Blackhole exploits lead a black month for malware

In October, GFI Software threat researchers uncovered a large number of Blackhole exploits disguised as Windows licenses (just prior to the release of Windows 8), Facebook account verification emails, Skype voicemail notifications, and spam messages.

“The Blackhole exploit kit is one of the biggest dangers that internet users face because it is the chameleon of internet threats. It simplifies the process of creating cybercrime campaigns and is easily adapted to take advantage of the buzz surrounding major news events and popular brands,” said Christopher Boyd, senior threat researcher at GFI Software.

“Luckily, these attacks are relatively easy to avoid by incorporating basic internet safety practices into daily browsing. Users should verify the source and destination of any link before clicking and they should never run executable files unless they are positive that the source is legitimate,” Boyd added.

Blackhole exploits require victims to open links to compromised websites hosting a file that must be downloaded and executed in order to complete the attack. This file contains JavaScript that scans for unpatched software and other vulnerabilities before deploying the appropriate exploits and infecting the machine.

The compromised links can be customised to target customers of specific companies, members of various social networking sites, or general internet users seeking information on popular news stories and events. Patching software can be automated on home PCs with VIPRE AV’s Easy Update technology, for example.

Just days before the release of Windows 8, some users encountered spam emails offering a free “Microsoft Windows License.” Users who clicked the malicious link and downloaded the accompanying file were hit with a Blackhole exploit and infected with a Cridex Trojan.

Another spam email campaign targeted Facebook users with a message claiming that their account was locked and needed to be re-verified. The links led to Blackhole exploits and a Zeus Trojan disguised as an Adobe Flash Player download.

Skype users were also targeted by multiple campaigns last month. Some received spam emails containing phony voicemail notifications. Users who clicked on the Blackhole links were infected with a Zeus Trojan. Other users were confronted with spam messages from their Skype contacts containing generic questions about their profile picture and a link to a Trojan which infected their systems, deleted itself and began making DNS requests to various malicious URLs.

While many of these sites were quickly taken down, the spam campaign began hijacking victims’ PCs for click fraud and directing them to ransomware messages, demanding payment of fines for illegal file sharing.

