
Opera Users Exposed to BlackHole through Browser Homepage

For at least the last few hours, Opera users have been exposed to e-threats coming from the notorious BlackHole exploit pack.

Earlier today, the Bitdefender automated scan systems alerted us that a malicious obfuscated script loaded by the page at hxxp://portal.opera.com redirects users to a malicious page hosting the notorious BlackHole exploit kit. Apparently, the script was loaded through a third-party advertisement, a practice commonly known as malvertising. You probably remember the recent incident with Yahoo Messenger hijacking the browser start page to a Vietnamese Portal.

The hidden and obfuscated piece of code in the Opera Portal homepage inserts an IFrame that loads malicious content from an external source. If the Opera user hasn’t changed the default homepage, active malicious content is loaded from a third-party website (g[removed]750.com/in.cgi) whenever they open their browser.
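A static triage check for the pattern described above, as an added example that is not Bitdefender's detection logic or code from the original article: it flags third-party iframes (hidden or tiny ones separately), third-party script includes, and inline scripts that call dynamic-code functions. The host names, finding labels and the list of flagged functions are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic (assumption): calls that obfuscated injector scripts typically rely on.
DYNAMIC_JS = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class PageAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()   # host the audited page was served from
        self.findings = []                   # list of (label, detail) tuples
        self._inline_script = False

    def _third_party(self, url):
        # Relative URLs have no host and count as same-site; subdomains count as same-site too.
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe" and self._third_party(src):
            tiny = any(a.get(d, "").strip().removesuffix("px") in ("0", "1") for d in ("width", "height"))
            hidden = tiny or bool(HIDDEN_CSS.search(a.get("style", "")))
            self.findings.append(("hidden-3p-iframe" if hidden else "3p-iframe", src))
        elif tag == "script":
            if self._third_party(src):
                self.findings.append(("3p-script", src))
            self._inline_script = not src

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False

    def handle_data(self, data):
        match = DYNAMIC_JS.search(data) if self._inline_script else None
        if match:
            self.findings.append(("dynamic-js", match.group(1)))

def audit(html, page_host):
    parser = PageAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (not taken from the incident): one same-site frame, one tiny third-party frame.
SAMPLE = """<iframe src="http://video.portal.example/player" width="640" height="360"></iframe>
<iframe src="http://ads.thirdparty.example/slot" width="1" height="1"></iframe>
<script>document.write(unescape("%3Cp%3Ewelcome%3C%2Fp%3E"));</script>"""
```

A static pass only sees the markup as served, so an iframe that a script inserts at runtime shows up here only as the `dynamic-js` hit; pages with that finding need a second look in a rendering sandbox.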

Fig. 1. Bitdefender detects malware the moment Opera Portal homepage is loaded

This malicious page harbors the BlackHole exploit kit (we were served the sample via a PDF file rigged with the CVE-2010-0188 exploit), which will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is hosted on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP.

Bitdefender detects the obfuscated script as Trojan.Script.478548; the offending page loaded by the Opera Portal has also been blocked by the cloud URL blocker since the emergence of the attack.

If you have any doubts about whether you have fallen victim to this stunt, you should run a 60-second QuickScan available on the Bitdefender Quickscan website.

This article is based on the technical information provided courtesy of Cristina Vatamanu and Răzvan Benchea, Bitdefender Virus Analysts.

About The Author

E-Threat Analyst

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.


Comments (12)

  • rod

    “If the Opera user hasn’t changed their default homepage, active malicious content is loaded from a third-party website (g[removed]750.com/in.cgi) whenever they open their browser.”

    This is false.

    Opera starts where you left off when you restart it. It does not open portal.opera.com (unless you already had that page open).

    Unless they explicitly open that site, they will never see it.

    • Loredana Botezatu

      Hey there,

      It may be false for you, but might be true for others. In Opera versions prior to 12, users had a choice of how the browser should start up. One of the options was Start with homepage. So, what you’re saying is true, but it does not apply to everybody.

      If you’re concerned about your privacy, you’re never going to start your session with the previous tabs on, so you’d probably go for the browser homepage.

      • rod

        Some ancient version of Opera did show you options here, but that’s back in 2005 or earlier I think.

        Why would you not start where you left off? It’s what makes sense. You leave browsing, but you will probably want to pick up at the same point later.

  • mrbob

    I always set Opera and any other browser to (about:blank). This then starts with a blank page, so I am always in control.

  • klarloo

    Anything new about it?
    It sounds like it was a false positive, wasn’t it?

    • Bogdan Botezatu

      Hey Klarloo.

      No, it wasn’t a false positive, it was a redirect to Blackhole. It happened to other legit sites as well, it’s not related to the Opera Portal only. We issued the advisory when we detected the Opera redirect in order to make Opera users aware of a potential threat.

  • RSmith

    Ironically, you’ll need to use a different browser to run the recommended ‘Bitdefender Quickscan’, because accessing it from within Opera results in this message “QuickScan is not compatible with Opera browser.”



© 2012 Powered By Bitdefender
