
What is JS/Exploit-Blacole.i?

McAfee found it in a Java cache folder on my computer. It quarantined it.

Should I have anything to worry about, or am I good?

It only found it in two locations.

Both locations were in C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\45 and C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\34, and both were quarantined.

Secondary McAfee full scans found nothing.

I can't find much information on this specific form "JS/Exploit-Blacole.i". I am Running Malwarebytes as well for a second opinion.

9 Replies
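A triage helper added here (not code from the thread or from McAfee): it inventories the Java deployment cache at the path the original poster names, listing each cached file with its bucket directory, timestamp and SHA-256, so that anything left behind after quarantine can be reviewed or looked up by hash. It assumes the LocalLow\Sun\Java\Deployment\Cache\6.0 layout from the post and PowerShell 4 or later for Get-FileHash.

```powershell
# Added triage helper, not part of the original thread. Inventories the
# Java deployment cache mentioned by the poster so leftover artefacts can
# be reviewed by hash and timestamp. Assumes the 6.0\<bucket> layout from
# the post and PowerShell 4+ (Get-FileHash).
$cacheRoot = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\Cache\6.0'

if (-not (Test-Path $cacheRoot)) {
    Write-Output "No Java deployment cache at $cacheRoot (Java removed or never installed)."
    return
}

Get-ChildItem -Path $cacheRoot -Recurse -File |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [PSCustomObject]@{
            Bucket   = $_.Directory.Name              # e.g. 45 or 34, as in the post
            File     = $_.Name
            # .idx files are cache index entries; everything else is cached content
            Kind     = if ($_.Extension -eq '.idx') { 'index' } else { 'content' }
            SizeKB   = [math]::Round($_.Length / 1KB, 1)
            Modified = $_.LastWriteTime
            SHA256   = $hash.Hash
        }
    } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Run it in a normal user session; the most recently written entries appear first, which is where a recently quarantined item's neighbours would sit.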
Hayton
Level 18

Re: What is JS/Exploit-Blacole.i?

This is a new variant of an existing exploit. The McAfee database entry for it is not very informative - see http://vil.nai.com/vil/content/v_910916.htm. It's a Java exploit, so you should immediately check for and download any updates to Java. Not only Java: check that you have the latest versions for your browser, for Flash, and for Adobe Reader.

There is a much more detailed description of this exploit HERE (for "JS/Exploit-Blacole.q") and HERE (for "Exploit-Blacole") with instructions on how to repair your Master Boot Record, which is very probably still infected. The database contains entries for a number of other variants (see this list).

Whichever variant you have found, it enables an attacker to take control of your machine and download other programs for certainly nefarious purposes. You must assume that your passwords (for email, banking, or anything else) have been stolen, that any credit card details you have given in online transactions have been copied, that your bank account details (if you do online banking) have been stolen. You may have been used to send spam, your machine may be under the control of a botnet herder, you could still have malware running on your machine.

So: follow the instructions in the links above to disable System Restore, fix your MBR, and run a Full Scan (you've already done that, so you may be okay; I would do it again to be sure). You might want to run a couple of other scans afterwards by other AV vendors to make sure your machine is clean - I would recommend Microsoft and Malwarebytes (which you've got), since they are likely to cover different classes of threat. And check all your software - everything that you use - to make sure it's running with the latest version. Malware authors write programs that look specifically for out-of-date programs, since they know which reported security flaws to take advantage of. Unpatched programs --> gaping security holes which McAfee can't always guarantee to plug, especially if they involve Java.

For an introduction to the Blackhole Exploit Kit, see the following articles -

http://www.webopedia.com/TERM/B/blackhole_exploit_kit.html

http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx

http://krebsonsecurity.com/2012/02/crimevertising-selling-into-the-malware-channel/

Message was edited by: Hayton on 19/03/12 01:25:31 GMT

Re: What is JS/Exploit-Blacole.i?

Are you sure it is this bad?

Further rescans from both McAfee and Malwarebytes say that it has been quarantined?

I fully uninstalled Java and deleted all the cache, and I have the latest Adobe versions.

UPDATE: The links you showed me said it is low risk.

Message was edited by: leftisthominid on 3/18/12 8:40:31 PM CDT
Hayton
Level 18

Re: What is JS/Exploit-Blacole.i?

The 'Low Risk' assessment is not, in this case, backed up by any information on what the exploit is actually doing once it is activated. Until I see that information I personally would regard that assessment as liable to change.

There is a page HERE which explains the criteria for determining the level of risk from any given exploit.

I gave my advice based on the assumption that this is the same exploit as the one known to Microsoft as 'Exploit:JS/Blacole.I', for which the Alert Level is given as Severe. There are no technical details available from Microsoft for this exploit either.

Any malware infection which comes from use of the Blackhole Exploit Kit must be assumed to be for the purpose of stealing passwords, financial information, and other personal data. Keyloggers are commonly downloaded for the purpose of collecting that information. The Master Boot Record is commonly altered to allow the malware to reinstall after you reboot, so that your PC is effectively under the control of someone else.

McAfee may already, if you are lucky, have found and quarantined the only active files that this malware downloaded. But - until more information becomes available about what this variant does - you can't assume that just deleting the files is the end of it. At the very least, update all your programs and change your passwords. I see you've removed Java: that's good, since most of these exploits are achieved by targeting unpatched Java installations.

Re: What is JS/Exploit-Blacole.i?

I've been getting a second opinion from someone at Techsupportforum.com.

I've posted some of my computer logs there, since they told me it would not be wise to screw with an MBR until I know that it is screwed up.

http://www.techsupportforum.com/forums/f112/what-is-js-exploit-blacole-i-636313.html

http://www.techsupportforum.com/forums/f50/infected-by-js-exploit-blacole-i-what-do-636340.html#post...


Re: What is JS/Exploit-Blacole.i?

Any further advice from Hayton or anyone else? My MBR appears to be clean. ESET, Malwarebytes, and McAfee all cannot find anything on my computer.

exbrit
Level 21

Re: What is JS/Exploit-Blacole.i?

I would say you are ok now.


Re: What is JS/Exploit-Blacole.i?

Thanks for the response.

I cleaned out my old system restores as well just in case and I do daily virus scans.

Also, it should be noted that Hayton's posts were a bit too rash. Before asking me to mess with my MBR, they should have had me actually check if my MBR was busted (which it was not).

Message was edited by: leftisthominid on 3/21/12 6:07:32 PM CDT
exbrit
Level 21

Re: What is JS/Exploit-Blacole.i?

I'm sure he'll read this. Anyway, good luck.
