One of the most common questions we receive at SophosLabs is “How are users most likely to get infected with malware?”.
As regular readers will be aware, the answer is through the web. More specifically, computers are most likely to be infected through compromised legitimate websites redirecting user traffic to malicious websites that are hosting some exploit kit.
The most active of these exploit kits in recent times is one known as Blackhole.
Properly understanding how the Blackhole exploit kit works and why it has become the most popular of the various exploit kits available is important in order to provide the best protection to our customers.
Previous research focused on early versions of the Blackhole exploit kit, and the tricks used by the attackers in evading detection.
More recently, SophosLabs expert Gabor Szappanos has been delving deeper into the internal workings of the Blackhole exploit kit, to get a more thorough understanding of how it works.
Gabor’s technical paper, entitled “Inside a Black Hole”, is now available, and I would encourage all readers to download it and learn more about the Blackhole exploit kit.
Read now: “Inside a Black Hole”
Plug hole image from Shutterstock.
At the risk of being tacky I would point out that one of the best ways to avoid infection is to avoid downloading anything you don't have to.
Unless this article has a word count like a Stephen King novel, it should have been posted to a page where it could be read and not require a download.
Of course I trust this website; that's not the issue. I would point out also that after I had logged into WordPress.com to be able to comment, an outfit named IntenseDebate (your comment software) wanted my WordPress.com name and password.
I proved my trust of this site by giving it to them, but that was a no-no as well. I don't know who the heck IntenseDebate is, and as such didn't appreciate having to give them personal info from another site account just to comment here.
Your site's strive for security should not make me compromise my personal standards for my own, jus' sayin'…
Intense Debate is part of the WordPress.com empire, owned by the same company.
Your ignorance is showing.
The Blackhole exploit kit works by infecting machines that visit a compromised webpage and throwing a bunch of exploits at the browser. No user interaction required. Most are infected when a trusted site is compromised and an iframe to a second server is placed in the HTML.
And if you don't want to give over your username/password for WordPress, why didn't you use the Guest posting function?
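The injected-iframe redirect described in the comment above is the part of the chain a site owner can check for directly. The following is an added example, not code from the original post or from the Sophos paper: a small heuristic scanner that parses a page's HTML and flags iframes which both point to a different host and are hidden by size or CSS. The sample HTML and all hostnames (`example-legit-site.test`, `attacker-placeholder.test`, `video-host.test`) are constructed placeholders; the function names are this example's own.

```python
"""Added example (not part of the original post or the Sophos paper):
flag iframes that look like an injected off-site redirect in a page's HTML.
Sample HTML and hostnames below are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostname of the site whose page is being inspected.
SITE_HOST = "example-legit-site.test"


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 pixels, a common way to hide a frame."""
    match = re.match(r"^\s*(\d+)", value)
    return match is not None and int(match.group(1)) <= 1


def suspicious_iframes(html, site_host=SITE_HOST):
    """Return [(src, reasons)] for iframes that are off-site AND hidden.

    Off-site alone is not flagged: legitimate embeds (video players, ads)
    are common. Hidden alone is not flagged either, since the redirect the
    comment describes points at a second server. Both together is the
    pattern worth a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src (no hostname) stays on the site being inspected.
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host:
            reasons.append("off-site src")
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if "off-site src" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one on-site embed, one visible off-site embed,
# and one hidden off-site frame of the kind the comment above describes.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/embed/player" width="640" height="360"></iframe>
<iframe src="http://video-host.test/player?id=1" width="640" height="360"></iframe>
<iframe src="http://attacker-placeholder.test/landing.php"
        width="1" height="1" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML):
        print(f"{src}: {', '.join(reasons)}")
```

Only the third frame is reported; the visible video embed is off-site but not hidden, so it is left alone. A real deployment would run this over the served HTML of each page (not the source in the CMS, since the injection usually lands in the served output) and alert on any new finding.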
Your web server is obviously not configured to correctly describe the attributes of the PDF file to the browser, otherwise it would have opened in the browser instead of being downloaded as a file.
Awesome paper! I am amazed at the level of analysis used to track down clues.
Respectfully @ rogparish
How many people know what you are talking about let alone know how to configure anything on their computer?
The link to http://www.sophos.com/en-us/why-sophos/our-people… appears to be broken. I get a general page. I came here after "Sophos Endpoint Security and Control" blocked a site.
Thanks for letting us know – the link has been restored.