Blackhole is like most other malware and exploit packs, it spreads over iframe and it executes a downloaded payload. ESET Threat blog in this post, but now there is a brand new used vulnerability : CVE-2012-0507. CVE-2012-0507 is an interesting vulnerability found in the Java AtomicReferenceArray class implementation, which wasn’t checking properly whether the array was of an appropriate Object[] type. A malicious Java applet could use this flaw to bypass Java sandbox restrictions in order to execute malicious code outside of sandbox.
The blackhole infection starts with a classic iFrame like in this picture below:
 | This image has been resized. Click this bar to view the full image. The original image is sized 500x173px. |
The infection goes on following these steps:
Java malware are becoming day by day more and more popular, the reason is Java bugs are pretty common nowadays and and because java is “platform independent” meaning that the attacker needs to write only one exploit for all systems including Linux, Mac and Windows. Not one exploit for each attacked platform like and executables.
