News Stay informed about the latest enterprise technology news and product updates.

Black Hole kit fuels drive-by attacks, rogue antivirus declines, Sophos finds

The Black Hole crimeware kit has caused drive-by attacks to surge, according to the Sophos 2012 threat report.

Researchers at Sophos are seeing an increase in drive-by attacks, while fake antivirus software has been declining in the last 6 months.

The attacks we see against organizations are more targeted attacks where criminals are looking to steal specific data or more valuable data than you could get from someone at home. You get significantly more information

 Richard Wang, Sophos analyst

Rogue antivirus software, a common and convincing form of malware that sells itself to users as protection against viruses while dumping malicious code onto their PCs, now makes up only 3% of how Web-based threads are spreading. Meanwhile, drive-by downloads, driven by the Black Hole exploit kit, are now far more prominent, according to the Sophos 2012 security threat report, “Seeing the Threats Through the Hype,” which is being released Wednesday.

“Cypercriminals can purchase the [crimeware] kits to attack websites and the people who visit those sites,” said Sophos analyst Richard Wang. “We looked at some of the data that was coming back from the field and about 67% of the attacks were Web redirections controlled by attackers. Thirty-one percent of those were related to the Black Hole exploit kit.”

Black Hole was sold for up to $1,500, according to security vendor Zscaler Inc., but following the release of the Zeus source code the kit was made freely available.  Crimeware kits enable someone with no experience in writing malicious code to distribute malware by infecting a vulnerable website.  The malicious code, often Javascript, runs in the background of a browser. The attack occurs when the user visits an infected site and is redirected to a malicious page hosting components of the kit. The kit scans the user’s browser and any attachments or plug-ins he/she might have installed that are not updated with the most recent patches, and exploits them.

The most commonly exploited plug-ins continue to be Adobe Flash Player and PDF Reader and Java plug-ins, mostly because they are the most commonly available, Wang said.

Wang said crimeware kits are hard to detect and dangerous because they are easy for cybercriminals to update as software patches are issued and new vulnerabilities are revealed.

Users running third-party applications are particularly at risk, said Wang, because their updates are not issued as regularly as Microsoft’s Patch Tuesday, and users may not automatically receive notification of updates that are made available.

Wang suggested the best way to be protected against this type of attack is to run the newest version of every application and plug-in. “There is also security software that does content inspection on the websites you visit for redirections or Black Hole attacks and blocks them before the attack can happen,” he added.

It never hurts to add an extra layer of protection, especially for corporations. It may be enough for an independent user to regularly run and update legitimate antivirus software, but companies with more valuable data should take extra precautions.

“The attacks we see against organizations are more targeted attacks where criminals are looking to steal specific data or more valuable data than you could get from someone at home. You get significantly more information,” Wang said.

Businesses can run programs that analyze patterns in the use of their systems and notify IT professionals if anything seems unusual. They are then charged with investigating the irregularity, which could be due to the addition of new software on the part of the company or as the result of malware intrusion.

Hactivism threat rises
Specific industries have lately been the target of many Web-based attacks by hacktivist groups like Anonymous.

“In terms of hacktivism, it is usually the government or the media companies that suffer the most because they are either the most public or most associated with things that the hacktivists don’t like,” Wang said. Some recent targets include HBGary, the U.S. Department of Justice, FBI and Universal Studios Entertainment, which were hacked this week in retaliation of the shut-down of by the U.S. government.

“The variety of targets seems to show that almost any institution could be at risk, although only a tiny minority are affected by hacktivist attacks,” according to the report.

“…Hacktivism doesn’t mean that companies outside of government or media aren’t at risk. Other attacks are about financial gain,” Wang said. Major financial institutions and banks are often targeted in order to obtain customer account and login information, which is sent to a remote server from a PC or mobile device.

According to Wang, Sony was the poster child for hacktivism in 2011. “They’re the ones that nobody wants to be when they get hacked,” he said. The attack brought down online PlayStation systems, which remained offline for weeks while the attack was investigated, effectively acting as a denial-of-service attack.

Conficker infections continue
Modern hacking techniques—Black Hole, man-in-the-browser, denial-of-service attacks and the like—are not the only techniques being used by cybercriminals today. Malware as old as the Conficker worm is still prominent.

“More than three years after its initial release, the Conficker worm is still the most commonly encountered piece of malicious software, representing 14.8% of all infection attempts seen by Sophos customers in the last six months,” Sophos reported.  And it’s not going away, either.

“Any up-to-date antivirus software should be able to get rid of [Conficker],” Wang said. Some PCs are still infected due to “people with no or outdated antivirus, or people who ignore it.”

Most reports of the worm come from PCs that are well protected against it, and are simply reporting failed attempts at infections. So while still out there, Conficker has become less effective.

A task force, the Conficker Working Group was set up in 2009 to combat Conficker and has gained the upper hand. According to Wang, Conficker mostly populates computers that have outdated antivirus software and runs undetected in the background. The danger is that if left undetected, malware could interfere with other software on a PC, even if it isn’t communicating information to a remote server.

“Looking forward to the next year or so, one of the biggest security challenges we’re going to see in the next 12 months is taking the protections we have and making sure we don’t ignore those systems as we move to the mobile platforms and the cloud,” Wang said.

He warns that attackers will first employ the means they know to be useful on PCs when attacking mobile devices and cloud-based systems.

“Cybercriminals will continue to stalk the easiest prey—those who don’t follow the simple security measures we should have learned by now.”

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.