Blackhole kit gets a new Java exploit

Brian Krebs had been looking at an exploit sent to him. It led him to the Java vulnerability classified as CVE-2012-1723. Researchers do this all the time. Krebs, however, went further and contacted the Blackhole author via instant messaging, who told him that “the new Java attack will be rolled into a software update to be made available on July 8 to all paying and licensed users of Blackhole.”

Krebs also submitted the exploit to VirusTotal and found that only one AV product, Avira, flagged it as malicious. (This is not as bad as it may seem. A low VirusTotal score only means that the vendors' signature databases had not yet been updated for this particular file; it says nothing about whether a product would block the exploit at the URL, exploit-kit or behavioural layer, which is where a Java exploit delivered by a kit is usually caught. VirusTotal also shares submitted samples with participating vendors, so static signatures tend to follow once a sample has been shared. The caveat cuts the other way too: a signature for this sample will not necessarily match the next one, since kit authors re-obfuscate their Java payloads regularly.)

The questions now are whether Blackhole has actually been updated and how dangerous it is likely to prove. Graham Cluley of Sophos told Infosecurity that “Blackhole is responsible for some 25% of all web-borne attacks that are seen by SophosLabs and our focus is on detecting Blackhole before the exploited files run.” He added that “We have seen some samples of the malware mentioned (which we detect as Troj/JavaDl-MU).”

Luis Corrons, technical director at PandaLabs, confirmed the same. “Yes, we have seen Blackhole activity using this new Java exploit. This is kind of common,” he said, adding, “What is not common is that Brian could publish it in advance, so kudos to him.”

Corrons is joining the personal exodus from Java. “As I am writing this,” he emailed Infosecurity, “I am uninstalling Java from my computer. Users with Windows 8 don’t have to do it; as far as I remember, it doesn’t come with Java in it. Next one to be removed: Flash. Now with HTML5 you can surf almost any web without using any of those.”

Writing in Russian, ESET researcher Aleks Matrosov has explained why this particular exploit is so dangerous. “The fact is,” he writes, “that the vulnerability exploited in Java is quite simple and does not require bypassing DEP, ASLR or other security mechanisms. And in most cases, with a small adaptation, the exploit could also be made cross-platform.” The reason is that CVE-2012-1723 is a type-confusion flaw in the JVM's type checking rather than a memory-corruption bug: the exploit is ordinary Java bytecode that tricks the VM into treating one object as another and uses that to switch off the sandbox, so the OS-level mitigations that make native exploits unreliable never come into play, and the same applet works wherever the vulnerable JRE runs.

The consensus from the anti-malware industry is that they watch Blackhole activity very closely, they can now detect this exploit from wherever it is delivered, and that if you don’t need Java, uninstall it. Oracle fixed CVE-2012-1723 in its June 2012 Java update (Java 7 Update 5 and Java 6 Update 33), so the exploit only works against runtimes that have not been updated since then. In the meantime, we can expect many Blackhole-driven infections because of users who keep Java, don’t update it, and don’t have any anti-malware.
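Since the one decisive factor above is whether a machine's Java runtime predates the fix, here is an added example (not from the article or from any vendor quoted in it) of a check that parses the banner `java -version` prints and compares it against the first patched update levels, which the example assumes to be Java 7 Update 5 and Java 6 Update 33. The sample banners embedded in it are constructed for illustration, not real captures.

```python
"""Flag Java 6/7 runtimes that predate the CVE-2012-1723 fix.

Added example for this article, not the page's own code. Assumes the fix
shipped in Oracle's June 2012 update (JDK 7 Update 5 and JDK 6 Update 33)
and that version strings look like the ones `java -version` prints.
"""
import re
import subprocess

# First update level per major family that carries the fix (assumption, see above).
FIXED_UPDATE = {6: 33, 7: 5}

# Matches 1.<family>.0 with an optional _<update> suffix, e.g. 1.7.0_04 or 1.7.0.
_VERSION_RE = re.compile(r'1\.(\d)\.0(?:_(\d+))?')

# Constructed sample banners in the shape `java -version` prints (not real captures).
SAMPLE_BANNERS = {
    "old_7": 'java version "1.7.0_04"\nJava(TM) SE Runtime Environment',
    "fixed_7": 'java version "1.7.0_05"\nJava(TM) SE Runtime Environment',
    "old_6": 'java version "1.6.0_32"',
    "fixed_6": 'java version "1.6.0_33"',
}


def parse_java_version(text):
    """Return (family, update) from a `java -version` banner or bare version string.

    '1.7.0_04' -> (7, 4); '1.6.0_33' -> (6, 33); '1.7.0' -> (7, 0).
    Returns None when no recognisable 1.x Java version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_vulnerable(text):
    """True if the runtime is a Java 6/7 build older than the first fixed update.

    Families older than 6 were out of support and never got the fix, so they are
    reported as vulnerable; families newer than 7 are assumed to carry it.
    Unparsable input raises ValueError rather than silently passing.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        raise ValueError("no Java version found in: %r" % (text,))
    family, update = parsed
    if family not in FIXED_UPDATE:
        return family < 6
    return update < FIXED_UPDATE[family]


def installed_java_banner():
    """Return the banner of the local `java -version` (printed on stderr), or None if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if banner is None:
        print("no java on PATH: not exposed to this exploit")
    else:
        state = "VULNERABLE (update Java or remove it)" if is_vulnerable(banner) else "patched"
        print("%s -> %s" % (parse_java_version(banner), state))
```

Run it on a workstation to get a yes/no answer; the parsing functions take any banner text, so the same logic can be pointed at inventory exports instead of a live `java -version` call.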
