Blackhole responsible for a third of drive-by download attacks



Malware created using the infamous Blackhole toolkit can be found on nearly a third of all malicious web links circulating in the wild, according to new research.

A team made up of researchers at Google, the International Computer Science Institute and several leading US universities has warned that so-called drive-by downloads are becoming cyber crooks' attack of choice.

The team studied more than 77,000 malicious URLs identified using Google's Safe Browsing – a tool Google uses to identify sites carrying malicious payloads.

They then attempted to analyse the code that these sites were spewing out, analysing the malware that was being distributed and the tools used to create it.

Nearly half of all web pages serving exploits were based on two toolkits: Blackhole and Incognito. Blackhole alone was used to create 29 percent of served exploits.

But while crooks had coalesced on exploit creation kits, the types of malware being distributed vary enormously. The researchers found over 32 families of malware, ranging from droppers and fake anti-virus software to information stealers and browser hijackers.

One good piece of news is that the drive-by websites are typically operational for an average of only 2.5 hours, according to the researchers.

Even so, because the crooks are using the exploit kits to target popular websites, they are able to infect thousands of users even within a 2.5 hour window of opportunity, the team warned.

While the dangers of drive-by downloads have been widely recognised, the researchers warned that the proliferation of malware toolkits such as Blackhole is fomenting a revolution in cyber crime.

“The means by which a host initially falls under an attacker’s control are now independent of the means by which another attacker abuses the host in order to realise a profit, such as sending spam, information theft, or fake anti-virus,” wrote Kurt Thomas, a researcher at the University of California, Berkeley who was involved in the study, on his blog.

The team's findings are being presented at the ACM Conference on Computer and Communications Security in Raleigh later this month.

02 Oct 2012
