Whitehole Exploit Kit in the wild

Pierluigi Paganini February 09, 2013

Exploit kit, a name which has become depressingly familiar, crimaware kit that contains malicious code to exploit principal vulnerabilities in large consume product such as browsers, last news is that a new kit named Whitehole has emerged on the underground market. Generally the exploit kits are malicious Web-based applications designed to install malware on computers by exploiting known vulnerabilities in outdated browser and browsers plug-ins.

“The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively.ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems. On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes. Senior threat researcher David Sancho wrote a detailed report on how this threat is evolving at a fast pace in his paper, Police Ransomware Update.”

According to security firm Trend Micro the cybercrime has a new weapon to compromise computers using a malware diffused over the internet. Whitehole is very similar to most popular exploit kit Blackhole, but it has some particular differences, Whitehole only contains exploits for known Java vulnerabilities (CVE-2011-3544, CVE-2012-1723, CVE-2012-4681, CVE-2012-5076 and CVE-2013-0422).

The Whitehole appears as an ongoing project and currently is sold as a test release, however, its creators are already renting it in the underground for prices between US$200 and $1,800, depending on their traffic volume.

“Given Whiteholes current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments,”

The schema is quite simple, a well-known technique dubbed drive-by downloads is implemented for malware diffusion, users generally get redirected to drive-by download attack pages visiting a compromised website.

Another interesting feature implemented for Whitehole exploit is the antivirus detection evasion technique that is able to prevent Google Safe Browsing from detecting and blocking it and load up to 20 malicious files at once.

The monitoring of underground forums is a fundamental activity for cybercrime prevention, it is necessary to detect in time the growing the cyber threats. Sometimes in the underground are also proposed very dangerous exploit kit containing code for exploit of zero-day vulnerabilities, in these case, there is no other defense that intercepts as soon as possible to malicious code to reverse it.

Anyway, it is strongly suggested to keep always updated the software we regularly use, including browser plug-ins limiting their use to a minimum, completely disable components that are not frequently used.

Create damage infecting millions of machines has never been so easy and cheap!

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Whitehole, hacking)  

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment