Black Hat: Web Exploit Toolkits Prey On Lazy Users
The success of the Blackhole exploit toolkit is due to the failure of most users to stay current on security patches, HP researchers say.
LAS VEGAS. Contrary to the myth of the elite "super hacker," today's malware and phishing attacks are more likely to be the product of a web exploit toolkit -- essentially a packaged application that provides point-and-click malware creation and vulnerability exploitation, no genius required.
Jason Jones, Advanced Security Intelligence Lead at HP's DVLabs, has been researching these toolkits and presented his findings at the Black Hat conference this week. In an interview with eSecurity Planet, Jones explained that the Blackhole toolkit has become increasingly popular in the last year.
According to Jones, Blackhole has been at the root of numerous high-profile breaches over the course of the past year. Blackhole's successful exploitation ratio started to climb in late 2011 from a range of 12 to 14 percent all the way up to 80 percent. The most reliable Blackhole attacks have been Java-related exploits. Java is among the most attacked technologies on the web today for one simple reason: many users simply do not update to the latest version of Java when available.
Users not updating software are in fact the root cause for Blackhole's success on the whole, Jones said. He noted that all the vulnerabilities included in Blackhole today are known and patched in some way. The Blackhole developers simply found proof-of-concept code for known vulnerabilities and then weaponized it.
While Blackhole is a known technology, actually detecting its usage and parsing its code is not a trivial affair. Jones said that the developers have done a good job of obfuscating their code to make it harder to decode and detect. There are multiple techniques that the Blackhole code developers use to obfuscate their internals, including the use of commercial development tools. Jones explained that Blackhole is written mostly in the open source PHP language. The Blackhole developers are making use of commercial PHP encoding tools to conceal the code's origin and purpose.
From a defensive standpoint, Jones said that security devices can detect Blackhole obfuscation efforts in some cases. HP's TippingPoint division sells IPS network security devices as well as the DigitalVaccine program that provides vulnerability data for the IPS. The challenge is that HP would have to know what the obfuscation method is in the first place, before they can actually detect it.
"For an inline solution like the one we have, de-obfuscation on the fly is not a feasible solution," Jones said. "So we have to be actively looking and making sure that we know what obfuscations are out here to make sure that we can detect it."