In the last month, there has been a big spike in the volume of Carberp infections related to attacks from sites hosting Black Hole, mostly exploiting Java vulnerabilities.
Much of the jump in activity has occurred in Russia, and the attackers are targeting online payment systems primarily. The rise in Carberp infections isn’t limited to Russia. Attackers are using sites that have previously suffered an infection from Black Hole as launching points for drive-by download attacks against visitors and install Carberp after the exploit attempt succeeds.
“Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software,” said David Harley of antivirus software provider Eset. “In the last year Java has outpaced last year’s ‘leaders’ in exploitable application formats such as PDF and SWF (Adobe Flash file format), which are now more or less equal in second place. The vulnerabilities in Java are easier and more consistently exploitable than those in PDF and SWF. The code required for a working exploit is fairly small, and may be only a page in length. The exploited vulnerabilities aren’t really new: Some of them are more than a year old.”
The findings regarding Java vulnerabilities are in line with what researchers at Microsoft said. The company found Java exploits have far outpaced attacks against vulnerabilities in any other piece of software in the last year, and that many of the attacks on Java are targeting older patched vulnerabilities. Java is ubiquitous and users seem to be slow in updating it, which leaves attackers with a lot of potentially vulnerable targets.
Attackers using the Black Hole-Carberp combo are taking full advantage of that situation. Their infection method is fairly simple and familiar, with malicious code hosted on a legitimate Web site, which then redirects victims to sites that house the Black Hole kit. The kit then fires off exploits against the user’s browser, and, if successful, downloads and installs Carberp.
“Once the vulnerability has been successfully exploited the dropper is executed: In this case it is Carberp that is being dropped. To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it,” Harley said.