Cyber-Criminals Craft Malware Kits to Zero In on Java Flaws

The Blackhole exploit kit, a framework that helps attackers infect victims' computers, adds another way to compromise systems through weaknesses in Java.

By: Robert Lemos

The underground developers behind the Blackhole exploit kit updated the framework the week of July 9 with a module that can easily compromise computer systems using a month-old flaw in Java.

Because most PC users and companies can take months to update third-party software, the exploit will like remain effective for some time to come, security software firm Websense stated in a blog post published on July 16.

It's the latest demonstration of online attackers' fondness for exploiting security holes in Java. Exploit kits, such as Blackhole, are used by cyber-criminals to automate the creation of programs to infect victims' computer systems, and targeting flaws in Java has become a reliable method of infection. Since 2010, exploit kits have added almost a dozen Java vulnerabilities to their list of flaws targeted for exploitation, according to security software firm Websense.

"It has become the No. 1 vector of attack for exploit kits," said Chris Astacio, manager of security research for Websense. "Most of the time Java just sits on a computer-people don't remember using it, or when or where they used it, or even for what, so half the time, it doesn't even update."

Several characteristics of the Java software platform have made it a favorite of attackers. Java is popular and runs on a large number of operating systems, giving attackers a potentially large base of victims. Moreover, the software update mechanism is not automatic by default and frequently leaves older-and vulnerable-versions on many systems.

Updates can be so confusing that exploits for known Java vulnerabilities have regularly had a greater than 70 percent chance of success, according to Jason Jones, lead of the advanced security intelligence team at Hewlett-Packard's DVLabs.

"That's a crazy success rate," he said. "Especially since other exploits have had a [less than 15 percent] success rate."

Many security experts, including Websense, recommend that users disable the Java browser plug-in to protect against Internet attacks that use the plug-in to compromise vulnerable systems.

The latest exploit built into the Blackhole kit may be based on a description written by security researcher Michael Schierl, who coded his own proof-of-concept in about an hour, according to a description of the effort. The program ended up being quite compact, about 50 lines of code.

"The resulting exploit is quite short ... and I am sure you can make it shorter if you really try," he stated. "However, I don't want to make it too easy for criminals to leverage this vulnerability just by copying and pasting; therefore I won't publish my exploit code in the near future."

Oracle patched the vulnerability in mid-June.

The latest Java exploit will likely get picked up by other toolkits, such as Phoenix, quite quickly, said Websense's Astacio. The authors of the frameworks tend to borrow each other's latest techniques, he said. More than five years ago, most attacks focused on vulnerabilities in Microsoft Office and then moved to Adobe's Acrobat program. Only in the last few years have the attackers really focused on Java.

"Java was not heavily used for exploit kits two or three years ago, but they tend to trickle into one kit and then they spread to others," he said.