Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2013
    S M T W T F S
    « Feb   Apr »
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for March 1st, 2013




    In our 2013 Security Predictions, we predicted that conventional malware will focus mainly on refining tools instead of creating new threats. A perfect example of this prediction is how Blackhole Exploit Kit continuously attempts to circumvent the efforts done by the security industry. True enough, we recently received reports of a Blackhole Exploit Kit (BHEK) run that incorporated an exploit (detected by Trend Micro as JAVA_ARCAL.A) targeting the recently patched CVE-2013-0431.

    If users can still recall, this vulnerability is part of the Java zero-day ruckus last January. This slew of critical incidents led Oracle to release an out-of-band security update to quickly address the issue. However, this release raised some crucial questions.

    This particular BHEK run starts with spammed messages spoofing PayPal. When users click the item number indicated in these messages, they are led to several redirecting sites until they arrive at the page hosting the encrypted BHEK code. This code then checks the vulnerable system for versions of Adobe Reader, Flash Player, and Java. This determines which exploit (and subsequent payload) are downloaded onto the system.

    Spam-sample-BHEK-fakepaypal

    Figure 1. Sample spoofed PayPal email message

    In the testing we did, the BHEK code found certain versions of Adobe Reader, which prompted it to download and execute a malicious .PDF file (detected as TROJ_PIDIEF.MEX), which exploits an old vulnerability in CVE-2010-0188.

    Read the rest of this entry »

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice