Into the Blackhole

Jeremy Scott    |    August 21, 2012

The latest news in malware has been the recent Kaspersky Labs discovery of the sophisticated attack toolkit named Gauss. Headlines also include reports of the Zegost RAT being served by compromised Nepalese government websites. However, the majority of the malware samples received in the last couple of weeks have been related to the Blackhole Exploit Kit.

The Solutionary SERT research team has been tracking this issue for some time and our public reports up to this point have been relatively high-level. If what we’ve observed over the past few weeks is any indicator, Blackhole will not be going away any time soon, and it might help to get more acquainted with what it does and how it is used to infect victim machines with a trojan designed to steal financial information.

As a quick recap, the Blackhole Exploit Kit has been the most popular exploit kit among cybercriminals since 2011. Blackhole is a web application that allows an attacker to take advantage of well-known vulnerabilities in popular applications such as Adobe Reader, Adobe Flash and Java. Its first version, v.1.0.0, was released in 2010. The most recent version, v.1.2.3, was released on March 25, 2012. While there has not been a significant version change since then, there have been several updates to v.1.2.3 that add further exploits. What does this all mean? Blackhole leverages vulnerabilities across a wide range of software to exploit victim hosts, and successful exploitation leads to infection with an equally wide range of malware. These infections have often resulted in the theft of victims' financial information.

Blackhole uses a couple of techniques to direct victims to the exploit site: compromised web pages and spam messages. Often the two are combined. The compromised web pages are typically injected with malicious JavaScript. The injected scripts are normally heavily obfuscated and use a variety of techniques to evade detection. The image below shows an example of the source code of a compromised page.

[Image: source code of a compromised page carrying the obfuscated injected script]

The payload of the injected script is a simple iframe, as shown here:

[Image: the decoded payload, an iframe pointing at the exploit site]

The spam email message will either contain a link to the compromised web page or contain an HTML attachment with the same obfuscated code. (See example.)

[Image: spam email carrying the HTML attachment]

The iframe in the HTML code directs the victim to the Blackhole Exploit Kit landing page. The landing page captures the parameter included in the URL, fingerprints the victim machine, and loads the files that target the exploits relevant to the fingerprint of the victim's machine.
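As an added example that is not part of the original post or Solutionary's tooling, the following Python triage script flags the two indicators described above in a saved page or HTML attachment: an iframe hidden by size or style, and an inline script that combines runtime decoder calls with a long encoded literal. The sample HTML and the landing.example host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Calls that obfuscated droppers lean on to rebuild their payload at runtime.
DECODER_TOKENS = ("fromCharCode", "eval(", "unescape(", "parseInt(")

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._buf = []          # start buffering script text until </script>
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def hidden_iframes(iframes):
    """Iframes sized 0/1 px or styled invisible, the way the injected payload hides."""
    hits = []
    for a in iframes:
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = all(str(a.get(k) or "").rstrip("px") in ("0", "1") for k in ("width", "height"))
        if tiny or "display:none" in style or "visibility:hidden" in style:
            hits.append(a.get("src") or "")
    return hits

def obfuscated_scripts(scripts):
    """Scripts combining two or more decoder calls with a long string or numeric array."""
    blob = re.compile(r'"[^"\n]{60,}"|\'[^\'\n]{60,}\'|\[(?:\s*\d+\s*,){20,}')
    return [js.strip()[:40] for js in scripts
            if sum(js.count(t) for t in DECODER_TOKENS) >= 2 and blob.search(js)]

def triage(html):
    c = _Collector()
    c.feed(html); c.close()
    return {"iframes": hidden_iframes(c.iframes), "scripts": obfuscated_scripts(c.scripts)}

# Constructed sample: a benign page with an appended hex-decoding dropper and a 1x1 iframe.
SAMPLE = """<html><body><h1>Welcome</h1>
<script>var k="3c696672616d65207372633d22687474703a2f2f6c616e64696e672e6578616d706c652f";
var s="";for(var i=0;i<k.length;i+=2)s+=String.fromCharCode(parseInt(k.substr(i,2),16));
eval(s);</script>
<iframe src="http://landing.example/main.php?page=ID" width="1" height="1"></iframe></body></html>"""
```

Run it over a directory of quarantined attachments or crawled pages; either indicator alone is weak, but both together on one document are a strong cue to pull it for analysis.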

Blackhole will attempt to exploit the victim based on the fingerprint of the machine and installed software. The landing page will load one or more exploits depending on the potential vulnerabilities that may be present.

The code below illustrates how Blackhole has used a Java applet to exploit a Java vulnerability and load further exploit code.

[Image: applet tag used by Blackhole to load the Java exploit]

One of the class files within the JAR archive decodes the URL parameter and provides the path of the executable payload. The example shown here returns the following URL:

http://{removed}/w.php?f=182b5e=4

As yet another example of Blackhole’s flexibility, this image shows how a vulnerability in Microsoft Help and Support Center (CVE-2010-1885) has been leveraged to compromise victim hosts.

[Image: script targeting CVE-2010-1885 in Microsoft Help and Support Center]

Evaluating the script reveals a VBScript that downloads additional content:

[Image: the decoded VBScript downloader]

Where does all of this leave us? In the case shown here, victim machines could wind up infected with the Cridex banking Trojan. Cridex is just one of the many payloads associated with the Blackhole Exploit Kit. Once the malware is dropped onto the victim machine, it executes a copy of itself and injects itself into running processes. From there the malware deletes the initially executed copy and tries to connect to a command-and-control (C&C) server. Once it finds and successfully connects to a live C&C server, it downloads a customized configuration file that is saved as a registry entry. Cridex then sits back and steals login credentials. The trojan and its variants also inject malicious HTML code into the websites listed in their configuration files.

A couple of good tips to help avoid falling into the Blackhole:

  • Be suspicious of emails. Enough said on that.
  • Don’t click on hyperlinks in emails. It is better to visit the official website by manually typing the address in the browser or calling the company directly.

Remember: the best defense is to never open the email in the first place. While never opening a phishing email is the best way to avoid falling victim, even the most experienced email user will occasionally open one by accident. If you have already opened it, do not reply or click the link in the email. Simply clicking through to the referenced page can be enough to infect you if you are vulnerable to any of the exploits used by the landing page.
