At the end of March, we disclosed coverage of an exploit kit we called "Hello" (http://vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html), also known as "LightsOut". We thought we'd do a follow-up post to tear this exploit kit apart a bit more. This variant of the LightsOut exploit kit uses a number of Java vulnerabilities and targets multiple browsers. Its primary goal is to drop and execute a downloader executable, which in turn downloads and executes further malware samples. These secondary samples run in sequence, harvest information from the machine, and potentially exfiltrate what they collect. Overall, not fun for visitors to sites compromised with the LightsOut exploit kit.
Because of the number of Java vulnerabilities this kit leverages, it's important to keep Java updated and to make certain that outdated versions of Java aren't still sticking around on your PC. Oracle provides a utility to remove outdated versions of Java, described in this article: https://www.java.com/en/download/faq/uninstaller_toolinfo.xml. A detailed analysis of how the kit operates is below, under Browser Trajectory Analysis.
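As an added illustration of the "outdated Java still sticking around" check (this is example code written for this page, not the post's own tooling or Oracle's uninstaller), the script below takes a list of installed-program names and `java -version` strings, parses the several version formats Java uses, and reports which entries fall below a baseline. The inventory and the baseline of Java 7 Update 55 are constructed assumptions; in practice you would feed it the names from Add/Remove Programs or the `JavaSoft` registry keys and set the baseline to the current Oracle release.

```python
"""Flag outdated Java runtimes in a software inventory (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption for this example: anything older than Java 7 Update 55 is
# considered outdated. Replace with the current release in real use.
MIN_VERSION = (7, 55)

# Java version strings show up in a few shapes; each pattern captures
# (major, update) as groups 1 and 2.
_PATTERNS = [
    # "1.7.0_51" as printed by `java -version` (update may be absent)
    re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$"),
    # "7u51" shorthand used in download names
    re.compile(r"^(\d+)u(\d+)$"),
    # "Java 7 Update 51", "Java(TM) 6 Update 45", "Java 8 Update 5 (64-bit)"
    re.compile(r"^Java(?:\(TM\))?\s+(\d+)(?:\s+Update\s+(\d+))?", re.IGNORECASE),
]


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a recognised Java version string, else None."""
    text = text.strip()
    for pattern in _PATTERNS:
        match = pattern.match(text)
        if match:
            major = int(match.group(1))
            update = int(match.group(2)) if match.group(2) else 0
            return (major, update)
    return None


def is_outdated(version: Tuple[int, int], minimum: Tuple[int, int] = MIN_VERSION) -> bool:
    """Tuple comparison orders by major release first, then update number."""
    return version < minimum


def audit_inventory(inventory: List[str],
                    minimum: Tuple[int, int] = MIN_VERSION) -> Dict[str, List[str]]:
    """Sort inventory entries into outdated, current and unrecognised buckets."""
    result: Dict[str, List[str]] = {"outdated": [], "current": [], "unparsed": []}
    for entry in inventory:
        version = parse_java_version(entry)
        if version is None:
            # e.g. "Java Auto Updater" is not a runtime; report it separately
            result["unparsed"].append(entry)
        elif is_outdated(version, minimum):
            result["outdated"].append(entry)
        else:
            result["current"].append(entry)
    return result


# Constructed sample inventory mixing display names and `java -version` output.
SAMPLE_INVENTORY = [
    "Java 7 Update 51",
    "Java(TM) 6 Update 45",
    "Java 8 Update 5 (64-bit)",
    "Java Auto Updater",
    "1.7.0_55",
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for bucket, entries in report.items():
        print(f"{bucket}: {entries}")
```

Several side-by-side installs show up as separate entries in the inventory, which is exactly the situation the Oracle uninstaller is meant to clean up; the `unparsed` bucket is worth reviewing by hand rather than ignoring.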
More here: http://vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Vrt+%28Sourcefire+VRT+-+Vulnerability+Research%2C+Razorback+and+Explosions%29