Blackhole: the 1-day exploit kit

Java is increasingly used by the bad guys. “This is the most effective way for exploiting end-user systems and is sometimes effective across a variety of platforms,” writes ESET. This particular incident also highlights the 1-day exploit.

0-day exploits are well known. But researching and developing 0-days is expensive and time-consuming; and more suited to nation-state development teams than mass-market cybercrime gangs. Instead, the cybercriminals have evolved the 1-day approach. This involves analyzing the latest patches to locate the vulnerabilities that are being closed – effectively using the good guys to locate the weaknesses for the bad guys.

Since few organizations are able to patch their systems instantly, and individuals are notoriously bad at patching their computers at all, a rapidly developed exploit based on the latest patch information from Microsoft or Oracle or Adobe is likely to have a reasonable window in which it will be effective. ESET has demonstrated how quickly the Blackhole gang can react to the 1-day opportunity.

“There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes,” David Harley, a senior research fellow (and co-author of this research) told Infosecurity. “The increase in volumes of 1-day exploits suggests that even if 0-days research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks).”

There is only one guaranteed defense against the 1-day attack: the user must patch before the criminal exploits. 

What’s Hot on Infosecurity Magazine?