
Blackhole Exploit Kit Gets an Upgrade

timothy posted more than 2 years ago | from the so-dense-not-even-light-browsing-can-escape dept.

Crime 43

wiredmikey writes "The popular Blackhole exploit kit, assumed to be created and maintained by an individual going by the online moniker of 'Paunch,' who continuously updates the browser exploit software, looks like it has just received another upgrade. The exploit works by infecting a user when they visit a Blackhole-infected site, and their browser runs the JavaScript code, usually via a hidden iframe. If the location or URL for the malicious iframe changes or is taken down, all of the compromised sites will have to be updated to point to this new location, making it hard for the attackers. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain. Moreover, the kit's recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft's XML Core Services, which remains unpatched. Unfortunately, the changes prove once again that the criminal economy online is alive and well."
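The summary describes two things a defender can look for on a compromised page: an iframe that is hidden from the visitor, and a src domain that looks pseudo-randomly generated rather than chosen by a person. The scanner below is an added example, not code from the summary, Sophos or the kit; the sample HTML is constructed and the random-looking domain in it is made up under the reserved .test TLD. Its "registrable label" choice (the label before the last dot) is an assumption that ignores multi-label suffixes such as co.uk.

```python
import math
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic for a concealed frame: zero/one-pixel size or a hiding style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width in {"0", "1"} or height in {"0", "1"}


def dga_score(host):
    """Score a hostname for machine-generated look, 0 (plain) to 11 (very random).

    Points for high Shannon entropy, scarce vowels, length and embedded digits.
    Assumption: the label before the last dot is the registrable one."""
    labels = host.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0
    n = len(label)
    entropy = -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))
    vowel_ratio = sum(label.count(v) for v in "aeiou") / n
    digits = sum(ch.isdigit() for ch in label)
    score = 0
    if entropy > 3.5:
        score += 4
    if vowel_ratio < 0.2:
        score += 3
    if n >= 12:
        score += 2
    if digits >= 3:
        score += 2
    return score


def find_suspicious_iframes(html, threshold=6):
    """Return (src, score) for hidden iframes whose host scores at or above threshold."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if not host or not is_hidden(attrs):
            continue
        score = dga_score(host)
        if score >= threshold:
            hits.append((src, score))
    return hits


# Constructed sample page (not captured from any real compromised site): one
# ordinary video embed and one hidden frame pointing at a made-up domain.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.example-video.test/embed/123" width="640" height="360"></iframe>
<iframe src="http://xq7vkd92hzt1m.test/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>
"""
```

Run `find_suspicious_iframes(SAMPLE_HTML)` to get the hidden frame with its score; the visible video embed is never scored, and a normal name such as slashdot.org scores 0.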


shhhhh (-1)

Anonymous Coward | more than 2 years ago | (#40526781)

post first is best first

Core XML Services (1)

i kan reed (749298) | more than 2 years ago | (#40526851)

Does that mean Windows Firefox users are ostensibly safe? I don't know what library Firefox uses for XML parsing.

Re:Core XML Services (2)

rbrausse (1319883) | more than 2 years ago | (#40526969)

AFAIK Mozilla includes the expat [libexpat.org] parser.

Re:Core XML Services (1)

noh8rz5 (2674523) | more than 2 years ago | (#40527119)

maintained by an individual going by the online moniker of 'Paunch,'

that's what my wife calls me!

Firefox + NoScript (4, Insightful)

Anonymous Coward | more than 2 years ago | (#40526871)

Problem fecking solved. Nobody should be running without a script blocker in this day and age.

Re:Firefox + NoScript (5, Interesting)

lostsoulz (1631651) | more than 2 years ago | (#40526929)

Broadly agreed, but t'Internet is a woeful mess of script upon script upon script. I use NoScript, Ghostery, AdBlock Plus and HTTPS Everywhere...but sometimes find well-known sites that still b0rk until I reconfigure an addon.

Re:Firefox + NoScript (0)

Anonymous Coward | more than 2 years ago | (#40526975)

Indeed. JavaScript should be disabled by default in any browser, and the user should have to whitelist the sites she wants it enabled for. Anything else is gross negligence on the part of browser writers.

The evidence JS is unsafe cannot be disputed.

Re:Firefox + NoScript (0, Insightful)

Anonymous Coward | more than 2 years ago | (#40527095)

The evidence anything executable is unsafe cannot be disputed.

FTFY. That includes JS, NPAPI, ActiveX, NaCl and whatever somebody will think up next.

I've turned JS off in my Opera (can whitelist individual sites through F12 - Site preferences - Scripting), and plugins are configured to run on click.

Re:Firefox + NoScript (4, Insightful)

JDG1980 (2438906) | more than 2 years ago | (#40529007)

If you run NoScript, essentially every web site in existence is broken by default and has to be whitelisted. If you get into the habit of auto-allowing everything, you're no safer than you would be without it installed, and if you don't, then you have to manually spend 5 minutes picking and choosing which scripts you have to enable for the page to work.

Re:Firefox + NoScript (0)

Anonymous Coward | more than 2 years ago | (#40529111)

Exactly my words. Wish I had mod points.

Re:Firefox + NoScript (2)

Trilkin (2042026) | more than 2 years ago | (#40530617)

More like 10 seconds. It's a compromise worth the time.

Re:Firefox + NoScript (1)

w.hamra1987 (1193987) | more than 2 years ago | (#40539109)

That's why I prefer "Request Policy" much more than NoScript; I don't use NoScript.

With "Request Policy" it blocks any external resources and allows any script being loaded or run from the same domain you're visiting. Malicious ads and scripts are always external, and you're safe. With many sites, like Slashdot, you have external elements and scripts from a domain being used as a CDN; you can whitelist it in 2 clicks and keep the rest blocked. Very easy, and it maintains compatibility and security.

Re:Firefox + NoScript (1)

trifish (826353) | more than 2 years ago | (#40529125)

No, problem isn't solved. But believe whatever you want.

Lowest common denominator (1)

Anonymous Coward | more than 2 years ago | (#40526897)

Unfortunately, the changes prove once again that the criminal economy online is alive and well.

Just in case you were living under a rock in fantasyland with the cyber fairies where the robot unicorns roam free unhampered by criminals...

Re:Lowest common denominator (1)

slyrat (1143997) | more than 2 years ago | (#40530529)

Just in case you were living under a rock in fantasyland with the cyber fairies where the robot unicorns roam free unhampered by criminals...

You leave my robot unicorns out of this!

Before a knee jerk posts... (5, Insightful)

trifish (826353) | more than 2 years ago | (#40526901)

Before a knee jerk posts "I use NoScript -- I'm safe!"...

This doesn't mean that JavaScript is insecure. It just means there's an exploitable unpatched vulnerability in JS in some browser. The fact that this malware uses JavaScript + iframe doesn't mean JavaScript is inherently insecure or less secure than bare HTML.

And now the worst news of all for you: the HTML engine (or any other portion) of the browser can and often does contain exploitable unpatched vulnerabilities. So even if you disable JavaScript you can get infected.

The bottom line: the best way to protect yourself is to honor the following three golden rules:

1. Keep your browser and OS updated with security fixes.

2. Don't visit suspicious websites and don't open suspicious email attachments.

3. Use a good antivirus that monitors your internet traffic.

Profit?

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40526939)

You don't know how plugins work with modern browsers. Please stop pretending that you do.

Without the JS redirect, there is no avenue for infection. Period. NoScript will stop this, properly configured. Period. Because of the nature of the kit, most antivirus products WILL NOT protect you from the threat. Period.

Re:Before a knee jerk posts... (4, Insightful)

f3rret (1776822) | more than 2 years ago | (#40526993)

You don't know how plugins work with modern browsers. Please stop pretending that you do.

Without the JS redirect, there is no avenue for infection. Period. NoScript will stop this, properly configured. Period. Because of the nature of the kit, most antivirus products WILL NOT protect you from the threat. Period.

Yes, this particular exploit (and any other JS-based exploits, probably). The guy you are replying to said that while NoScript might protect you from JS-based exploits, it does not protect you from exploits that target elements not affected by NoScript or exploits aimed at NoScript itself.

The internet is a dangerous place, sometimes bad stuff slips through the cracks. There isn't a silver bullet solution that will keep you 100% safe 100% of the time.

Re:Before a knee jerk posts... (2)

Viol8 (599362) | more than 2 years ago | (#40527183)

"The internet is a dangerous place"

Not that you're overegging it at all. The internet may be many things but dangerous it isn't. Not until someone plugs a browser into an industrial robot.

"There isn't a silver bullet solution that will keep you 100% safe 100% of the time."

I've been using the internet for 20 years and the web since about 1995. I've never once had a machine become infected with malware or a virus despite never using a virus scanner, though I will admit someone once hacked an ftp server I hadn't upgraded. Want to know my secret? It's called unix/linux.

Re:Before a knee jerk posts... (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40527473)

How do you know you have never had an infection if you don't occasionally scan? Exploits for Linux-based systems have been found in the wild before -- Red Hat releases patches on an almost daily basis. You are certainly /more/ secure than a Windows user, but the only truly secure system is the one without both power and network connectivity. You are advocating a poor security posture by suggesting that Linux users need not worry about infection.

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40528089)

And no one has ever opened your home's door and snooped around while you are out. How would you know if you don't check?

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40531883)

"Not until someone plugs a browser into an industrial robot."

I laughed out loud upon reading that, because I thought about our US government, which had a virus tailor made to infect industrial computers and cause real physical damage (in one case quite dangerous) to the equipment, in hopes of impeding nuclear weapons development in Iran.

It was bouncing around the internet for weeks, everyone on high alert because it had been detected, but hadn't "triggered" yet.

Then it got in exactly as planned through a spoofed email.

Bottom line people, don't plug your industrial LAN into the WAN!

BTW: Tor Browser seemed unaffected by the iFrame exploit. I haven't found anything about how it handles Java when allowed but the machine I was testing it on had the vulnerability assessment page whitelisted to allow pretty much everything. I was working from the assumption that a local user would click Allow on anything the website requested in order to view the latest links. Can anyone clear this up for me? Does Tor Browser trim iFrame content or was something else possibly blocking it at the system level?

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40535613)

Let's compare the time you lose to bad flow design to the time I lose removing a virus every couple of years. If you're running a webserver linux makes sense, but for everyday tasks I'll keep windows thank you.

Yeah let's compare cedega/wine to windows when it comes to gaming...oh shit got it there too. Also my games aren't a chore to install on windows. I think "hardcore" linux advocates just like the extra time it takes to do things. It's like a really bad version of world of warcraft (time-wasting program), but instead of killing shit you're spending free time using wrapper to install your wireless card. Goddamn

As a fairly seasoned linux/unix (yes, both ) I am honestly confused by linux being advocated as a home desktop solution...It's like a chick who isn't as beautiful, but makes up for it with her personality, but oh shit that's not good either. As in linux looks bad, and runs my applications poorly, from an objective standpoint. Things take longer, it's not an opinion.

What is the appeal? To seem "high tech"?

Re:Before a knee jerk posts... (1)

Redmancometh (2676319) | more than 2 years ago | (#40535723)

Goddamn I'm funny.

Period (0)

Anonymous Coward | more than 2 years ago | (#40526999)

Ending your sentences with "period" will not make them automatically un-refutable. Period. :)

Re:Before a knee jerk posts... (2)

plover (150551) | more than 2 years ago | (#40527081)

You're a couple posts behind staving off the knee jerks. However, the safety of NoScript isn't the primary reason I run it. It's the crap that third party scripts "add to browsing experience" that I find useless at best; distracting in most cases of advertising; and tracking sites that are actively harmful to my privacy as well as to the accuracy of the web in general because their results are used by marketers to manipulate search engine results via their SEO activities.

And I would argue against your assertion that JavaScript is secure. The problem is that it's so complex, and that it interacts in so many different ways with browsers, that the many implementers have unintentionally created a seemingly limitless supply of security holes.

Re:Before a knee jerk posts... (2)

Inda (580031) | more than 2 years ago | (#40527295)

NoScript. How can you view the WWW with that installed?

I installed it. Visited a dozen of my favourite sites. Whitelisted half of them, because I trust them. OK so far.

It's the new sites where the problems start. Google says, on the top result, I can convert XYZ online, using forms. Excellent. Only that functionality no longer exists. Maybe the site is broken. Maybe Google is mistaken. Maybe I'll look at the source. Maybe I'll try the next site.

I'm struggling to think of the exact reason I uninstalled it; it all happened so fast. It was missing content; probably forms.

I was writing JS back when it was nasty. I'm fine with the reasons people on Slashdot use NoScript. It does not pass the "Dad check" though. It makes for a crap browsing experience. Sites should degrade nicely without JS, but they don't - why would they when 99.9% of people don't know their iFrame object from their multidimensional array?

Re:Before a knee jerk posts... (3, Insightful)

plover (150551) | more than 2 years ago | (#40527807)

Funny, I often wonder how so many people can view the WWW without NoScript installed! Zooming up fake windows, continually scrolling sidebars, attack ads, "do you want to chat with a representative online" boxes, it seems like there are usually about three things to dismiss before even uncovering most content.

However, I'd certainly agree that NoScript is not for the uninitiated. It doesn't pass the mom test, or even the wife test. Most people just want things to work, and are willing to put up with whatever crap they're served in order to get it. I'm willing to view the static content, and if there's something deeper to explore, I understand up front that I might have to whitelist a few things to get it to work. Note that you can configure NoScript to automatically permit scripts originating from "base 2nd level domains" (i.e. allow everything from *.foobar.com when you're on www.foobar.com), which generally enables local content to work just fine, while still preventing XSS nonsense. The only place where I commonly run into trouble is with video content, as it's generally hosted somewhere else like Vimeo or YouTube, and with third party SSO providers like Yahoo. In all, over many years of browsing I've added some margin of trust for about a hundred sites which seem to have taken care of most of those issues.
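The "base 2nd level domains" setting described in this post and the RequestPolicy rule a few posts up (allow same-domain resources, whitelist one CDN) amount to the same decision. The code below is an added example, not code from either extension or from any poster; the suffix table is an assumed stand-in for the real Public Suffix List, and the page and resource URLs are constructed (the random-looking one is made up under the reserved .test TLD).

```python
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List, just enough for
# the sample hosts below; a real implementation would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def base_domain(host):
    """Return the registrable ("base 2nd level") domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decide(page_url, resource_url, allowlist=frozenset()):
    """'allow' for resources from the page's own base domain or from an
    allowlisted base domain (the CDN case); 'block' for any other origin."""
    page_host = urlparse(page_url).hostname or ""
    res_host = urlparse(resource_url).hostname or ""
    if not page_host or not res_host:
        return "block"
    res_base = base_domain(res_host)
    if res_base == base_domain(page_host) or res_base in allowlist:
        return "allow"
    return "block"


def audit(page_url, resource_urls, allowlist=frozenset()):
    """Map each resource URL loaded by a page to its allow/block decision."""
    return {url: decide(page_url, url, allowlist) for url in resource_urls}


# Constructed sample: the page's own subdomain, a CDN the user has chosen to
# trust, a tracker, and a random-looking domain of the kind the story describes.
PAGE = "https://www.foobar.com/news"
RESOURCES = [
    "https://static.foobar.com/site.js",
    "https://cdn-host.example/jquery.js",
    "https://ads.tracker.example/pixel.js",
    "http://xq7vkd92hzt1m.test/in.php",
]
USER_ALLOWLIST = {"cdn-host.example"}
```

`audit(PAGE, RESOURCES, USER_ALLOWLIST)` allows the first two and blocks the rest; without the allowlist the CDN script is blocked too, which is the "site b0rks until I whitelist it" case.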

Re:Before a knee jerk posts... (1)

plover (150551) | more than 2 years ago | (#40528923)

Oh, and I forgot to mention the most important recovery method: if it's too hard to view, it's just the freakin' web - I go back to my search results and find the info on a different site. There are usually dozens of other sites willing to provide me the information without making me endure their JavaScript stupidity.

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40530611)

Funny, I often wonder how so many people can view the WWW without NoScript installed! Zooming up fake windows, continually scrolling sidebars, attack ads, "do you want to chat with a representative online" boxes, it seems like there are usually about three things to dismiss before even uncovering most content.

I've taken to (ab)using AdBlock for that. Pop-over? Tell AdBlock it's an ad, block it. Social toolbar? Tell AdBlock it's an ad, block it. Useless revolving slideshow? Tell AdBlock it's an ad. Stupid "you might be interested in" iFrame? Tell AdBlock it's an ad, because it IS a friggin' ad. Pretty soon, most of your experience is clear of such nonsense.

No, I don't submit these to the filter maintainers, I just use them as a personal blacklist. Though some of them probably qualify as bona fide ads.

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40532017)

Adding a HOSTS file is by no means a total solution, but it is easy, works on all machines (all Windows versions, all Mac, all Linux, even rooted iOS and Android), blocks both ads and IP phishing images, requires no additional software, is free, and definitely passes the Mom test.

I run three browsers and visit all kinds of questionable dark alleys on the internet, but a HOSTS file and the browser's built-in pop-up blocking take care of nearly all the ads I see. Flash gets through sometimes, as does direct IP linking or a DDNS relay. Hence my reading of this article, as pages and iFrames can't retrieve data from blacklisted IPs, but a clever redirect would avoid that.

Plus it's a blacklist, so it gets outdated after a while.

But I always put a HOSTS file on all my machines and virtual machines. There's just no reason not to.

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40532125)

Wait, I use four browsers, but Tor Browser doesn't really count because:

A) It's just an old version of Firefox with some plugins.

B) I use Tor Browser via P2P VPN encrypted tunnels through about a dozen peer proxies, in a Virtual Machine that is missing most MS services and reverts to a Snapshot every time you're done using it. If hackers can get anything useful from that, it's because I typed it in for them.

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40527217)

Or,
1. use lynx or links
who needs images, js, flash, et al...

Re:Before a knee jerk posts... (2)

firewrought (36952) | more than 2 years ago | (#40529323)

This doesn't mean that JavaScript is insecure. It just means there's an exploitable unpatched vulnerability in JS in some browser. The fact that this malware uses JavaScript + iframe doesn't mean JavaScript is inherently insecure or less secure than bare HTML.

This is the wrong way to see this. A markup language that generates a static DOM (from which a GUI is rendered) is inherently more secure than a programming language that has access to a large set of supposedly sandboxed APIs in that, while both can have vulnerabilities, the latter has considerably more "surface" to attack. Exploits may leverage one-off, soon-to-be-patched bugs to do their nasty work, but--statistically speaking--these bugs are going to arise more often in the more complex piece of software, and it's going to keep happening so long as new browser code is being written. NoScript nets a huge surface reduction and big security win here.

And now the worst news of all for you: the HTML engine (or any other portion) of the browser can and often does contain exploitable unpatched vulnerabilities. So even if you disable JavaScript you can get infected.

This is a good reminder. An example would be the 2004 exploit in Microsoft's JPEG code. But it would be interesting to see stats about how often the rendering engine is a vector of attack. I'm thinking it's relatively rare (although part of that would be that JS gets more attention from black hats because it's more fertile ground to begin with).

Re:Before a knee jerk posts... (1)

hesaigo999ca (786966) | more than 2 years ago | (#40529741)

>1. Keep your browser and OS updated with security fixes.
Useless, this is based on a flawed model from the beginning, the OS will always be insecure,
as it does not follow military-grade standards, and the population will always be left to use inferior products

>2. Don't visit suspicious websites and don't open suspicious email attachments.
They do not know in advance if a site is suspicious....until someone detects it...
I can also write javascript code that morphs continuously so that no entity (google) will
permanently block my sites...

and if I don't open email attachments, what is the use of email at all then....
I want to send some files in my email to my boss for review,....
if you say no attachments should be open, that makes emails useless...
and you and I both know even if you trust the source, emails can still contain viruses...

>3. Use a good antivirus that monitors your internet traffic.
AV software doesn't monitor IP traffic, firewalls do....get an AV with a built-in firewall...
Most firewalls bundled with AV are not on the same level as corporate-level firewalls....
they are inferior, and only work when people know what to look for...in advance...
most people don't know how to use firewalls...and won't take the time to....
hence why firewalls are useless to a regular end user...

Re:Before a knee jerk posts... (0)

Anonymous Coward | more than 2 years ago | (#40530847)

Here's our present security model for networked applications: Patches on top of patches on top of insecure, poorly designed systems. Putting the onus for security on end users, while simultaneously training end users to click away any annoying window that pops up in front them. Expecting developers to always follow best practices.

Or, maybe we should be designing these systems with security in mind from the ground up?

(sarcasm warning) Oh, but the technorati already know how to defend their systems. If average users are too stupid to take care of their own computers, maybe they shouldn't be on the Internet.

Re:Before a knee jerk posts... (1)

Crag (18776) | more than 2 years ago | (#40531577)

And now the worst news of all for you: the HTML engine (or any other portion) of the browser can and often does contain exploitable unpatched vulnerabilities. So even if you disable JavaScript you can get infected.

I was going to call "citation needed", but then I Googled around and found an example [metasploit.com] .

The bottom line: the best way to protect yourself is to honor the following three golden rules:

1. Keep your browser and OS updated with security fixes.

2. Don't visit suspicious websites and don't open suspicious email attachments.

3. Use a good antivirus that monitors your internet traffic.

Profit?

I'm not a fan of antivirus software, but otherwise I completely agree. Defense-in-depth is the only defense.

Re:Before a knee jerk posts... (1)

iiiears (987462) | more than 2 years ago | (#40533021)

How many ad servers do you contact with each page visited?

How motivated would attackers be to compromise any ad server?

Once again? (1)

gmuslera (3436) | more than 2 years ago | (#40527091)

We are seeing criminal use of the economy every day, online or not; it should not be so surprising.

The editors are being lazy again... (0)

Anonymous Coward | more than 2 years ago | (#40527275)

Is there a site like Slashdot but has editors who read and care about posts? I mean come on guys, the article linked (second link) in the summary has nothing about the flaw in Microsoft's XML Core Services...

correction! (0)

Anonymous Coward | more than 2 years ago | (#40527709)

"Unfortunately, the changes prove once again that the criminal economy(*) online is alive and well."
(*) insert favourite M[ulti-billion]$ corporation here

My website got infected with this Exploit kit (1)

TeriMaKiChooth (1925618) | more than 2 years ago | (#40531009)

This was a senseless attack on my website (www.silversash.com). I was providing an Oracle DBA/Developer tool for free. I had to spend weeks trying all different things to clean it up. Ultimately I wiped out the entire contents and rebuilt the website. May this guy turn into a leper with gnarly fingers!!

A "Fix-It" patch exists from Microsoft... apk (0)

Anonymous Coward | more than 2 years ago | (#40531059)

http://support.microsoft.com/kb/2719615 [microsoft.com]

* And, there you go...

APK

P.S.=> So much for the article's statement of:

"attack that targets a flaw in Microsoft's XML Core Services, which remains unpatched. Unfortunately, the changes prove once again that the criminal economy online is alive and well."

To that?

Ahem: It's only "alive & well", IF YOU'RE STUPID... period!

(Sorry, I have to be as forthcoming as I can & blunt about that much!)

---

For FIREFOX Users:

Others here noted using NoScript - excellent idea, for FireFox users...

---

For OPERA Users:

Opera users have a "by site preferences" that allows users to BLOCK JAVASCRIPT ON ALL SITES (except for the "exceptions sites" that you create - Where you actually NEED it)

---

All of the above SHOULD "do the job" nicely, vs. these online idiots that create malware, easily, per ALL of the above!

... apk
