TrendLabs Malware Blog

    In our 2013 security predictions, Trend Micro Chief Technology Officer Raimund Genes predicted that we would see new toolkits this year. A recent post on the Malware don’t need coffee blog covered a newly emerging exploit kit dubbed the Whitehole Exploit Kit. The name Whitehole is simply an arbitrary label chosen to distinguish it from the Blackhole Exploit Kit (BHEK). Whitehole reuses code from BHEK, but the two differ in one visible respect: BHEK wraps its use of plugindetect.js (the script that fingerprints the visitor’s browser plugins and their versions) in obfuscating JavaScript, whereas Whitehole calls it directly, in the clear, with no obfuscation at all.
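The difference described above (PluginDetect called in the clear versus hidden behind obfuscation) is something a landing-page scanner can look for. The following is an added example, not code from the original post or from Trend Micro: a small Python heuristic that flags direct references to the public PluginDetect library (its `PluginDetect.getVersion(...)` API) and, separately, counts obfuscation constructs typical of a hidden loader. The three sample pages, the host name `example.invalid` and the escaped payload strings are constructed for illustration and are not real kit landing pages.

```python
"""
Added example (not Trend Micro's code): heuristic scan of landing-page
script for PluginDetect usage. It reports whether PluginDetect is referenced
in the clear (the Whitehole behaviour described in the post) or whether the
page shows signs of the JavaScript obfuscation BHEK uses to hide the same
call. All sample pages below are constructed for illustration.
"""
import re

# Names exposed by the public PluginDetect library. A direct reference in a
# landing page means the kit is not hiding its plugin fingerprinting.
PLUGINDETECT_PATTERNS = [
    re.compile(r"\bPluginDetect\b"),
    re.compile(r"\bplugindetect(?:_all)?\.js\b", re.IGNORECASE),
    re.compile(r"\.getVersion\(\s*['\"](?:Java|Flash|AdobeReader|Silverlight)['\"]"),
]

# Constructs that show up far more often in obfuscated loaders than in
# ordinary page scripts. Counting them gives a crude obfuscation score.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long runs of hex escapes
    re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),     # long runs of URL escapes
]


def score_landing_page(script: str) -> dict:
    """Return the PluginDetect indicators seen in the clear, a count of
    obfuscation constructs, and a verdict string. The threshold of 3 is an
    arbitrary choice for this example, not a tuned value."""
    direct_hits = [p.pattern for p in PLUGINDETECT_PATTERNS if p.search(script)]
    obf_count = sum(len(p.findall(script)) for p in OBFUSCATION_PATTERNS)
    if direct_hits:
        verdict = "plugindetect-direct"
    elif obf_count >= 3:
        verdict = "obfuscated-loader"
    else:
        verdict = "no-indicator"
    return {"direct": direct_hits, "obfuscation_count": obf_count, "verdict": verdict}


# Constructed sample 1: PluginDetect used in the clear, as the post says
# Whitehole does. The script URL and host are invented.
DIRECT_SAMPLE = """
<script src="http://example.invalid/plugindetect.js"></script>
<script>
var jv = PluginDetect.getVersion("Java");
if (jv) { document.location = "/jar?v=" + jv; }
</script>
"""

# Constructed sample 2: the same fingerprinting buried under the kind of
# JavaScript obfuscation the post attributes to BHEK. The escaped strings
# are made up; they only need to look like escaped blobs to the heuristics.
OBFUSCATED_SAMPLE = """
<script>
var q = "\\x50\\x6c\\x75\\x67\\x69\\x6e\\x44\\x65\\x74\\x65\\x63\\x74";
var w = unescape("%50%6c%75%67%69%6e%44%65%74%65%63%74");
var z = String.fromCharCode(103,101,116,86,101,114,115,105,111,110);
eval(String.fromCharCode(100,111,99,117,109,101,110,116) + ".write(q)");
</script>
"""

# Constructed sample 3: a benign page with neither indicator.
BENIGN_SAMPLE = "<script>document.getElementById('x').innerText = 'hi';</script>"

if __name__ == "__main__":
    for name, page in [("direct", DIRECT_SAMPLE),
                       ("obfuscated", OBFUSCATED_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(name, score_landing_page(page))
```

The two verdicts are deliberately kept apart: a page that names PluginDetect openly is easy to match on strings, while an obfuscated loader can only be caught by its packing style, so a detection that keys solely on the library name would see Whitehole and miss BHEK.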

    We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:

    Worth noting among them is CVE-2013-0422, the Java vulnerability exploited in the zero-day incident that distributed REVETON variants and subsequently incorporated into toolkits such as the Blackhole Exploit Kit and the Cool Exploit Kit. Because of its serious security implications, Oracle quickly addressed the issue and released a software update, although that update was received with some skepticism.

    The files it downloads are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW. ZACCESS/SIRIFEF variants are a known bootkit family that downloads other malware and pushes fake applications. This particular ZACCESS variant connects to certain websites to send and receive information, terminates certain processes, and downloads additional malicious files onto already infected systems.

    The ransomware component, for its part, behaves as ransomware typically does: it locks the system until the user pays a sum of money through specific payment methods. Senior threat researcher David Sancho describes in detail how quickly this threat is evolving in his paper, Police Ransomware Update.

    Whitehole Exploit Kit is purportedly still under development and runs in “test-release” mode. Even so, the people behind it are already selling it, at prices ranging from USD 200 to USD 1,800. Other advertised features of this new toolkit include evading antimalware detection, preventing Google Safe Browsing from blocking it, and loading up to 20 files at once.

    Given Whitehole’s current state, we may see further noteworthy changes to the kit in the coming months, and we are continuously monitoring this threat for developments.

    Trend Micro protects users from this threat via its Smart Protection Network™, which detects the Java files as well as the downloaded files and blocks all known related URLs. Trend Micro’s Deep Security DPI rule 1004711 – Identified Malicious Java JAR Files also guards systems against the vulnerabilities exploited in this incident. For individual users, Trend Micro Titanium Internet Security provides protection from attacks using the vulnerabilities cited here.

    Users are advised to keep their systems current with the latest software updates provided by vendors and to avoid opening suspicious-looking emails containing links.

    With additional analysis from threat response engineer Michael Cabel.









    Comment from Ben Rachinger (http://twitter.com/Flock_2):

      Thanks for the update.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved.