Follow:

 

JS/BlacoleRef


Microsoft security software detects and removes this threat.

You should also update your software to be fully protected.

BlacoleRef is a type of malware which tries to infect your PC with other malware, such as trojans and viruses.

It belongs to the Blacole family of malware, which together are known as the Blacole (or "Blackhole") exploit kit. 

See our page about exploits and learn how to update common software.

When you visit a malicious or compromised website, BlacoleRef scans your PC for vulnerabilities or weaknesses in your software.

You might visit the website from a link or attachment in an email, or from a previously safe website that has been hacked.

The threat uses those vulnerabilities it has found on your PC to download malware onto your PC:

Typically, the Blacole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader.



What to do now

The following Microsoft software detects and removes this threat: 

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can read more about this vulnerability and download software updates from these links:

You should remove older versions of Java, as keeping old and unsupported versions of Java on your PC is a serious security risk:

If you continue to get alerted about this threat, deleting your temporary Java files can help:

It's also important to keep your other software up to date; the more up-to-date your software, the better your chances at preventing Blacole from infecting your PC with more malware:

Threat behavior

Installation

Your antivirus software might detect BlacoleRef when you visit a compromised or malicious webpage. A compromised webpage is one in which a hacker has inserted malicious JavaScript code without the webpage owner's knowledge.

When you visit the webpage, the JavaScript code - detected as BlacoleRef - is run.

This webpage might be from a site that was safe, but has been hacked, or it might be a webpage or HTML file included in an email. When you open the file, BlacoleRef runs.

This type of attack is known as social engineering, where the hacker tries to get you to visit a webpage or open an email attachment because you think it is something important.

We have seen BlacoleRef use emails that pretend to be about airline tickets, contracts, invoices, bank statements, social network notifications (such as updates from Facebook or Twitter), tax refunds (often pretending to be from your country's government, such as the IRS in the US and the ATO in Australia), and updates from shipping companies, such as UPS or FedEx.

For example, for the detection Trojan:JS/BlacoleRef.W, have seen it distributed in emails with the subject "Re: Wire Transfer Confirmation":

 

When you open the attachment, you might see a message in your web browser that asks you to "wait" or tells you an error has occurred.

We've also seen this same variant pretend to a UPS tracking notification:

Payload

Exploits vulnerable webpages

The BlacoleRef family is designed to load a hidden IFrame that contacts a malicious page which is stored on a web server. This page determines information about your browser, such as what browser it is (for example, Internet Explorer or Firefox), what version it is, and what plug-ins or extensions you have installed.

The page then redirects the hidden IFrame to another page (or multiple pages) that specifically uses or "exploits" only those vulnerabilities that your browser is susceptible to. These vulnerabilities are then used to download malware onto your PC.

In this way, BlacoleRef forms part of a larger process, all of which is designed to have the greatest success of infecting your PC with malware.

Additional information

This threat's payload might vary, depending on what the server is distributing at any one time.

A common payload is to download additional malware onto your PC, such as trojans and viruses. It could also download malware that then downloads or drops other malware (these are known as trojan downloaders and droppers) or malware that allows remote hackers to gain access and control to your PC (these are known as backdoor trojans).

Further reading

Get gamed and rue the day...

Analysis by Methusela Cebrian Ferrer


Symptoms

Alerts from your security software might be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Apr 10, 2012
This entry was updated on: Oct 09, 2013

This threat is also detected as:
  • Blackhole (other)
  • Blacole (other)
  • Black hole (other)
  • Blachole (other)