Incident Response, Malware, TDR, Vulnerability Management

BlackHole toolkit updated to target Microsoft XML flaw

The BlackHole exploit kit, a crimeware application that helps hackers take advantage of software vulnerabilities in order to install malware, has been updated again, this time with an exploit that targets an unpatched vulnerability in Microsoft XML Core Services.

The newly added malicious payload in BlackHole targets a recently disclosed zero-day flaw in the service, Sophos researchers said Friday. Assigned as CVE-2012-1889, the defect allows remote attackers to execute malicious code on a user's computer if they view a specially crafted page using Internet Explorer. In early June, Microsoft admitted the security flaw actively was being exploited in the wild.

It is currently unpatched, although Microsoft has released a Fix-It tool to help organizations mitigate the issue while waiting for the patch. Exploit code for the vulnerability has already been added to the Metasploit penetration testing framework, making it available to anyone.

"As soon as we see exploit kits targeting new vulnerabilities, we can expect to see a lot more users getting infected – especially if the vulnerabilities are zero-days," Fraser Howard, a principal virus researcher at Sophos, wrote Friday on the Naked Security blog. He said he expected to see a "significant portion, if not all," of BlackHole sites to use the new version within days, and was surprised that hasn't happened yet.

BlackHole is one of the more popular crimeware kits available online. Cyber criminals use it to compromise a legitimate site, usually one that is running an outdated version of some off-the-shelf content management system or e-commerce application. Visitors landing on the hacked site then are either redirected or hit with a drive-by download. The kit often takes advantage of vulnerabilities in Java, Adobe Reader or Flash, or Internet Explorer. WordPress blogs are also commonly targeted.

Drive-by download attacks are responsible for the majority of user infections nowadays, and exploit kits such as BlackHole are commonly used to construct these attacks, Howard said.

This is the second major update for BlackHole in recent weeks. As reported last week, the developers have added new functionality to the kit that would automatically redirect users from a compromised website to another actually serving up malware. Before the update, if the original site containing malware changed or was taken down, all the compromised sites needed to be manually modified to point to the new location. With the update, the redirect is automated.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.