BlackHole Exploit Pack analysis

    July sees updates for well-known BlackHole Exploit Kit (Microsoft Malware Protection Center, KrebsOnSecurity). A new sample of ExploitPack discovered "in the wild" has been detected and studied for significant changes compared to its predecessors. A fully deployed and working ExploitPack has been detected on a server in Moldova. Users successfully opened the infected page in their browsers.  According to the Virus Total Results, the exploit was detected by 3 URL scanners on 2012/08/08:

 

The infected page's appearance did not change compared to that in March (http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp).

 

The same message appears on the web page:

ExploitPack inside

 

Consider the code of the malicious page paying attention to downloading Java applet that is a Java Exploit containing obfuscated Java Script code:


Java Exploit (CVE-2012-1723)

 

The "Dop.jar" Java applet (md5: dda6427396b394c58a4288e8c9d3f9a9) uses the "ie_ja.ie_jd" class as its main class. Encrypted URL is a value for the "h" input parameter that is passed to the applet. Let's consider the detection of the malicious applet over a 24 hours period using the Virus Total service:




The applet is a modified Java Exploit which uses a considerably new Java vulnerability in HotSpot VM (CVE-2012-1723). For more information about the vulnerability, visit MS Threat Research & Response Blog.

 

Using the Exploit, the malware decrypts a link the applet receives as a parameter, then downloads a file and runs it for execution:

 

http://178.***.***.67/w.php?f=97d19&e=2

 

The file is downloaded to the computer under the following name:

 

%Documents and Settings%\<user_name>\<random_name>.exe (MD5: da387f5c77fe65852de958b72b2dd494)

 

The malware is detected by Ad-Aware as Trojan.Win32.Generic!BT. Other antivirus scanners give the same result: the sample is a modification of Win32.Tepfer. The Trojan being executed tries downloading one more executable file:

 

 

 

 

Java Script uses simplified obfuscation which is decrypted once a user visits an infected page and runs the script for execution. The Exploit Pack analyzes the decrypted script. In addition, it targets using the vulnerabilities in the Adobe products: Shockwave Flash, Reader and Acrobat. An updated browser plugin detector called PluginDetect comprises most of the script.

 

 

 

 

The script is aimed at the following browsers: Internet Explorer, Firefox, Mozilla, Netscape, Chrome, Safari, Opera, SeaMonkey, and Flock. It helps the malicious script to check which plugins are installed in the browser as well as the plugin versions. It allows the malware to download and execute the exploit file which can take advantage of the vulnerability on the system.

 

Depending on the version of the installed Adobe products, the Trojan downloads Exploits from different sources. The Trojan then runs Exploits on the current page in the" iframe" or as embedded objects:

 

 

 

 

Adobe PDF Exploit (CVE-2010-0188)

The PDF document being downloaded is an exploit file and detected by Ad-Aware as Exploit.PDF.Pdfjsc.rf(v). To execute itself the Exploit uses vulnerabilities in Adobe Reader and Acrobat including v. 9.3 (CVE-2010-0188). If the vulnerability is successfully exploited, the malicious code is injected into the memory (heap-spray) and then the code is executed:

 

As a result, a file is downloaded from the following URL:

http://qw***ves.com/w.php?f=97d19&e=3

The file is saved with the following name:

%Temp%\wpbt0.dll

  The library is run for execution by the "regsrv32" application.

 

Adobe Shockwave Flash Exploit (CVE-2011-2110)

Adobe Shockwave Flash Exploit can be downloaded if Adobe Flash Player 10.3.181.23 or earlier versions is installed. The Exploit runs if the following conditions are met:

  • It is opened in MS Internet Explorer, Mozilla Firefox;
  • No debugger is available;
  • The system's OS is not 64-bit
  • Flash runtime is not embedded in a PDF file.

 

An encrypted link is sent to the malicious flash file as the "info" parameter value. Once the link is decrypted, the malware uses it to download encrypted binary data. The decrypted code is injected to the address space of the process:

 

Depending on the installed Flash Player version, as well as a method the Flash Player has been run (as a plugin or by the ActiveX object) the Exploit executes the pre-defined instructions.

Different tests are passed to calculate the Return-Oriented Programming (ROP) gadgets for every vulnerable version:

 

Thus, the Exploit uses techniques to avoid Data Prevention Execution (DEP) and Address Space Layout Randomization (ASLR) security mechanisms and launches itself for execution.

Conclusion

The updated BlackHole Exploit Pack is a powerful tool for hacker attacks and remote intrusions. Installing antivirus software which uses heuristic analysis and being vigilant while accessing suspicious web resources help prevent and detect attacks on user's computer.

  • Back to articles


  • Share this post:    Twitter Facebook