Feb 17, 2011 07:20 GMT

Researchers from cloud security provider Zscaler warn of an increase in the number of drive-by download attacks executed with the help of the Blackhole exploit toolkit.

Blackhole is a Russian Web attack kit similar to the more popular Eleonore or Phoenix kits. It features several different exploits that target Java, Adobe Reader and Windows vulnerabilities.

One of the author's selling points is the heavy obfuscation, which makes the exploits hard to detect for antivirus programs.

"Exploits crypt on special algorithms that make it impossible to code analysis and detection of anti-virus as well as services, Tipo wepawet and other counterparts," a line in the kit's description reads.

Its price is anything but cheap. A one-year license costs $1,500, a half-year license $700, while a three-month license will set a cybercriminal back $700.

These prices suggest that the return on investment for drive-by downloads is pretty high, otherwise paying so much for a single component of the attack would not be justified.

According to Zscaler researchers, a Google search for the URL pattern created by this kit on abused domains returns thousands of results.

A malicious .jar applet used by the Blackhole kit to exploit a 2009 Java vulnerability has a low detection rate on VirusTotal at the moment, and so does the infected executable it drops.

Other vulnerabilities exploited by this version are the 2010 Windows Help Center flaw and a Windows Media Player one targeted through malformed ASX files.

"We are [...] seeing a large number of malicious domains hosting Blackhole exploits kit. [...] Even though the price of this exploit kit is high, it remains a sought after commodity," Zscaler security researcher Umesh Wanve says.

Drive-by download attacks are one of the primary vectors of malware infection on the Internet. Thousands of legitimate Web pages are compromised every day and have malicious code injected into them.

Users can protect themselves by having an up-to-date antivirus program installed, which is capable of monitoring and blocking Web traffic.