Last week’s Java zero-day vulnerability has been exploited by many exploit kits in the wild, including the familiar Blackhole Exploit Kit.
In this blog entry, we thought we would describe some of the outbreaks related to this attack we’ve seen in the past week or so. Our automated processes that are a part of the Trend MicroT Smart Protection NetworkT started detecting and blocking these attacks as soon as they were spotted in the wild.
A number of methods have been used to direct Internet users to the landing pages hosting these attacks, including:
- Spam runs
- Compromised sites
- Redirection from pornographic websites
- Malvertising
The usage of multiple ways to direct users to malicious sites definitely increase the chances of users stumbling into them, thus increasing the risk. In terms of the spam runs, we also saw several types of lures used:
- Fake LinkedIn messages
- Fake antivirus notifications
- Faxes purporting to come from eFax
- Fake Western Union money transfers
The spammed messages contained links that would redirect users to compromised websites – which would then redirect to malicious landing pages. Landing pages are meant for two purposes: to scan the systems for any vulnerabilities, and to redirect to a corresponding exploit once a vulnerability is found.
Looking at just one of the attacks using this new Java exploit, we were able to identify more than 300 malicious domains hosting landing pages, which were hosted on more than 100 servers.
Almost half of the domains seen were hosted on the most well-recognized top-level domains: .com, .org and .net.
Trend Micro Deep Security users are also recommended to apply the rule 1005178 – Java Applet Remote Code Execution Vulnerability – 2 to protect from threats seen exploiting this Java vulnerability.
Leave a reply
