Researchers at security provider Symantec have concluded analysis on the most recent version of the Blackhole Exploit Kit, the most popular exploit pack in the underground market, revealing some sophisticated new features.
The latest incarnation has adapted to take advantage of an unpatched vulnerability in Microsoft XML Core Services (CVE-2012-1889) which Microsoft had discussed in a security bulletin released on June 12th.
"The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website," Microsoft stated.
The infection ploy is known as a drive-by attack, a commonly used method for spreading malware.
"Web attacks and drive-by downloads continue to be one of the primary ways that enterprise and consumer computers are compromised today," Symantec's Nick Johnston writes.
Blackhole injects malicious code into compromised websites, allowing attackers to utilize a variety of exploits that target vulnerabilities in widely used applications like Java and Flash, and infects victims with a drive-by attack when they visit the compromised website.
The problem malware authors face is that if the URL of the injected iframe is changed or taken down, every compromised site must be manually updated to point to the new URL.
The researchers analyzed the domains generated by the injected script and determined a method for predicting the pseudo-random domains it will produce in the future.
"Running this code in isolation, it seems that the pseudo-random domain is based on a number which is in turn based on an initial seed value, the current month and the day of the current month. By changing the date passed to the function we can determine domains that will be used in future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, such that details of the registrant are not published in WHOIS," Johnston continued.
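The defensive value of the analysis above is that a generation function whose only inputs are a seed, the month and the day of the month can be run forward to enumerate the domains the kit will use on upcoming dates, and that list can feed a DNS watchlist before the domains go live. The following Python is an added example, not Symantec's code and not Blackhole's actual algorithm: the seed value, the mixing arithmetic, the SHA-256 label derivation, the log format and the log lines are all constructed stand-ins that only reproduce the structure described in the quote (seed, month, day, with no year). It builds the watchlist for a date range and flags resolver log entries that query a predicted domain, including one dated in the future.

```python
import hashlib
from datetime import date, timedelta

# Constructed placeholder seed; the real kit's seed value is not on the page.
SEED = 0x5EED2012
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_number(seed: int, d: date) -> int:
    """Stand-in for the intermediate number: mixes only the seed, the month and
    the day of the month, as the analysis describes. The year is deliberately
    absent, so the same domain recurs on the same calendar day every year."""
    return (seed * 0x9E3779B1 + d.month * 0x10001 + d.day) & 0xFFFFFFFF


def domain_for(seed: int, day_iso: str, tld: str = "com", length: int = 12) -> str:
    """Derive one pseudo-random domain for the given ISO date (hypothetical scheme)."""
    n = daily_number(seed, date.fromisoformat(day_iso))
    digest = hashlib.sha256(n.to_bytes(4, "big")).digest()
    label = "".join(ALPHABET[b % 26] for b in digest[:length])
    return f"{label}.{tld}"


def predicted_domains(seed: int, start_iso: str, days: int) -> dict:
    """Enumerate the domains for `days` consecutive dates starting at start_iso.
    Returns {domain: iso_date} so an analyst knows which day each one belongs to."""
    start = date.fromisoformat(start_iso)
    out = {}
    for i in range(days):
        d = start + timedelta(days=i)
        out[domain_for(seed, d.isoformat())] = d.isoformat()
    return out


def flag_dns_queries(log_lines, watchlist: dict) -> list:
    """Match query names in resolver log lines against the predicted-domain watchlist.
    Log format is constructed for this example: '<timestamp> <client-ip> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in watchlist:
            hits.append((parts[1], qname, watchlist[qname]))
    return hits


# Constructed resolver log: two benign lookups and two lookups of generated domains,
# one for "today" (2 July) and one for a date still in the future (5 July).
SAMPLE_DNS_LOG = [
    "2012-07-02T10:14:03Z 10.0.0.12 www.example.com.",
    "2012-07-02T10:14:09Z 10.0.0.12 " + domain_for(SEED, "2012-07-02") + ".",
    "2012-07-02T10:15:40Z 10.0.0.27 cdn.example.net.",
    "2012-07-02T10:16:02Z 10.0.0.27 " + domain_for(SEED, "2012-07-05") + ".",
]


def run_demo() -> list:
    """Build a watchlist covering the next 30 days and scan the sample log with it."""
    watchlist = predicted_domains(SEED, "2012-07-01", 30)
    return flag_dns_queries(SAMPLE_DNS_LOG, watchlist)


if __name__ == "__main__":
    for client, qname, day in run_demo():
        print(f"{client} queried {qname} (generated for {day})")
```

Because the described scheme ignores the year, the watchlist repeats annually; a defender who recovers the real function can pre-register or sinkhole the upcoming domains, as the researchers did by resolving those registered up to 7 August, and can keep the same list for the following year if the kit is not changed.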
Based on the analysis, the researchers believe the malware authors may still be testing the new feature, which botnets have used before but which had not until now been seen in exploit kits.
"So far we have seen a small but steady stream of compromised domains using this technique. This suggests that this is perhaps some kind of trial or test that could be expanded in future. Botnet software has used similar techniques in the past (Storm, most famously), but use of this technique in Web exploit kits is an emerging technique," Johnston said.