BlackHole toolkit updated to target Microsoft XML flaw


The BlackHole exploit kit, a crimeware application that helps criminals exploit software vulnerabilities in order to install malware, has been updated again, this time with an exploit for an unpatched vulnerability in Microsoft XML Core Services (MSXML).

The newly added exploit targets a recently disclosed zero-day flaw in MSXML, Sophos researchers said Friday. Tracked as CVE-2012-1889, the bug allows a remote attacker to execute arbitrary code on a user's computer if the user views a specially crafted web page in Internet Explorer. In early June, Microsoft acknowledged that the flaw was being actively exploited in the wild.

At the time of writing the flaw is unpatched, although Microsoft has released a Fix-It tool that organizations can apply to mitigate the issue while they wait for a patch. The Fix-It is a temporary workaround, not a replacement for the eventual security update. Exploit code for the vulnerability has already been added to the Metasploit penetration-testing framework, so it is available to anyone who wants it.

"As soon as we see exploit kits targeting new vulnerabilities, we can expect to see a lot more users getting infected – especially if the vulnerabilities are zero-days," Fraser Howard, a principal virus researcher at Sophos, wrote Friday on the Naked Security blog. He said he expected a "significant portion, if not all," of BlackHole sites to use the new version within days, and was surprised that hasn't happened yet.

BlackHole is one of the most popular crimeware kits available online. Criminals first compromise a legitimate site, usually one running an outdated version of an off-the-shelf content management system or e-commerce application, and inject code that sends its visitors to the kit. Visitors landing on the hacked site are either redirected to a BlackHole landing page or hit directly with a drive-by download, in which the kit checks the visitor's browser and plug-ins and serves an exploit for whichever of them is vulnerable. The kit commonly exploits vulnerabilities in Java, Adobe Reader, Flash or Internet Explorer. WordPress blogs are frequently among the compromised sites.

Drive-by download attacks are responsible for the majority of user infections today, and exploit kits such as BlackHole are the usual means of building them, Howard said.

This is the second major update to BlackHole in recent weeks. As reported last week, the developers added functionality that automatically redirects users from a compromised website to the server that is actually serving the malware. Before the update, if the malware-serving site moved or was taken down, every compromised site pointing to it had to be modified by hand to point to the new location. With the update, the redirect is updated automatically.
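The chain described above (compromised site, redirect to an exploit-kit landing page on another domain, then a payload download seconds later) leaves a recognisable footprint in web proxy logs. The following is an added example of reconstructing that footprint; it is not code from the article, from Sophos or from the kit itself. The log format (timestamp, client, method, URL, status, content type, referer), the domains, the URL paths, the 30-second window and the registrable-domain approximation are all assumptions made for the example, and the sample log lines are constructed, not real traffic.

```python
"""Spot exploit-kit redirect chains in web proxy logs.

Pattern: a client fetches an HTML page on site A, is referred to an HTML
"landing" page on a different site B, and within a short window fetches a
payload (exe/jar/pdf/swf) whose referer is site B.  Heuristic example only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Response content types typical of exploit-kit payloads and malware droppers.
PAYLOAD_TYPES = {
    "application/x-msdownload",      # .exe
    "application/octet-stream",
    "application/java-archive",      # .jar
    "application/pdf",
    "application/x-shockwave-flash",
}
WINDOW = timedelta(seconds=30)   # assumed: landing -> payload within 30 s

# Constructed sample records (assumed format): time client method url status ctype referer
SAMPLE_LOG = """\
2012-06-15T10:00:01 10.0.0.5 GET http://example-blog.test/2012/06/post.html 200 text/html -
2012-06-15T10:00:02 10.0.0.5 GET http://cdn.example-blog.test/style.css 200 text/css http://example-blog.test/2012/06/post.html
2012-06-15T10:00:03 10.0.0.5 GET http://redir.tds.test/in.php 302 text/html http://example-blog.test/2012/06/post.html
2012-06-15T10:00:04 10.0.0.5 GET http://landing.example.test/main.php?page=4f3a9c1b2d7e8a61 200 text/html http://example-blog.test/2012/06/post.html
2012-06-15T10:00:06 10.0.0.5 GET http://landing.example.test/w.php?f=3c1&e=2 200 application/x-msdownload http://landing.example.test/main.php?page=4f3a9c1b2d7e8a61
2012-06-15T10:05:00 10.0.0.9 GET http://news.example.test/ 200 text/html -
2012-06-15T10:05:01 10.0.0.9 GET http://ads.example.test/tag.js 200 application/javascript http://news.example.test/
2012-06-15T10:05:02 10.0.0.9 GET http://news.example.test/latest.pdf 200 application/pdf http://news.example.test/
"""


def parse_line(line):
    """Parse one space-separated proxy record (format assumed for this example)."""
    ts, client, method, url, status, ctype, referer = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype.split(";")[0].lower(),
        "referer": None if referer == "-" else referer,
    }


def site(url):
    """Registrable-domain approximation: last two host labels (no public suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def find_chains(log_text, window=WINDOW):
    """Return one record per client for each landing-page -> payload chain found."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        for i, landing in enumerate(recs):
            # Candidate landing page: a successful HTML response on a site
            # other than the one that referred the browser to it.
            if landing["ctype"] != "text/html" or landing["status"] != 200:
                continue
            if not landing["referer"] or site(landing["referer"]) == site(landing["url"]):
                continue
            for payload in recs[i + 1:]:
                if payload["time"] - landing["time"] > window:
                    break
                # Payload fetched as a consequence of the landing page.
                if (payload["ctype"] in PAYLOAD_TYPES
                        and payload["referer"]
                        and site(payload["referer"]) == site(landing["url"])):
                    chains.append({
                        "client": client,
                        "origin": site(landing["referer"]),
                        "landing": landing["url"],
                        "payload": payload["url"],
                        "seconds": (payload["time"] - landing["time"]).total_seconds(),
                    })
                    break
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOG):
        print(f"{chain['client']}: {chain['origin']} -> {chain['landing']} "
              f"-> {chain['payload']} ({chain['seconds']:.0f}s)")
```

On the constructed sample this flags the first client only: the second client downloads a PDF from the same site it was browsing, so no cross-site hop is seen. The `origin` field is the compromised site, which is what needs cleaning up after the infected client is handled. Third-party content such as ad iframes that hand the browser a Flash or PDF object will match the same heuristic, so in practice an allowlist of known content networks and a check against domain age or reputation are needed before treating a hit as an incident.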
