You are compromised if you are not having java version greater than 1.6.0_23

Do you think you will get infected only when visiting porn sites / cracks / malicious sites. LOL you get infected even when you visit,,

Currently blackhole exploit kit is heavily being used to distribute zbot via drives-by download. And blocking the domains is use less as they last only for some time (fastflux domains). And the distribution mechanism is mainly Malvertaising.
It goes this way

You visit —> Advertiser loads ad which goes to —> (Malvertaiser) that loads iframe —> exploit page ( main.php?02332424247686686866887686)

You don’t have java version < 23, boom you are gone. Check you version

Actually speaking it is targeting CVE2010-0840 via worms.jar file. Surprising you cannot have you AV block worms.jar, we literally had dance with our AV provider for getting signature, every time we submit they give signature and next day another worms.jar that is not detected. And I cannot blame them exactly as I see they obfuscate java code with garbage string to avoid detection.

We have implemented controls to block, domains (most of initial checkin sites we see) and block urls ending with “worms.jar” in Proxy and investigate for every download of .class file. Make sure all the devices in your organization have java minor version >23.


About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s