Sheepykins
Daemon Poster
Ah... good evening Gentlemen,
I wanted to share a particularly nasty bit of malware with you, that you may have heard about already; it's been out a while but it's been taking the IDS and security industry by storm since 2010.
I'm talking about the Blackhole Exploit kit.
Basically it's an exploit kit developed in Russia that at the time was sold for profit and could be used for vulnerability testing - however it soon went off the market when people realised they could download it and use it for personal gain.
You may still be able to buy this in some countries for around 1500 USD. It wasn't cheap and follows other tools such as the Low Orbit Ion Cannon that was intended for good, but had its good name corrupted lol.
The kit consists of a series of PHP scripts designed to run on a web server. The PHP scripts are all protected with the commercial ionCube encoder.
The general characteristics of the Blackhole exploit kit are listed below and as you can see, a lot of this could equally apply to several other kits:
- Configuration options for all the usual parameters:
  o Querystring parameters
  o File paths (for payloads, exploit components)
  o Redirect URLs
  o Usernames, passwords
  o etc.
- MySQL backend
- Blacklisting/blocking
  o Only hit any IP once
  o Maintain IP blacklist
  o Blacklist by referrer URL
  o Import blacklisted ranges
- Auto update
- Management console provides statistical summary, breaking down successful infections:
  o by exploit
  o by OS
  o by country
  o by affiliate/partner (responsible for directing user traffic to the exploit kit)
  o by browser
- Targets a variety of client vulnerabilities
- AV scanning add-ons
Nasty as you can see, the main problem is the auto update function.
The exploit kit infects a compromised web server and then lays in a redirect for an HTTP GET request for malicious PHP code generated by the kit, which will then try to infect your computer with a trojan script OR, depending on the kit setup, will take advantage of JavaScript, PHP and Adobe vulnerabilities on that machine.
With the auto update function, the kit can alter its PHP code according to new threats exposed monthly - needless to say, dear god in heaven.
According to surveys if these can be believed, this sort of kit is now responsible for about 23% of malware infections on machines across the world (but who knows).
The good thing about this is, with a good set of IPS/IDS (intrusion detection) software, be that placed on a box or a network-placed sensor, you can easily find out who's going to these machines or if you're compromised.
The PHP code pumped out by the exploit kit is fairly specific:
URI REGEX: [mM][aA][iI][nN]\x2e[pP][hH][pP] (main.php)
Request REGEX: page=[a-f0-9]{16}\x2ephp (page= 16 hex characters ending in php)
With this, my company has been able to find users attempting to go to compromised web servers upon seeing a script make-up like that.
That's it from me, any web admins please keep on top of this and anyone thinking of security concerns on their network should invest in IDS systems depending on its size. They can save you a lot of ballache.
Supporting documentation:
Blackhole exploit kit - Wikipedia, the free encyclopedia
http://sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf
Exploring the Blackhole exploit kit | Naked Security
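The two detection regexes from the post, applied to proxy-style access log lines as an added example (not code from the original post; the log layout, hostnames and client IPs are constructed for illustration). It shows the URI rule firing on its own for a benign-looking main.php hit, which is why the query-string rule is the one that cuts false positives:

```python
import re
from typing import Dict, List, Optional

# The post's patterns as Perl-compatible regexes: "\x2e" is a literal ".",
# and the hex character class carries no stray space.
URI_RE = re.compile(r"[mM][aA][iI][nN]\x2e[pP][hH][pP]")
REQ_RE = re.compile(r"page=[a-f0-9]{16}\x2ephp")

# Constructed sample log (hypothetical hosts/IPs), one request per line in a
# Squid/Apache-like layout: client - - [time] "METHOD URL HTTP/x" status
SAMPLE_LOG = """\
10.0.0.15 - - [12/Mar/2012:10:01:02 +0000] "GET http://example.invalid/index.html HTTP/1.1" 200
10.0.0.15 - - [12/Mar/2012:10:01:05 +0000] "GET http://compromised.invalid/Main.php?page=3f9a1c2e8b7d4e60.php HTTP/1.1" 200
10.0.0.22 - - [12/Mar/2012:10:02:11 +0000] "GET http://example.invalid/main.php?id=42 HTTP/1.1" 200
10.0.0.31 - - [12/Mar/2012:10:03:40 +0000] "GET http://example.invalid/view?page=zzzz.php HTTP/1.1" 404
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)'
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a detection record for one log line, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: not a hit (count these separately in practice)
    url = m.group("url")
    path, _, query = url.partition("?")  # URI rule on the path, request rule on the query
    rules = []
    if URI_RE.search(path):
        rules.append("uri_main_php")
    if REQ_RE.search(query):
        rules.append("request_page_hex16_php")
    if not rules:
        return None
    return {"client": m.group("client"), "url": url, "rules": ",".join(rules)}


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Run both rules over every line and keep only the lines that matched."""
    return [rec for rec in (classify(l) for l in log_text.splitlines()) if rec]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

On the sample above, the request to compromised.invalid trips both rules, while the ordinary main.php?id=42 request trips only the URI rule; alerting on the pair rather than on main.php alone keeps the noise down.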