October 31, 2012

As the variety of malware and its distribution methods have grown, automated ‘kits’ have become a more common means for cyber criminals to infect a larger number of computers and networks. We hope this post will inform our customers about the two most common of these threats, the Blackhole Exploit Kit and the ZeroAccess Rootkit.

BLACKHOLE is one version of an exploit kit. Exploit kits are a means for the perpetrators to install their malicious software on other people’s computers. They take advantage of hidden security loopholes in the software on the victim’s computer, which let the intended malware slip through and infect it. The market for these Blackhole kits is growing. The writers and designers of the kits are not the ones doing the distribution; they just create and market the kits, much as Microsoft does with its software. Similar to the traditional software our customers are familiar with, purchasers of these kits buy licenses for a period of time, which include access to updates to the exploit kit software and even upgrades that help the kit get around anti-malware software. The owners of the kits then distribute them. Blackhole threats are becoming so common that they have been estimated to account for almost 30% of all detected malware threats.

So how does Blackhole work? A user’s browser must first be directed to an exploit site. This can happen in several ways.

Legitimate websites can be compromised with malicious code. When a user visits such a page, the code loads from the site. Links to these pages are often spread through email or Twitter with enticing messages that get users to visit them.

Spam, although its dangers are much discussed, is still a successful way of spreading links and attachments via email that trick users into clicking. In the case of Blackhole, the links redirect to the Blackhole site.

Landing pages, which organizations use to control and direct user traffic, can also be compromised with Blackhole code.

The code in question is usually JavaScript, which makes it easy to hide aggressive malicious code. The code is then encoded in the hope of evading detection by anti-virus and anti-malware software.

Beyond being aware of these threats, our users can take certain steps to prevent them. Spam filters in email can often intercept the threat by detecting the JavaScript content. Web filters can scan page content and block access to sites carrying the infected JavaScript. Be aware that basic web filters that filter only on site reputation will not be sufficient to block Blackhole attempts. Users should also patch their operating systems for extra defense. Since Flash, Adobe software and Java are vulnerable, turning on automatic updates for these applications is a useful protection.
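As an added illustration of why a reputation-only web filter misses a compromised legitimate site while a content-scanning filter does not (example code written for this post, not any product's filter), the Python below scores a page for common markers of encoded JavaScript and hidden iframes. The two sample pages, the blocked-host list, and the patterns and weights are all constructed assumptions for the demo.

```python
import re

# Constructed sample pages (not real captures). The first is a legitimate
# shop page that has been compromised with an encoded, hidden script and a
# 1x1 hidden iframe; the second is a clean page with ordinary JavaScript.
COMPROMISED_PAGE = """<html><body><h1>Welcome to our store</h1>
<script>var s=unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%68%69%27%29");eval(s);</script>
<iframe src="http://third-party.example/ad" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script>document.getElementById('x').innerText='hi';</script></body></html>"""

# Reputation-only filter: blocks a known-bad host list and nothing else,
# so a freshly compromised legitimate site passes straight through.
BLOCKED_HOSTS = {"known-bad.example"}  # constructed list

def reputation_filter(host):
    return host in BLOCKED_HOSTS

# Content-scanning filter: weighted markers of encoded/obfuscated JavaScript
# and hidden iframes (assumed weights, chosen for this demo).
OBFUSCATION_PATTERNS = [
    (r"\beval\s*\(", 2),
    (r"\bunescape\s*\(", 2),
    (r"String\.fromCharCode", 2),
    (r"(%[0-9a-f]{2}){12,}", 3),        # long run of %XX-encoded characters
    (r"(\\x[0-9a-f]{2}){12,}", 3),      # long run of \xXX-encoded characters
    (r'<iframe[^>]*(width="?[01]"?|visibility:\s*hidden)', 3),  # hidden iframe
]

def scan_page(html):
    """Return (score, matched patterns) for a page body."""
    score, hits = 0, []
    for pattern, weight in OBFUSCATION_PATTERNS:
        if re.search(pattern, html, re.IGNORECASE):
            score += weight
            hits.append(pattern)
    return score, hits

def content_filter(html, threshold=5):
    return scan_page(html)[0] >= threshold

def decide(host, html):
    """Block if either the reputation list or the content scan fires."""
    return reputation_filter(host) or content_filter(html)

if __name__ == "__main__":
    for host, page in (("shop.example", COMPROMISED_PAGE), ("shop.example", CLEAN_PAGE)):
        print(host, "reputation:", reputation_filter(host),
              "content score:", scan_page(page)[0], "blocked:", decide(host, page))
```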


The ZEROACCESS rootkit is distributed by exploit kits similar to Blackhole, but these commonly attack ad servers. The malware can spread very quickly if the ad appears on high-volume sites. SEO rankings increase traffic to these sites, putting more users at risk. No action is needed from the user other than merely visiting the site to be infected. ZeroAccess also often uses social media as its primary infection channel, luring users into running an executable file that contains the rootkit code, for example one posing as a game or a tool for bypassing copyright protection. The files are actually trojanized, but the filenames are designed to trick the user into loading and running them.

ZeroAccess attacks computers via a “dropper” that installs the components of the malware on the computer. These droppers are designed to get past anti-malware software, much as Blackhole does. ZeroAccess can also succeed in baiting security programs into changing access permissions on the computer, or even terminating the running process completely until the rootkit is installed. The droppers are sophisticated enough to detect whether the OS is 64-bit or 32-bit and install the version of the malware built for it.

Once installed, ZeroAccess causes the computer to communicate with other infected ZeroAccess computers, after which further malicious downloads and files are released. The initial list of ‘peers’ the infected computer communicates with is a list of 256 IP addresses of previously infected computers. The infected computer attempts to contact each of these, and once a connection with another infected computer succeeds, further malicious commands are executed on both machines.

We encourage our users to increase their protection by installing an anti-rootkit tool. These can detect changes in the system and clean up from there, but they need to be closely monitored to ensure the removal is completed in its entirety. Monitoring network logs for errors can also be useful, if done regularly. For example, an increase in failure reports could indicate that ZeroAccess attempted to disable security products. Lastly, firewalls that interrupt peer-to-peer communication can help cut off the communication of botnets like ZeroAccess.
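As an added example of the kind of log monitoring described above (written for this post, not code from the original or from any product), the Python below scans constructed firewall log lines for a host that contacts many distinct peers in a short window, the pattern an infected host sweeping its initial 256-address peer list would produce. The log format, hosts, port and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed firewall log lines (not a real capture). Host 10.0.0.5 sweeps
    through a peer list, one new external address per second; host 10.0.0.9
    shows ordinary browsing. Port 40000 is an assumed placeholder, not a real
    ZeroAccess port."""
    t0 = datetime(2012, 10, 31, 9, 0, 0)
    lines = []
    for i in range(60):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=198.51.100.{i + 1} dport=40000 proto=udp action=deny")
    for i in range(3):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst=203.0.113.{i + 1} dport=443 proto=tcp action=allow")
    return lines

def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec

def find_peer_sweeps(lines, window=timedelta(minutes=5), min_peers=50):
    """Return {src: peak distinct destinations} for every source host that
    contacts at least min_peers distinct destinations within any span no
    longer than window. The thresholds are assumptions for this demo: a host
    working through a 256-address peer list exceeds them quickly, while
    ordinary browsing stays well below."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_peers:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for src, peers in find_peer_sweeps(make_sample_log()).items():
        print(f"possible peer sweep from {src}: {peers} distinct destinations in 5 minutes")
```

A host flagged this way is a candidate for an egress block on the firewall and for a closer look with the anti-rootkit tool mentioned above.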

These exploit kit threats are real and increasingly successful at infecting users. If you would like further information on how to protect your personal computer or your business network, please contact us at 505-954-4400.

ECS IT Solutions Partners