New Java 0-day is the BlackHole King


BlackHole is the most popular exploit kit used by cybercriminals today. According to our research, over 85 percent of the infected servers which are using exploit kits are serving exploits by BlackHole.

Recently, a new 0-day vulnerability in Java was discovered in the wild by FireEye. It didn’t take more than a day for the BlackHole malware author to add this exploit to the BlackHole arsenal.

The author was in such a hurry that, according to the vendor F-Secure, he kept some of the functionality and variable names from the original code.

Including an unpatched 0-day vulnerability in an exploit kit is the worst nightmare for any IT security manager, especially if it is the most popular exploit kit. Therefore, it wasn’t a surprise for us to discover an increase in the number of infections due to the new BlackHole version, which now includes the new Java 0-day (CVE-2012-4681).

Usually, a good exploit kit like BlackHole has a success rate of around 10 percent for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25 percent success rate! (see Figure 1 and Figure 2)

Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99 percent successful (see Figure 3).
We were able to count tens of thousands of new infected machines due to the Java 0-day, since the exploit was added to the BlackHole exploit kit.

Figure 1: BlackHole exploit kit statistics with 21% success rate. ~99% are Java!

Figure 2: BlackHole exploit kit statistics with 24% success rate.

Figure 3: Statistics from BlackHole exploit kits in which over 75% of successful exploits are Java.

We recommend disabling the Java plug-in in all installed browsers until a vendor patch is available. Brian Krebs provides a good explanation of how to do so.

[UPDATE 30-Aug-2012]: Oracle has just released an update for Java (7.0 update 7) which should fix this 0-day vulnerability. You can download it from here. An advisory from Oracle can be found here.
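Once the fix is out, the practical question for an administrator is which machines are still running a Java 7 build older than Update 7. The following is an added example, not part of the original post or of Seculert's tooling: it parses the output of `java -version` (legacy `1.7.0_06` style version strings, constructed samples embedded inline) and flags Java 7 installs below the update level named in the post. It deliberately judges only the Java 7 family, because that is the only release the post's update names as patched; anything else is reported as out of scope rather than guessed at.

```python
import re
import subprocess

# Patched release named in the post's update: Java 7 Update 7.
PATCHED_JAVA7_UPDATE = 7

# Constructed sample outputs in the shape `java -version` printed at the time
# (the version line goes to stderr). These are illustrative, not captured data.
SAMPLE_VULNERABLE = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
SAMPLE_PATCHED = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
SAMPLE_JAVA6 = 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n'

_VERSION_RE = re.compile(r'version\s+"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(version_output):
    """Return (family, update) from `java -version` text, or None if unparseable.

    Legacy strings look like 1.7.0_06: the family is the second field (7) and
    the update is the part after the underscore (6). Newer strings such as
    9.0.4 put the family first; the update component is then treated as 0.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    first, second, _third, update = m.groups()
    family = int(second) if int(first) == 1 else int(first)
    return family, int(update) if update else 0


def is_unpatched_java7(version_output):
    """True if this is Java 7 below Update 7, False if Java 7 at or above it
    or another family (out of scope for this check), None if unparseable."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None
    family, update = parsed
    if family != 7:
        return False  # assumption: only the Java 7 family is judged here
    return update < PATCHED_JAVA7_UPDATE


def check_local_java():
    """Run the installed `java -version` and classify it; None if no java found."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # Older JVMs print the version banner on stderr, newer ones may use stdout.
    return is_unpatched_java7(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE),
                          ("patched", SAMPLE_PATCHED),
                          ("java6", SAMPLE_JAVA6)):
        print(label, parse_java_version(sample), is_unpatched_java7(sample))
    print("local install unpatched Java 7:", check_local_java())
```

The regex anchors on the literal `version "` prefix so that build identifiers later in the banner (such as `-b24`) are not mistaken for the version. Feeding the function the banner collected from each host by your inventory tooling gives a quick list of machines still exposed once Update 7 is available.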



2 thoughts on “New Java 0-day is the BlackHole King”

  1. Anonymous

    Why don’t the statistics mention anything about the new Java exploit? They still say ‘Java Array’ which is the old CVE-2012-0507. Or did they just forget to change the name in the panel?

  2. Anonymous

    Do you have any information about how the malware got on the servers? That would be more useful to stopping it than user actions.
