It was an unusual problem Adam Evans, the senior manager of ScotiaBank’s security operations centre, had to solve last year – his users kept getting sucked into a Black Hole, and when they were spit back out, they were infected with malware.
The Black Hole exploit kit was named by Evans as one of ScotiaBank’s biggest security headaches for 2011. The insidious exploit technique works by setting up a series of malicious domains. Hackers set traps to bait users to click on the infected links. Once they do, they are sucked into a series of domains that assess the software stack on their machine, determine what vulnerabilities will be effective, and finally drop the right exploits onto the user’s PC. Just like that, hackers gain a foothold in the organization.
Not to mention that the exploits are encrypted with custom algorithms that obscure them from anti-virus software. Just like a real black hole, you can’t see it by looking directly at it – you have to observe the impact in the affected area to know it’s there.
“It’s not just ScotiaBank,” Evans says, in an interview at IBM Corp.’s Pulse conference in Las Vegas. “Organizations en masse struggle with vulnerability patching. When you have hundreds of thousands of endpoints in your organizations, all these guys are looking for is one vulnerability, it can be a 10-year-old vulnerability, or it can be a 0-day, it doesn’t matter.”
While computer security gurus have been lamenting the growing complexity of malware designed to infect their systems and create opportunity for hackers to steal valuable information, 2011’s main problems hinged around rather unsophisticated malware, says Robert Freeman, manager of X-Force Research, IBM’s security division. Researchers were seeing hackers implement off-the-shelf trojans, some of which had been around for years, hoping to find an unpatched vulnerability.
Even if those older trojans are picked up by anti-virus scanners, it is low risk to the hackers.
“It’s likely to be detected as something that’s insignificant,” Freeman says. “So the whole operation isn’t blown.”
Exploit kits such as Black Hole often use a combination of 50 known exploits or more to try and find a crack in an organization’s armor. Even though most, if not all, of those exploits have been patched by software vendors, it can be a challenge for an organization to make sure that gets rolled out across its entire network.
“Organizations find it very difficult to achieve patch compliance,” Evans says, who keeps tabs on 75,000 employees at ScotiaBank. “User education and awareness is a huge part of that program, but not always effective.”
To plug the Black Hole and stop its users from getting sucked into the malware void, ScotiaBank worked with other banks in a security work group to identify some patterns common in the URLs used to infect machines. They found there were certain strings commonly used, even if the domains were random.
From there, ScotiaBank worked with its anti-virus vendor to determine what content filtering policies would stop the exploits. Taking snippets of the common URLs to block, it updated its user-based policy sets across the organization.
“Once we got that into place, it helped stop going to those URLs they were being directed to and having the malware dropped,” Evans says.