Blackhole Drive-by Malware of Choice

Friday, October 5, 2012 @ 04:10 PM gHale

Malware created using the Blackhole toolkit is on nearly one third of all malicious web links, new research found.

That means drive-by downloads are becoming the cyber crooks' attack of choice, according to a team of researchers at Google, the International Computer Science Institute and U.S. universities.


The team studied more than 77,000 malicious URLs identified using Google’s Safe Browsing – a tool Google uses to identify sites carrying malicious payloads.

They then attempted to analyze the code hosted on these sites, examining both the malware being distributed and the tools used to create it.

Nearly half of all web pages serving exploits used two toolkits: Blackhole and Incognito. As it turned out, the researchers found Blackhole created 29 percent of served exploits.

“Driveby downloads — webpages that attempt to exploit a victim’s browser or plugins (e.g. Flash, Java) — have emerged as one of the dominant vectors for infecting hosts with malware,” said Kurt Thomas, a researcher at the University of California, Berkeley who was involved in the study. “This revolution in the underground ecosystem has been fueled by the exploit-as-a-service marketplace, where exploit kits such as Blackhole and Incognito provide easily configurable tools that handle all of the ‘dirty work’ of exploiting a victim’s browser in return for a fee.”

But while crooks have converged on a small number of exploit creation kits, the types of malware distributed vary enormously. The researchers found over 32 families of malware, ranging from droppers and fake anti-virus software to information stealers and browser hijackers.

One interesting aspect is that the drive-by websites are typically only operational for an average of 2.5 hours, the researchers said.

While the short lifespan is notable, even in those 2.5 hours the bad guys are able to infect thousands of users.

While most in the industry are aware of the dangers of drive-by downloads, the researchers warned that the proliferation of malware toolkits such as Blackhole is helping these attacks grow.

“The means by which a host initially falls under an attacker’s control are now independent of the means by which another attacker abuses the host in order to realize a profit, such as sending spam, information theft, or fake anti-virus,” Thomas said.

