You are compromised if you are not running a Java version greater than 1.6.0_23.

Do you think you will get infected only when visiting porn sites, cracks or malicious sites? LOL, you get infected even when you visit yahoo.com, msn.com or 4shared.com.

Currently the Blackhole exploit kit is heavily being used to distribute Zbot via drive-by download. Blocking the domains is useless, as they last only for some time (fast-flux domains), and the distribution mechanism is mainly malvertising.
It goes like this:

You visit 4shared.com —> advertiser epom.com loads an ad which goes to —> hfen.in?4shared (malvertiser) that loads an iframe —> exploit page (main.php?02332424247686686866887686)

If you don’t have a Java version greater than update 23, boom, you are gone. Check your version.

Actually speaking, it is targeting CVE-2010-0840 via a worms.jar file. Surprisingly, you cannot have your AV block worms.jar; we literally had a dance with our AV provider to get a signature: every time we submit a sample they give us a signature, and the next day there is another worms.jar that is not detected. And I cannot blame them exactly, as I see they obfuscate the Java code with garbage strings to avoid detection.

We have implemented controls to block cz.cc and cx.cc domains (most of the initial check-in sites we see) and to block URLs ending with “worms.jar” at the proxy, and we investigate every download of a .class file. Make sure all the devices in your organization have a Java minor version > 23.
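The two controls above, the Java version check and the proxy rules, as an added example that is not part of the original post. The `java -version` string format is the real one, but the proxy log layout, the hostnames and the log lines below are constructed for the example; adapt the parser to your own proxy's log format. The domain rule is a suffix match, so it blocks the whole cz.cc / cx.cc free-subdomain zones, which is the approach the post describes.

```python
"""Defensive helpers for the Blackhole / worms.jar campaign described above.

Added example, not code from the original post. It covers two of the
controls the post recommends:

  1. Checking whether an installed Java version is newer than 1.6.0_23
     (the version string format is the one printed by `java -version`).
  2. Scanning proxy log lines for the indicators the post names: hosts under
     cz.cc / cx.cc, requests whose path ends in worms.jar, and any .class
     download (which the post says should be investigated).
"""
import re
from urllib.parse import urlsplit

# Per the post: Java must be newer than 1.6.0_23. Assumption for this example:
# versions are compared as (major, minor, micro, update) tuples.
MIN_SAFE_JAVA = (1, 6, 0, 23)

_JAVA_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Extract (major, minor, micro, update) from a `java -version` string such
    as 'java version "1.6.0_22"'. Returns None if no version is found."""
    m = _JAVA_VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def java_is_vulnerable(version_text):
    """True if Java is 1.6.0_23 or older (not newer than the post's minimum).
    An unparsable version string is treated as vulnerable, not as safe."""
    v = parse_java_version(version_text)
    if v is None:
        return True
    return v <= MIN_SAFE_JAVA


# Indicators taken from the post. Suffix matching on the domain covers every
# subdomain of the two free-subdomain zones.
BLOCKED_DOMAINS = ('cz.cc', 'cx.cc')
BLOCKED_DOMAIN_SUFFIXES = tuple('.' + d for d in BLOCKED_DOMAINS)
BLOCKED_PATH_SUFFIXES = ('worms.jar',)
INVESTIGATE_PATH_SUFFIXES = ('.class',)

# Constructed log layout: "client method url status" (Squid-like, simplified).
_LOG_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$')

# Constructed sample log reproducing the chain in the post with placeholder
# hosts (4shared.com and yahoo.com are named in the post; the rest are made up).
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.4shared.com/ 200
10.0.0.5 GET http://ads.example/serve?id=42 200
10.0.0.5 GET http://malvertiser.example/?4shared 200
10.0.0.5 GET http://checkin.cz.cc/main.php?02332424247686686866887686 200
10.0.0.5 GET http://payload-host.example/worms.jar 200
10.0.0.7 GET http://intranet.example.local/app/Loader.class 200
10.0.0.9 GET http://www.yahoo.com/ 200
"""


def classify_request(url):
    """Return 'block', 'investigate' or 'allow' for one URL per the post's rules."""
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    path = parts.path.lower()
    if host in BLOCKED_DOMAINS or host.endswith(BLOCKED_DOMAIN_SUFFIXES):
        return 'block'
    if path.endswith(BLOCKED_PATH_SUFFIXES):
        return 'block'
    if path.endswith(INVESTIGATE_PATH_SUFFIXES):
        return 'investigate'
    return 'allow'


def scan_proxy_log(log_text):
    """Return [(client, url, verdict)] for every request that is not allowed."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed layout
        client, _method, url, _status = m.groups()
        verdict = classify_request(url)
        if verdict != 'allow':
            hits.append((client, url, verdict))
    return hits


if __name__ == '__main__':
    print('vulnerable:', java_is_vulnerable('java version "1.6.0_22"'))
    for client, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{verdict:<11} {client} {url}')
```

Run as a script it prints the three hits from the sample log (two blocks, one .class download to investigate); in practice you would feed it your proxy's export and push the `block` verdicts to the proxy's deny list.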

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, security.
