New Whitehole exploit toolkit emerges on the underground market
For now the toolkit only targets Java vulnerabilities, researchers say
IDG News Service - A new exploit kit called Whitehole has emerged on the underground market, providing cybercriminals with one more tool to infect computers with malware over the Web, security researchers from antivirus vendor Trend Micro reported Wednesday.
Exploit kits are malicious Web-based applications designed to install malware on computers by exploiting vulnerabilities in outdated browser plug-ins like Java, Adobe Reader or Flash Player.
Attacks that use such toolkits are called drive-by downloads and they don't require any user interaction, making them one of the most efficient ways to distribute malware. Users generally get redirected to drive-by download attack pages when visiting compromised websites.
Whitehole uses similar code to Blackhole, one of the most popular exploit toolkits used today, but does have some particular differences, the Trend Micro security researchers said in a blog post.
For one, Whitehole only contains exploits for known Java vulnerabilities, namely: CVE-2011-3544, CVE-2012-1723, CVE-2012-4681, CVE-2012-5076 and CVE-2013-0422.
The most recent of these vulnerabilities, CVE-2013-0422, was patched by Oracle in Java 7 Update 11, which was released as an emergency update on Jan. 13 in response to drive-by download attacks that were already exploiting the flaw. The first CVE-2013-0422 exploit was found in Cool Exploit Kit, a high-end version of Blackhole, but the exploit was later added to Blackhole as well.
Other notable Whitehole features include the ability to evade antivirus detection, prevent Google Safe Browsing from detecting and blocking it, and load up to 20 malicious files at once, the Trend Micro researcher said.
Whitehole is still under development and currently operates as a test release. However, its creators are already renting its usage to other criminals for prices between $200 and $1,800, depending on their traffic volume.
According to the Trend Micro researchers, Whitehole is being used to distribute a variant of a rootkit called ZeroAccess (or Sirefef) whose purpose is to install additional malware.
"Given Whiteholes current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments," the researchers said.
Security experts are regularly advising users to keep their software and browser plug-ins up to date in order to protect their computers from drive-by download attacks. However, in some cases, attackers use exploits for vulnerabilities that haven't been patched -- zero-day exploits. To prevent such attacks, it's better to completely disable browser plug-ins that are not frequently used and to enable click-to-play for plug-in based content in browsers that support the feature like Mozilla Firefox, Google Chrome and Opera.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts