Last week’s Java zero-day vulnerability has been exploited by many exploit kits in the wild, including the familiar Blackhole Exploit Kit.
In this blog entry, we thought we would describe some of the outbreaks related to this attack we’ve seen in the past week or so. Our automated processes that are a part of the Trend Micro™ Smart Protection Network™ started detecting and blocking these attacks as soon as they were spotted in the wild.
A number of methods have been used to direct Internet users to the landing pages hosting these attacks, including:
Using multiple ways to direct users to malicious sites definitely increases the chances of users stumbling into them, thus increasing the risk. In terms of the spam runs, we also saw several types of lures used:
- Fake LinkedIn messages
- Fake antivirus notifications
- Faxes purporting to come from eFax
- Fake Western Union money transfers
The spammed messages contained links that would redirect users to compromised websites – which would then redirect to malicious landing pages. Landing pages are meant for two purposes: to scan the systems for any vulnerabilities, and to redirect to a corresponding exploit once a vulnerability is found.
Looking at just one of the attacks using this new Java exploit, we were able to identify more than 300 malicious domains hosting landing pages, which were hosted on more than 100 servers.
Almost half of the domains seen were hosted on the most well-recognized top-level domains: .com, .org and .net.
Another finding is that almost half of the sites were hosted in the United States, with Russia hosting more than a fourth.
It seems that most of the victims were also situated where the sites were hosted, as two-thirds of the victims we found were from the United States, with European countries making up the bulk of the remaining third.
Trend Micro users are already protected from this through the Smart Protection Network. Furthermore, we advise users to consider whether Java is necessary on their systems; if it is not, we recommend uninstalling it as it can pose a serious security risk. If it is needed, it must be kept up to date with the latest versions that are downloadable from Oracle.
Trend Micro Deep Security users are also advised to apply the rule 1005178 – Java Applet Remote Code Execution Vulnerability – 2 to protect against threats seen exploiting this Java vulnerability.