
The State of Web Exploit Toolkits 2: BlackHole Kit Scrutinized

Jason Jones now provides an intro to the notorious BlackHole exploit kit, explaining some of its background as well as showing the interface that criminals use.

Facts about BlackHole

The first kit I’m really going to delve into is BlackHole. It’s been around for a couple of years. It’s definitely become the most popular kit on the market, and I’m basing a lot of that on what I’ve seen on sites like Malwaredomainlist and urlQuery, and also on all the samples that we collect from other places. We’re actually seeing lots and lots of instances of this kit versus other kits. I believe the last version was 1.2.3; they may have just recently updated it, because they added a few exploits, and a lot of the exploits that they’ve been using have been targeting Java vulnerabilities. I’ll get into that a little bit more.

Also, there was a Microsoft XML vulnerability discovered in June; at the time it was a 0-day that was actively exploited. Researchers were able to find copies of this page that were in the wild and actively targeting people. People were posting about this, and the kit authors also saw this; they took these pages, adapted them and got them into their kit. So they were actually able to get it into BlackHole while it was still unpatched. Thankfully, there is now protection out there for it.

One of the biggest things that BlackHole does is JavaScript obfuscation. They constantly change and tweak it a little bit just to try to stay one step ahead. We’ve actually done a lot of running URLs that we find through our sandbox and watching the results: watching the behavior of how it makes URL requests, which exploits it loads. At the end of the day, it doesn’t do anything super-sophisticated, but they do enough sophistication to keep trying to stay one step ahead.

BlackHole kit in the news

These are news stories from 2011 (see left-hand image). BlackHole was in the news a lot. In mid-May of 2011 they made a version free while they still kept the newer versions paid, so it was like “Here’s a sample; if you like this, come back to us and buy the full version”. They also were able to compromise the United States Postal Service and redirect a lot of visitors there to versions of their kit. And they also did the same thing with MySQL.com. They are also doing lots of spam campaigns these days, trying to install various versions of SpyEye, ZeuS and Carberp using fake Facebook friend requests.

Events around BlackHole as of 2011

This (see right-hand image) is kind of a timeline of a lot of events that happened in 2011. Some of them I’ve just talked about; earlier in the year there was an ad server network compromised, and that was one of the first big stories we saw about BlackHole. They also did a lot of SEO poisoning. They ended up releasing three different versions of their kit in 2011. There was also the mass WordPress compromise in November, targeting the WordPress plugin called TimThumb. That was a vulnerability where you could actually upload any kind of file and get it executed. There was a patch released for this in August, and a large number of people running WordPress were not updating this plugin, so a mass compromise campaign was launched by people running BlackHole, and they got hundreds of thousands of WordPress blogs compromised and redirecting to BlackHole.

Why spam? It’s easier

I saw a paper last month from Trend Micro where they delve into the spam campaigns that BlackHole has been using, and I have been collecting quite a bit of information myself. The reason they’re using spam over trying to compromise a site is because it’s a lot easier. It’s easier to get a list of a million people and send out an email to them trying to get them to click on the link than to find a popular enough website that has a vulnerability you can exploit (SQL injection, cross-site scripting) to get your stuff in there to redirect them. The amount of spam that they are generating is rising significantly. A lot of these that I’ve seen have been fake delivery notices for UPS and FedEx, and I saw a lot of them around the holidays, so they’re definitely using contextual stuff like that: fake IRS notices around tax time in April for people from the U.S.; also fake orders from Amazon or other places. So you go there, you see a link saying “Hey, click here to go see more info”, and it’s going to a BlackHole site, and you end up getting owned.

BlackHole control panel

This is a screenshot of the control panel that BlackHole uses (see left-hand image). I actually borrowed it from Xylitol’s blog; he also does a lot of work on exploit kits, and he’s really awesome. Here on the upper right you see different exploit percentages; you’ll see visitor browsers and the percent of exploit rates. You see countries visiting, you see operating systems, and just some general statistics that they show. What you’ll see with this versus Phoenix and some other kits is that they definitely have tried to create a much nicer-looking feel in their control panel than a lot of other kits.

Exploits breakdown

In this kit you’ll actually see (right-hand image) that the top vulnerability was Java/CVE-2011-3544 (Java Rhino), and there was a patch released late last year. This was about a month after it was patched. It has an 83% success rate in the wild, which is crazy. Also, another interesting thing is that the most exploited operating system at that time was Windows 7. You look through all the others, and there’s 10% for a PDF vulnerability, then 3%; you know, extremely low. And this actually seemed to start the trend where they added another Java exploit in early 2012, about a month after a patch was released. Then they just did the same thing again.

The sad truth about Java updates

So, I was trying to figure out why people aren’t patching it. Why is it being so successful? You know, I love Reddit; I was browsing the /r/funny/ stuff on Reddit, and, basically, the perfect image popped up (see left-hand pic). “What do we say to the Java update? Not today”. So, it’s just people ignoring it, saying “Oh, there’s a Java update in the system tray? No, go away!” And so I saw that, I laughed, and then I facepalmed. It was just something that perfectly exemplified the problem that we see in the wild.

Read previous: The State of Web Exploit Toolkits – Turnkey Cybercrime Software

Read next: The State of Web Exploit Toolkits 3: How BlackHole Works
