determine the Java version installed. This will speed up the malware download routine. As the link to the malicious payload was easily identified by security software earlier, the BlackHole 2.0 comes with a feature that allows the customer to choose the link. The creators of the exploit kit claim that this way none of the commercial antivirus solutions is able to detect it. Old exploits that were causing the browser to crash have been removed.
A total of 16 improvements have been claimed to be done in BlackHole’s administrator panel. Now it’s faster, statistics are easier to view, and mobile phones and Windows 8 have been added to allow customers to see precisely what types of devices are infected. The price for the services are quite comparative. All you need is criminal intent and money. The toolkit can now even be rented for a $50 a day and will then run on a server that is owned by the BlackHole team. The annual licence fee for criminals who use their own servers is $1,500. Detailed information about BH 2.0 can be here.
BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September of 2010 and ever since then has quickly been gaining market share over its vast number of competitors. In fact, many antivirus vendors now claim that this is one of the most prevalent exploit kits used in the wild. Even Malware Domain List is showing quite a few domains infected with the BlackHole exploit kit. TDS or Traffic Direction Script. While this is not an entirely new concept in attack toolkits the TDS included her is much more sophisticated and powerful than those in other kits. A TDS is basically an engine that allows redirection of traffic through a set of rules. For example, a user can set up a set of rules that redirect flow to different landing pages on their domain. These rules could be based on operating system, browser, country of origin, exploit, files, etc. One rule might redirect traffic to page A for all users that are running Windows OS from XP to Vista and running IE 8, while another rule can redirect Windows 7 users to page B. Those were just simple example rules.
More advanced rules could set expiration dates for certain payloads and replace them with new ones when the date is reached. The TDS included in BlackHole even goes the extra step and allows you to create traffic flows based on these rules and provides management interface for the flows. A savvy malicious user with a lot of experience could easily utilize this rule engine to increase their infection numbers.From a web application standpoint BlackHole is built just like other kits, consisting of a PHP and MySQL backend. Since the majority of web servers run on the LAMP stack this enabled for very easy applicationdeployment. The user interface for this kit is a cut about the rest, and it definitely looks nicer than almost any other attack kit.
Security researcher and journalist Brian Krebs has found evidence that a recently discovered vulnerability in Java is being added to the 'BlackHole' exploit kit. The vulnerability was discovered a few weeks ago and makes use of the Rhino Script Engine to run arbitrary code outside the sandbox. Following a patch released by Oracle, the exploit works against all but the latest versions of Java.
Although there is evidence suggesting that this exploit is currently only used to target computers running Windows, the fact that Java is cross-platform makes these vulnerabilities popular for those who want to attack other operating systems, such as Mac OS X. Java exploits are therefore commonly used in exploit kits such as 'BlackHole'. This kit, which can be bought on the black market, attempts to gain access to the victim's system via exploits in commonly used browser add-ons such as Java, Flash and Adobe Reader. It is usually embedded into legitimate but hacked websites via hidden iframes, making those who avoid the more obscure corners of the Internet just as vulnerable to such attacks. Making sure software is always up to date (or in the case of Java, as Krebs suggests, uninstalled when not needed) is thus an essential step Internet users should take to keep their computers secure.
The sad irony is that 'customers' of 'BlackHole' are having their kits automatically 'patched' to include this latest exploit, Krebs found on underground forums. This is yet another sign of how cybercriminals have become as professional as legitimate software companies.
0-day Vulnerability Found in Java Spotted in the Wild
Yet another 0-day vulnerability found by FireEye's Malware Intelligence Lab that affects all the latest version of Java , including the current Java 7 update 6, are also vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems. The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware. Thecode to exploitthe problem is already available on the internet, making its use for infecting systems very likely. There is no patch available for the flaw so it is essential that users disable the Java plugins used by their browsers. Instructions for the various browsers can be found below:
Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. "Exploit code for the Java vulnerabilities has been added to the most prevalent exploit kit out there, Blackhole," said Websense in a short post on its company blog. The addition of the exploit to Blackhole was cited by FireEye researcher Atif Mushtaq in a similar blog entry yesterday as the basis for a spike in attacks. "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands," said Mushtaq.
Cyber criminals will jump at any chance and use any news to spread malware, and news doesn't get much bigger right now than the death of Osama bin Laden.
It was obvious that we would see SEO poisoning leading to malware, image search poisoning, spam campaigns, and so on. At the same time, cyber criminals also like to get lucky, which happened here.
Twitter is a great source of information, and in the aftermath of the news of bin Laden's death, people started noticing that a Twitter account called @ReallyVirtual based in Abbottabad, Pakistan had tweeted about hearing helicopters and explosions in the area six hours before the news became public. Essentially he live tweeted during the attack.
Mr. Athar links to his blog on Twitter, and I'm sure a lot of users who saw his tweets went there. Unfortunately for them, the site was compromised and was serving a poorly detected malware through the Blackhole Exploit Kit.
Below is a screenshot of the exploit code on the page: Anyone going to this page would also load content from the malicious URL above, and the Blackhole Exploit Kit would then try to use several exploits to automatically install malware on the PC. “Cybercriminals are constantly exploiting where the masses go, and news on Osama bin Laden’s death is no exception. We wanted to warn everyone looking for news on Osama bin Laden’s death to be cautious when clicking on new links. Make no mistake—hackers are going to go after websites, like @ReallyVirtual’s, along with search engine results to prey on visitors looking for more information. Compromises on breaking news items are also very dangerous to organizations because employees who are searching online can potentially put an organization at risk for exploit and data loss.” – Patrik Runald, Senior Manager, Security Research, Websense Security Labs
Linux/Cdorked.A: One of The Most Sophisticated Apache Backdoor Targets Millions of Websites to Serve Blackhole Exploit
ESET one of the world renowned security firm headquartered in Bratislava have figured out what it called a malicious cyber rampage targeting millions of cPanel-based servers. Since last few months security experts have been tracking server level compromises that have been utilizing malicious Apache modules to inject malware into websites and redirecting some of its requests to the infamous Blackhole Exploit packs. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated and this new malware has been dubbed "Linux/Cdorked.A." Several analysis reveals that it is a sophisticated and stealthy backdoor meant to drive traffic to malicious websites. According to the official blog post of ESET - Linux/Cdorked.A is one of the most sophisticated Apache backdoor's we have seen so far. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.
This malicious cyber rampage was first detected by another security firm named 'Sucuri' and later ESET published a detailed analysis of the issue. But still there are thoughtful matter as already thousands of websites get infected. The attack is particularly dangerous as Apache web servers are among the most well-known and widely-used in the world and are used by numerous companies. This means that a successful security breach can affect numerous different businesses across a diverse range of industries.
As this malware also known as Linux/Cdorked.A has already been spotted in the wild, so on behalf of cyber media, we urge all the concern system administrator, security analyst to take care of the above issue while to checking their servers and verify that they are not affected by this threat. Detailed instructions to perform this check are provided in the ESET blog.
Security experts warning to Netizens that online scammers may seek to exploit the death of Al-Qaida leader Osama bin Laden to spread malware has come true.
According to security firm Websense, the website of Sohaib Athar (@ReallyVirtual), the man who unknowingly gave live ring-side view of the bin Laden's death on microblogging site Twitter, has been hacked.
Websense has discovered that the website belonging to Athar has been compromised by hackers and leads to the Blackhole exploit kit. This means Web surfers who visited Athar's blog, Reallyvirtual.com, early on Monday may have malware silently installed on their computers.
According Websense, "Anyone going to this page would also load content from the malicious URL ..., and the Blackhole Exploit Kit would then try to use several exploits to automatically install malware on the PC."
The malware that the drive-by-download attempts to install is a fake system tool named 'WindowsRecovery' that claims to have found problems on the victim's computer. To convince the user that something really is wrong with the system, the malware hides all files and folders in the hard drives and on the desktop says Websense in its blogpost.
And, not surprisingly, scammers offer the user a quick solution to this problems with a purchase of the premium version of 'WindowsRecovery', adds the blog post
Cyber criminals are distributing mass on the internet while sending rogue email notifications about changes in Microsoft's Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware. Oracle left a security flaw in one of the world’s most widely used programs unpatched for four months and then issues a half-baked fix, the company is practically inviting cyber criminals to exploit its users en mass. And as expected the invitation has been accepted.
The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company's Services Agreement that will take effect Oct. 19. "This email is a legitimate announcement regarding updates to the
Microsoft Services Agreement and Communication Preferences," a Microsoft
program manager for supporting mail technologies who identifies herself
as Karla L, said on the Microsoft Answers website in response to a user inquiring about the authenticity of the email message.
However,
she later acknowledged the existence of reports about malicious emails
that use the same template. "If you received an email regarding the
Microsoft Services Agreement update and you're reading your email
through Hotmail or Outlook.com, the legitimate email should have a Green
shield that indicates the message is from a Trusted Sender," she said.
"If the email does not have a Green shield, you can mark the email as a
Phishing scam."
However,
in the malicious versions of the emails, the correct links have been
replaced with links to compromised websites that host attack pages from
the Blackhole exploit toolkit. Blackhole is a tool used by
cybercriminals to launch Web-based attacks that exploit vulnerabilities
in browser plug-ins like Java, Adobe Reader or Flash Player, in order to
install malware on the computers of users who visit compromised or
malicious websites.
This type of attack is known as a drive-by
download and is very effective because it requires no user interaction
to achieve its goal. The malicious Java applet used in this attack is detected by only eight
of the 42 anitivirus engines available on the VirusTotal file scanning
service. The Zeus variant has a similarly low detection rate.
"We're receiving multiple reports of a phishing campaign using the
template from a legitimate Microsoft email regarding Important Changes
to Microsoft Services Agreement and Communication Preferences," Russ
McRee, security incident handler at the SANS Internet Storm Center, said
Saturday in a blog post.
Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk
Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco yet again another critical Java vulnerability has been spotted in the wild. The Polish security researcher Adam Gowdiak has found another vulnerability in Java that could allow an attacker to bypass the sandbox. This newly discovered security hole has effected all latest versions of Oracle Java SE software. According to Security Explorations researcher Adam Gowdiak, who sent the
email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.” So far the researcher were able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass
in the environment of Java SE 5, 6 and 7. Researcher could only claim such an impact with reference to Java 7 environment (the
Apple QuickTime attack relying on Issues 15 and 22 is the only exception here).
The following Java SE versions were verified to be vulnerable:
Java SE 5 Update 22 (build 1.5.0_22-b03)
Java SE 6 Update 35 (build 1.6.0_35-b10)
Java SE 7 Update 7 (build 1.7.0_07-b10)
All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:
Firefox 15.0.1
Google Chrome 21.0.1180.89
Internet Explorer 9.0.8112.16421 (update 9.0.10)
Opera 12.02 (build 1578)
Safari 5.1.7 (7534.57.2)
So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. Here we want to remind the very recent history, when several zero day vulnerability was found in all the version of java, which was added on BlackHole Exploit kit. Later Oracle released a patch to close the security hole.
Oracle Released Emergency Update to PatchJava 0day(CVE-2012-4681)
Zero-day vulnerabilities in Java, which was on the spotlight for last few days; takes a new direction. Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. As expected Oracle has released an emergency update to address those zero-day vulnerabilities. This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Supported Products Affected
Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Users running Java SE with a browser can download the latest JRE 7 release from http://java.com/. Users on the Windows platform can also use automatic updates to get the latest JRE 7 and 6 releases.
Also Java 7 Update 7 is now available to download for Windows (32- and 64-bit), Linux (32- and 64-bit), Mac OS X (64-bit), Solaris x86 (32- and 64-bit) and Solaris SPARC (32- and 64-bit). JDKs with the updated Java runtimes are also available. Users with Java installed on their systems, whatever operating system, should install the updates as soon as possible because malicious software that uses the vulnerability is already in circulation. For detailed information click here.
MYSQL.com compromised and giving malware warning to the visitors. MySQL is one of the most widely used RDBMS you will find 6 out of 10 websites are usingd using MySQL. Mysql.com was also hacked earlier due to SQL injection vulnerability on their website. According to a blog post at Armorize, Mysql.com has been hacked and is currently serving malware. Armorize had detected the compromise through its website malware monitoring platform HackAlert, and has analyzed how the compromise of the site’s visitors unfolds. The mysql.com website is injected with a script that generates an iFrame that redirects the visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php, where the BlackHole exploit pack is hosted.
According to The Researcher:- “It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java,), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Here is a video Released By Armorize to show you the Reality:-
We all are aware of that Mr. Steve Jobs death. But this phenomena has beeing misused by cyber criminals. Previously we have seen Facebook scam happened after the death of a public figure, a scam was started on Facebook Thursday to exploit the death of Steve Jobs. Claiming that free iPads were being given away in “in memory of Steve,” the Facebook page was quickly taken down after the media began to report on it.
But it not yet over Security researchers from M86 Labs have intercepted a currently spreading malware campaign a Steve Jobs spam campaign, with the subject suggesting that he is still alive.
Steve Jobs Alive!
Steve Jobs Not Dead!
Steve Jobs: Not Dead Yet!
Is Steve Jobs Really Dead?
The URL links in the spam are many and varied. The websites that they point to all look to be hacked by the addition of obfuscated code that, after two layers of redirects, ultimately ends up at a BlackHole exploit kit landing page.
The intermediary redirect URLs are random-looking domains, with a top level domain of .ms (Monserrat in case you didn’t know), here are some examples: hxxp://xnyiinobfb[dot]ce[dot]ms/index.php hxxp://derhvbq[dot]ce[dot]ms/index.php
The purpose of the exploit kit is to try and exploit vulnerabilities on the system and eventually download malicious executable files. At this stage, we are not sure what the ultimate payload is, as no files were actually downloaded on our test system.
Unfortunately, many people may find this spam campaign “click-worthy” given the icon that Steve Jobs was. The usual advice applies – avoid clicking links in unsolicited email. In this case, one simple click is all it takes to get compromised.
