December 12, 2011
 Deconstructing the Black Hole Exploit Kit

This month, the science journal Nature published a story on the biggest black hole ever discovered by UC Berkeley researchers.  

What is the biggest black hole in cyber space? Imperva's malware dissection team took a careful look at the anatomy of the Black Hole Exploit Kit. In addition to Tomer, Sarit has now joined the team to add a feminine touch to the dissection process.

What’s New?
The new black hole exploit kit has been out and we’ve had a chance to deconstruct it.  Before we get super geeky, some general observations about the innovation in this kit:

  • Malware developers continue to use the latest tools to encrypt their malware to evade anti-virus (AV) software. As usual, the encryption signature is new, so AV misses it: our analysis showed that 70 percent of AV products would miss this sample altogether. This serves as a not-so-gentle reminder of the fundamental problem with signature-based AV: the signature changes every week as a new encryption algorithm is applied.
  • Hackers are building in resiliency. In the past, we've seen hackers deploy a single exploit server. In this case there were four, and the victim could be redirected to another if any one of the URLs was taken down.

 

What are BEPs?
An exploit kit, or browser exploit pack (BEP), is a toolkit that automates the exploitation of client-side vulnerabilities.

The toolkit is a bundle of PHP and HTML files together with a set of exploit files (targeting Java, PDF readers, browsers, Adobe Flash Player, etc.) designed to attack the operating system, the browser or another client-side application. Toolkits are usually heavily obfuscated using known or custom obfuscation and encryption tools to avoid detection by anti-virus vendors.

Black Hole is yet another web exploit kit developed by Russian hackers. It is a very powerful kit that carries a number of recent exploits, including Java and Adobe PDF exploits. One blog published (with updates) a great overview of the best-known exploit packs.

According to The Hacker News, the black market cost of the pack is:

Users can purchase the annual license for $1500, semi-annual license for $1000, or just a quarterly license for $700. The license includes free software updates for the duration of the contract. For those malicious users with a commitment phobia the makers of the kit offer yet another solution. You can rent the kit (on the author's servers) for $50 for 24 hours, $200 for 1 week, $300 for 2 weeks, $400 for 3 weeks, and $500 for 4 weeks. A domain name comes included with the rental agreement, but should you desire to change it you need to pay another $35. But now it's FREE HERE!

NOTE:  For any pictures, click on them to BIGGIFY.

Summary: The Infection Flow

Here’s a breakdown of the infection flow:

BEP1

The Infection Process

A live exploit pack only requires a "drive-by" from the victim, a trivial site visit, to start the infection process.

The click
The most common method used by BlackHole to spread is via links inside phishing emails.  We were no exception:

BEP2
 

Once clicked, we get the infamous “WAIT PLEASE LOADING……” page.

We can immediately see the four JS.JS script sources. Each JS.JS contains a redirect to a Black Hole exploit kit server.

BEP3

The redirection
We can see that the redirect is performed by assigning to the JavaScript document.location property:

BEP4
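
The redirect chain above (a lure page pulling in several JS.JS includes, each setting document.location) is something a defender can triage from a captured page. The following script is an added example written for this write-up, not code from the original post or from the kit; the lure HTML, the js.js body and the hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed lure page modelled on the "WAIT PLEASE LOADING" screen with
# four external JS.JS includes (hostnames are placeholders).
LURE_HTML = """<html><body><h1>WAIT PLEASE LOADING......</h1>
<script src="http://host-a.example/js.js"></script>
<script src="http://host-b.example/js.js"></script>
<script src="http://host-c.example/js.js"></script>
<script src="http://host-d.example/js.js"></script>
</body></html>"""

# Constructed body of one fetched js.js: a document.location redirect.
REDIRECT_JS = 'document.location="http://kit-server.example/main.php?page=abc";'

REDIRECT_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""")
HOST_RE = re.compile(r"^https?://([^/]+)")


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_script_sources(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.sources


def redirect_targets(js):
    """URLs assigned to document.location / window.location in a script."""
    return REDIRECT_RE.findall(js)


def triage(html, fetched_scripts):
    """fetched_scripts maps each script src to its downloaded body. The chain
    is flagged when the lure text, two or more distinct script hosts (the
    kit's resiliency) and at least one location redirect all appear."""
    sources = external_script_sources(html)
    hosts = sorted({m.group(1) for m in map(HOST_RE.match, sources) if m})
    redirects = [t for js in fetched_scripts.values() for t in redirect_targets(js)]
    lure = "WAIT PLEASE LOADING" in html
    return {"lure_text": lure, "script_hosts": hosts, "redirects": redirects,
            "suspicious": lure and len(hosts) >= 2 and bool(redirects)}
```

The redirect targets it returns are the URLs worth blocking or checking against proxy logs.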
The infection
Next, the exploit kit checks which installed applications are vulnerable and selects the best-matching exploit.

  BEP5

Deploying the payloads 
The BEP probes for several vulnerabilities to propagate itself. Deobfuscating the JS above reveals the scripts and functions that identify the targets: the code extracts the installed versions of the following applications:

  • Java
  • PDF
  • Flash 

BEP6

Here, the kit checks for the installed OS:

  BEP7

Here, the kit checks for a PDF exploit (CVE-2008-2992 / CVE-2009-0927):

  BEP8


Here, the kit checks for a Flash exploit (CVE-2011-0611):

BEP9

 

Here, the kit gets a shellcode function:

BEP10

 

Here, the kit checks for a Windows Help and Support Center (hcp://) exploit (CVE-2010-1885):

BEP11


The Java JAR Payload 

The exploit kit sends heavily obfuscated JS code containing a Java applet tag that downloads a malicious JAR file to the infected system.

  BEP12

BEP13

After uncompressing the JAR file, five Java class files are extracted:

BEP14

I used the JD decompiler to decompile the class files. Zoom.class attempts to exploit CVE-2010-0840:

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

  • Once the vulnerability is successfully exploited, the payload tries to download another malicious binary (analyzed later) and save it on the infected system under a random name, <randomName>.exe.
  • It then silently registers the downloaded binary by calling regsvr32.exe -s <binary.exe>.

  BEP15
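
The post-exploitation step above (a randomly named .exe dropped to disk and registered with a silent regsvr32 call, spawned from the exploited Java process) leaves a distinctive process-creation trace. The detection logic below is an added example for this write-up, not from the original post; the key=value event format, the parent-process list and the sample paths are constructed assumptions.

```python
import re

# Constructed process-creation events in a simple key=value format
# (quoted values may contain spaces). Paths and file names are placeholders.
SAMPLE_EVENTS = [
    r'parent="C:\Program Files\Java\jre6\bin\java.exe" image=C:\Windows\System32\regsvr32.exe '
    r'cmdline="regsvr32.exe -s C:\Users\bob\AppData\Local\Temp\ax7g2k.exe"',
    r'parent=C:\Windows\System32\msiexec.exe image=C:\Windows\System32\regsvr32.exe '
    r'cmdline="regsvr32.exe /s C:\Program Files\Vendor\comp.dll"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SILENT_SWITCHES = {"-s", "/s"}
# Clients through which the kit delivers its payload (Java, browser, PDF reader); assumed list.
EXPLOIT_PARENTS = {"java.exe", "javaw.exe", "iexplore.exe", "firefox.exe", "acrord32.exe"}
USER_WRITABLE = re.compile(r"\\(?:temp|appdata\\local)\\", re.IGNORECASE)


def parse_event(line):
    """Split 'key=value key="quoted value"' into a dict (constructed format)."""
    return {k.lower(): v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_regsvr32(line):
    """Return the reasons a regsvr32 event looks like the kit's
    'regsvr32 -s <random>.exe' step; an empty list means nothing matched.
    Assumes switches precede the target, as in the kit's command line."""
    ev = parse_event(line)
    if basename(ev.get("image", "")) != "regsvr32.exe":
        return []
    tokens = ev.get("cmdline", "").split()[1:]
    switches = set()
    while tokens and tokens[0][:1] in "-/":
        switches.add(tokens.pop(0).lower())
    target = " ".join(tokens)  # unquoted paths with spaces are re-joined
    reasons = []
    if switches & SILENT_SWITCHES and target:
        if not target.lower().endswith((".dll", ".ocx")):
            reasons.append("silent registration of a non-DLL target: " + target)
        if USER_WRITABLE.search(target):
            reasons.append("target lives in a user-writable directory")
    parent = basename(ev.get("parent", ""))
    if parent in EXPLOIT_PARENTS:
        reasons.append("regsvr32 spawned by an exploitable client: " + parent)
    return reasons
```

Legitimate installers register DLLs from program directories, so the combination of a silent switch, a non-DLL target under a temp path and a browser or Java parent is what separates the kit's behaviour from normal use.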

As noted above, anti-virus detection of the payload is low: only 13 of 43 vendors catch it, a 30.2% detection rate.

BEP16

Successful Exploitation – The Malware

On every successful exploitation, the running shellcode downloads and executes a malicious binary (download-and-execute shellcode). We got infected twice.

BEP17


ZeuS v.2

BEP18

Sample MD5: 53507987ca9d772c7377a6066259aa7e

BEP19

Anubis Report: http://goo.gl/LCiCg

Ceeinject / Scar / Kazy

BEP21

Sample MD5: ba7017bb86b8d37a37479d6460e992f0

BEP22

Anubis Report: http://goo.gl/NUylt

 

Be safe.


