Monday, July 9, 2012

CVE-2012-1723: New Java Attack Added to Blackhole

Word began to emerge last week of the addition of a new vulnerability to the Blackhole Exploit Kit. The bug in question - CVE-2012-1723 - is a complex Java issue, which thankfully has patches available from Oracle already. Of course, just because a patch is available doesn't mean it's been applied - most exploit kits thrive off of reliable exploits of bugs that are often two or more years old - so adding a new, current attack to the Blackhole arsenal will only make it that much more dangerous. Since there are now public writeups, including proof-of-concept exploits, this bug is likely to be a pain in defenders' sides even outside the context of Blackhole.

Like so many other attacks we see these days, we've seen a sample that came in via a reasonably well-done LinkedIn phish:


The new exploit was actually the third attack delivered after the initial landing page was hit - malicious Flash and PDF files came first - but it was very clear based on the nature of the code that came down and the name observed in the request ("soo.jar", which lines up with what other researchers have seen) that this was the new Java exploit in the wild.

The good news is that the initial exploits that have been released make use of some very odd strings, particularly around file names encoded inside the JAR file. This means that the VRT has very reliable detection of all variants that we've observed in the wild (use SIDs 23273 - 23277). We'll be monitoring this exploit closely, as well as the Blackhole Exploit Kit itself, to watch for updated obfuscations, and will update detection as necessary.

No comments:

Post a Comment