Blackhole exploit kit
24 Feb 2011 05:06 PM
The Blackhole exploit kit is an "off-the-shelf" Web application that facilitates the delivery of malicious payloads. The first instance of the kit -- v.1.0.0 beta -- appeared and was advertised on the black market in August 2010 as a "system for network testing". As with most exploit kits, it is based on PHP and a MySQL backend. The payload usually targets Windows operating systems and Windows applications, but precisely what is targeted depends on the criminal's end goal.
The kit's administrative system includes several so-called "Statistical Widgets". Most widgets provide the same information as pages in other kits, like global statistics, operating systems, top countries, and referrers. An interesting feature of this kit is that a criminal can create a custom widget, basically meaning that the most important and required statistics can be gathered and shown in one widget.
The Blackhole exploit kit uses several protection mechanisms such as:
- Integrated Antivirus based on an API of popular blackhat AVCheck services
- Forms database of blacklists based on referrers and IP addresses, including ranges, to block access to the system
The kit's settings allow criminals to choose a language interface of either Russian or English, which suggests that the kit was developed in Russia. Also, naming files and parameters in Russian may make the payload harder to detect by AVs. Exploits are encrypted with custom algorithms that make the package difficult to analyze by AVs and generic deobfuscation tools and services. The Blackhole exploit kit uses the Java OBE (Open Business Engine) toolkit to spread exploits and successfully load the malicious executable to the victim's machine. Once a victim follows the malicious iFrame, a JAR file is downloaded with an encoded URL parameter, and one of the classes of this JAR file will decode this parameter into a clear text URL. The URL is concatenated with an HTTP GET parameter which is used to download other malicious payload files. The exploit kit is encrypted with the commercial php-cryptor, which makes the whole distribution very regulated and sophisticated. The kit is therefore only "leased" by the criminals and not sold to them like many other exploit kits.
Here is a screen shot of the settings page:
Here is a screen shot of the statistics page:
Below is a running list of targeted vulnerabilities that have been used with the Blackhole exploit kit:
Updated list of targeted Vulnerabilities:
CVE-2012-4681 Oracle Java 7 Update 6, and possibly other versions, allows remote attackers to execute arbitrary code via a crafted applet, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class
CVE-2012-1889 Microsoft XML Core Services accesses uninitialized memory locations, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
CVE-2012-1723 Java Runtime Environment (JRE), allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVE-2012-0507 Java Runtime Environment (JRE), allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency.
CVE-2011-3544 Java Runtime Environment (JRE), allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
CVE-2011-2110 Adobe Flash Player allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
CVE-2011-0611 Adobe Flash Player allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content.
CVE-2010-3552 New Java Plug-in, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
CVE-2010-0188 Adobe Reader, allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.
Old Vulnerabilities (still used):
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2007-5659 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
A new version of the Blackhole exploit kit (Version 1.2.5) has been advertised in underground forums:
New released, version 1.2.5
exploit added: XML exploit for IE (works for all systems)
list of exploits used:
Java CVE-2012-1723 - Java version 220.127.116.11 and earlier
PDF ALL (includes 3 exploits for a Adobe Reader earlier than 8th version)
Flash (pack consists of two CVEs, used for old versions of Flash, but still triggers a bit)
Flash AVM CVE-2011-2110 (this exploit triggers better than previous pack)
MDAC (no point to discuss, people still use IE6)
HCP (still works, but will be lost in a near future)
IE XML (recently added)
Update - September 13, 2012
A new version of the Blackhole exploit kit (Version 2) has been released: - See more at: http://community.websense.com/blogs/securitylabs/archive/2012/09/13/blackhole-exploit-kit-updates-to-2-0.aspx
Update - July 15, 2013
A new version of the infamous BlackHole Exploit Kit was brought to our attention through a recent series of malicious email campaigns.
Key differences in this version of the exploit kit that caught our eye include:
1. Long HTML Query Structure In Email Lures
The new URL structure is noticeably longer, spanning more than 60 characters. The old URL structure found in previous campaigns usually used a short html query or a specific HTML page. The image below shows an example of what the URL structure looks like in email lures.
2. Obfuscated HTML Content
As you can see, the HTML content of the new URLs shows obfuscation in the initial redirect. Previous campaigns only used a simple location.replace() function and a clear and straightforward PHP redirect page.
3. Exploit Page
Finally, the exploit page of the recent campaign is much smaller than the previous exploit pages. Here, you can clearly see the iframe where the malicious payloads are hosted. In previous campaigns, you would need to de-obfuscate the page to understand what the code was doing.