What Is The Most Popular Way To Infect Your Computer?
Kaspersky Lab has published the results of its research into one of the most popular methods of infecting computers. So who wins out in the malware stakes? Phishing? Dodgy emails? Spam attacks?
According to researchers, Java exploits are the tool of choice for cybercriminals, with the Kaspersky Security Network recording two million users targeted between March and August 2013 in cyber-attacks exploiting vulnerabilities in legitimate software.
During the research, Kaspersky Lab’s experts examined how computers were infected with the help of the BlackHole exploit pack.
The BlackHole pack includes exploits targeting vulnerabilities in Adobe Reader, Adobe Flash Player, Oracle Java and other software. Because the operation of all exploit packs relies on what is essentially the same algorithm, Kaspersky Lab experts picked three Java exploits from BlackHole to illustrate the working principles of exploit packs.
“In the last 12 months alone, over 161 vulnerabilities in Java Environment Runtime were detected. This provides a wide platform from which to exploit vulnerabilities across OS versions, web browsers, installed plugins, and other configurations,” Sam Bryce-Johnson, Kaspersky Lab ANZ’s Technical Manager said.
The BlackHole case study demonstrates how security components can interact with malicious code at various stages targeting specific vulnerabilities, which include:
- blocking the start page of the exploit pack (i.e. the first page of the exploit pack after the user is redirected from a legitimate site);
- detection using file antivirus (if the user nonetheless reaches the start page of the exploit pack);
- signature-based exploit detection (in case the security solution failed to detect the start page of the exploit pack);
- proactive exploit detection (used if all signature-based security components fail to detect anything malicious while scanning the contents of the exploit pack, and the exploit manages to launch); and
- detection of malicious downloads (if the exploit manages to escape detection, it attempts to download a malicious payload and launch it on the victim computer).
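As an added illustration (not Kaspersky Lab's code or data), the five stages above modelled as an ordered pipeline in Python: each constructed infection chain is passed through the stages in the order the article gives, and the result is the first stage that stops it. All indicators, hashes, hostnames and the exploit marker are made-up placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field
import re

# Constructed indicators (placeholders, not real IoCs); a real product
# would draw these from signature databases and cloud telemetry.
BLOCKED_LANDING_HOSTS = {"landing.example.invalid"}
KNOWN_BAD_FILE_HASHES = {"deadbeef" * 8}          # hypothetical SHA-256 of a landing page
EXPLOIT_SIGNATURES = [re.compile(rb"TOY_EXPLOIT_MARKER")]  # stand-in for a real signature
SUSPICIOUS_BEHAVIOURS = {"jvm_spawns_shell", "jvm_writes_temp_exe"}
BLOCKED_PAYLOAD_HOSTS = {"payload.example.invalid"}

STAGES = ["web_blocklist", "file_antivirus", "exploit_signature",
          "proactive_behaviour", "download_block", "infected"]


@dataclass
class InfectionChain:
    """Observations a security product would see as one redirect chain unfolds."""
    landing_url: str
    landing_sha256: str = ""
    applet_bytes: bytes = b""
    runtime_events: set = field(default_factory=set)
    payload_url: str = ""


def host_of(url: str) -> str:
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def detection_stage(chain: InfectionChain) -> str:
    """Return the first stage that stops the chain, or 'infected' if none does."""
    if host_of(chain.landing_url) in BLOCKED_LANDING_HOSTS:
        return "web_blocklist"          # never reach the exploit-pack start page
    if chain.landing_sha256 in KNOWN_BAD_FILE_HASHES:
        return "file_antivirus"         # start page fetched but recognised on disk
    if any(sig.search(chain.applet_bytes) for sig in EXPLOIT_SIGNATURES):
        return "exploit_signature"      # the Java exploit itself matches a signature
    if chain.runtime_events & SUSPICIOUS_BEHAVIOURS:
        return "proactive_behaviour"    # exploit launched, behaviour looks malicious
    if chain.payload_url and host_of(chain.payload_url) in BLOCKED_PAYLOAD_HOSTS:
        return "download_block"         # payload fetch is stopped
    return "infected"


def stage_counts(chains) -> dict:
    """Summarise which stage caught each chain, as a telemetry report would."""
    counts = Counter(detection_stage(c) for c in chains)
    return {s: counts.get(s, 0) for s in STAGES}
```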
Vyacheslav Zakorzhevsky, Head of the Vulnerability Research Group at Kaspersky Lab, said that the problem of ‘black holes’ remains relevant despite both the availability of studies into the infection mechanism of exploit packs and the comprehensive solutions offered by security vendors.
“End users typically do not rush to install updates, and cybercriminals seize the initiative by creating new malicious programs to attack known vulnerabilities.”
Kaspersky Lab researchers also uncovered a trend which attackers use to prevent the exploit pack’s contents from falling into the hands of experts at anti-malware companies and other researchers. To avoid exposure, cybercriminals may ‘blacklist’ IP addresses used by research companies – such as crawlers, robots, and proxy servers – to block exploits from launching on virtual machines.