“This morning we started getting the first indication of a large scale attack,” FireEye noted in its blog. “So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. After seeing the reliability of this attack, [we] have no doubt in my mind that within hours the casualties will be in the thousands.”
Almost all of the domains are hosting multiple exploits. “If nothing else works, the new Java zero-day kicks in and all of a sudden the machine is compromised,” the blog concluded.
BlackHole, the malware design kit of choice (F-Secure said that 85% of the infected servers using exploit kits are BlackHole-based), has a high success rate anyway: Java exploits in BlackHole servers are 75% to 99% successful according to Seculert. But since adding the new unpatched Java exploit, the success rate for infection has spiked from around 10% to 25%.
“It didn't take more than a day for the BlackHole malware author to add this exploit to the BlackHole arsenal,” said bloggers at Seculert. “The author was in such a hurry, that vendor F-Secure believes that he decided to keep some of the functionality and variable names from the original code.”
Because of the widespread nature of Java use and resulting widespread vulnerability, many experts advise that enterprises disable Java plug-ins from all installed browsers until a vendor patch is available. The zero-day exploit casts a wide net: it successfully runs in all versions of Internet Explorer, Firefox, Opera, Google Chrome and Safari.
Kapersky Labs analyzed the attacks and found that they are coming from China, and are using the Poison Ivy remote-access tool as the perpetration engine.