Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Lately, we have been seeing a renewed increase in the volume of spam attacks that utilize an exploit kit, specifically the BlackHole Exploit Kit to trigger a malicious payload. We have seen this in the latest slew of Automated Clearing House (ACH) spam attacks and the more recent spam run related to Steve Jobs’s death.

    In this post, we will reorient readers on the infection chain of such an attack to help them understand why basic mitigation practices are still effective and can help them protect themselves from today’s threats.

    In a typical spam campaign that involves malware, cybercriminals lure users through social engineering to perform several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.

    Spam campaigns that use exploit kits, however, are a bit more dangerous since these only need to lure the users into clicking a malicious link for the rest of the infection to take place.

    Below is an example of this type of spam supposedly from the National Automated Clearing House Association (NACHA). NACHA manages the ACH network, which facilitates bulk payment transactions involving businesses, governments, and consumers. Users who are more likely to receive email from NACHA conduct transactions related to payroll, government benefits, tax refunds, and others.

    Click for larger view

    In the spam screenshot above, we can see that the link points to a dubious-looking domain that is not related to NACHA. A blank page is displayed when users click the link. This blank page is actually a gateway page that contains the following obfuscated JavaScript:

    Click for larger view

    When decrypted, we can see that the script attempts to embed an iframe pointing to another malicious site, which uses the BlackHole Exploit Kit:

    Click for larger view

    Once the iframe is loaded, content is also loaded from the BlackHole Exploit Kit site, which again contains a highly obfuscated script. Upon decoding the code, we can now see the actual code that searches for vulnerable software and uses the appropriate exploits.

    The BlackHole Exploit Kit exploits vulnerabilities both in third-party applications like Adobe Acrobat and Flash Player and Java as well as in Windows components like Microsoft Data Access Components (MDAC) and Help and Support Center (HCP).

    Click for larger viewSuccessful exploitation executes a shellcode that triggers the download and execution of malware. We observed that these attacks have been used to spread ZeuS variants although these may also be used to spread other malware.

    Multilayer Mitigation

    As a reminder to users, here are some ways to prevent this kind of threat from affecting their systems:

    • Be aware of social engineering attacks. The majority of online attacks today utilize social engineering before the malware can exhibit technical infection payloads. By being wary of what you do online, infections can already be mitigated from the onset. Simple common sense like not entertaining unsolicited email can go a long way in keeping your personal information safe online.
    • Always check for malicious links. Check what URLs point to. It is also a good practice to copy and paste a URL onto your browser’s address bar instead of directly clicking links.
    • Consider disabling JavaScript in your browser. As mentioned earlier, the gateway and the BlackHole Exploit Kit pages both used JavaScript. The same is true for a lot of threats today that use browsers to execute malicious payloads. As such, it is a good idea to consider disabling JavaScript in your browser and only allow it to do so in your trusted sites, if necessary.
    • Always remember to patch. The BlackHole Exploit Kit utilizes exploits that affect old, unpatched versions of software. The persistence of such tools means that old exploits are still able to infect many users. No matter how inconvenient it may be, regularly patching your software is still an important mitigation step.

    The state of the threat landscape and the overwhelming reliance of the general public on the Internet demand that users should stay aware of the kinds of threats found online as well as of ways to protect themselves by following advice. Knowing how attacks such as these work, users can gain advantage over attackers and be able to stop threats before these even reach their systems. A little self-education can ultimately make the Internet a better and safer place to be in.

    More information on how cybercriminals utilize spam in malicious schemes can be found in our recently released security focus report, “Spam in Today’s Business World.”

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice