Advertisement
<a href="http://krebsonsecurity.com/public-java-exploit-amps-up-threat-level/?administer_redirect_13=http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Posts Tagged: exploit pack

    Latest Warnings / Time to Patch41 Comments
    30
    Nov 11

    Public Java Exploit Amps Up Threat Level

    An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

    On Monday, I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog today, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.

    Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

    This development should not be taken lightly by any computer user. According to Sun’s maker Oracle, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.025 Comments
    10
    Jan 11

    Exploit Packs Run on Java Juice

    In October, I showed why Java vulnerabilities continue to be the top moneymaker for purveyors of “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities. Today, I’ll highlight a few more recent examples of this with brand new exploit kits on the market, and explain why even fully-patched Java installations are fast becoming major enablers of browser-based malware attacks.

    Check out the screenshots below, which show the administration page for two up-and-coming exploit packs. The first, from an unusually elaborate exploit kit called “Dragon Pack,” is the author’s own installation, so the percentage of “loads” or successful installations of malware on visitor PCs should be taken with a grain of salt (hat tip to Malwaredomainlist.com). Yet, it is clear that miscreants who purchase this pack will have the most success with Java flaws.

    This blog has a nice writeup — and an additional stats page — from a compromised site that last month was redirecting visitors to a page laced with exploits from a Dragon Pack installation.

    The second image, below, shows an administrative page that is centralizing statistics for several sites hacked with a relatively new $200 kit called “Bleeding Life.” Again, it’s plain that the Java exploits are the most successful. What’s interesting about this kit is that its authors advertise that one of the “exploits” included isn’t really an exploit at all: It’s a social engineering attack. Specifically, the hacked page will simply abuse built-in Java functionality to ask the visitor to run a malicious Java applet.

    On Dec. 29, the SANS Internet Storm Center warned about a wave of Java attacks that were apparently using this social engineering approach to great effect. The attacks were taking advantage of built-in Java functionality that will prompt the user to download and run a file, but using an alert from Java (if a Windows user accepts, he or she is not bothered by a separate prompt or warning from the operating system).

    “If you don’t have any zero-days, you can always go back to exploiting the human!” SANS incident handler Daniel Wesemann wrote. “This is independent of the JRE version used – with JRE default settings, even on JRE1.6-23, all the user has to do is click ‘Run’ to get owned.  The one small improvement is that the latest JREs show ‘Publisher: (NOT VERIFIED) Java Sun’ in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click ‘Run’ anyway.”

    Continue reading →

    Latest Warnings / The Coming Storm / Time to Patch34 Comments
    18
    Oct 10

    Microsoft: ‘Unprecedented Wave of Java Exploitation’

    Microsoft Corp. today warned that it is seeing a huge uptick in attacks against security holes in Java, a software package that is installed on the majority of the world’s desktop computers.

    In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago:  Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

    Image courtesy Microsoft

    Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.

    My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

    Stewart asks, “Why has no one been talking about Java-based exploits?” Then she answers her own question:

    Continue reading →

    Other42 Comments
    5
    Aug 10

    Crimepack: Packed with Hard Lessons

    Exploit packs — slick, prepackaged bundles of commercial software that attackers can use to booby-trap hacked Web sites with malicious software — are popular in part because they turn hacking for profit into a point-and-click exercise that even the dullest can master. I’ve focused so much on these kits because they also make it easy to visually communicate key Internet security concepts that otherwise often fall on deaf ears, such as the importance of keeping your software applications up-to-date with the latest security patches.

    One of the best-selling exploit packs on the market today is called Crimepack, and it’s a kit that I have mentioned at least twice in previous blog posts. This time, I’ll take a closer look at the “exploit stats” sections of a few working Crimepack installations to get a better sense of which software vulnerabilities are most productive for Crimepack customers.

    Check out the following screen shot, taken in mid-June from the administration page of a working Crimepack exploit kit that targeted mostly German-language Web sites. This page shows that almost 1,800 of the nearly 6,000 people who browsed one of the stable of malicious sites maintained by this criminal got hacked. That means some software component that 30 percent of these visitors were running either in their Web browsers or in the underlying Windows operating system was vulnerable to known software flaws that this kit could exploit in order to install malicious software.

    Peering closer at the exploit stats, we see that one exploit was particularly successful: Webstart. This refers to a Java vulnerability that Oracle/Sun patched in April 2010, a powerful and widely-deployed software package that many users aren’t even aware they have on their systems, let alone know they need to keep it updated. (By the way, I got some serious flack for recommending that users who have no need for Java uninstall the program completely, but I stand by that advice.) As seen from the chart, this single Java flaw was responsible for nearly 60 percent of the successful attacks on visitors to these hacked sites.

    Continue reading →

    A Little Sunshine / Web Fraud 2.014 Comments
    16
    Apr 10

    iPack Exploit Kit Bites Windows Users

    Not long ago, there were only a handful of serious so-called “exploit packs,” crimeware packages that make it easy for hackers to booby-trap Web sites with code that installs malicious software.

    These days, however, it seems like we’re hearing about a new custom exploit kit every week. Part of the reason for this may be that more enterprising hackers are seeing the moneymaking potential of these offerings, which range from a few hundred dollars per kit to upwards of $10,000 per installation — depending on the features and plugins requested.

    Take, for example, the iPack crimeware kit, an exploit pack that starts at around $500.

    Continue reading →

    Web Fraud 2.037 Comments
    31
    Dec 09

    Virus Scanners for Virus Authors

    I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

    That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

    Enter upstart file-scanning services like av-check.com and virtest.com, which bank on the guarantee that they won’t share your results with the anti-virus community.

    For $1 per file scanned (or a $40 monthly membership) av-check.com will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec, and Trend Micro. “Each of them is setten [sic] up on max heuristic check level,” av-check promises. “We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also , we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers.” In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

    The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.

    Virtest checks malware suspicious files against a similar albeit slightly different set of anti-virus programs, also promising not to let submitted files get back to the anti-virus vendors: “Your soft isn’t ever sent anywhere and the files being checked will never appear in the fresh AV signature bases after scanning,” the site pledges. “On purpose in all AV-products are turned off all possible methods and initiatives of exchange of files’ info with the AV-divisions.”

    The proprietors of this service don’t even try to hide the fact that they have built it for malware writers. Among the chief distinguishing features of virtest.com is the ability for malware authors to test “exploit packs,” pre-packaged kits that — when stitched into a malicious or hacked Web site — serve the visitor’s browser with a kitchen sink full of code designed to install software via one of several known security holes. Many anti-virus programs now also scan Web pages for malicious content, and this service’s “exploits pack check” will tell malware authors whether their exploit sites are triggering virus alerts across a range of widely-used anti-virus software.

    But don’t count on paying for these services via American Express: Both sites only accept payment via virtual currencies such as Webmoney and Fethard, services that appear to be popular with the online shadow economy.