Blackhole Exploitation Kit

Sheepykins

Ah... good evening Gentlemen,

I wanted to share a particularly nasty bit of malware with you, which you may have heard about already; it's been out a while, but it's been taking the IDS and security industry by storm since 2010.

I'm talking about the Blackhole Exploit kit.

Basically it's an exploit kit developed in Russia that, at the time, was sold for profit and could be used for vulnerability testing - however it soon went off the market when people realised they could download it and use it for personal gain.
You may still be able to buy this in some countries for around 1500 USD. It wasn't cheap, and it follows other tools such as the Low Orbit Ion Cannon that were intended for good but had their good name corrupted lol.

The kit consists of a series of PHP scripts designed to run on a web server. The PHP scripts are all protected with the commercial ionCube encoder.

The general characteristics of the Blackhole exploit kit are listed below and as you can see, a lot of this could equally apply to several other kits:

Configuration options for all the usual parameters:
  o Querystring parameters
  o File paths (for payloads, exploit components)
  o Redirect URLs
  o Usernames, passwords
  o etc.
MySQL backend
Blacklisting/blocking:
  o Only hit any IP once
  o Maintain IP blacklist
  o Blacklist by referrer URL
  o Import blacklisted ranges
Auto update
Management console provides a statistical summary, breaking down successful infections:
  o by exploit
  o by OS
  o by country
  o by affiliate/partner (responsible for directing user traffic to the exploit kit)
  o by browser
Targets a variety of client vulnerabilities
AV scanning add-ons

Nasty, as you can see; the main problem is the auto-update function.
The exploit kit infects a compromised web server and then lays in a redirect for an HTTP GET request for malicious PHP code generated by the kit, which will then try to infect your computer with a trojan script OR, depending on the kit setup, will take advantage of JavaScript, PHP and Adobe vulnerabilities on that machine.

With the auto-update function, the kit can alter its PHP code according to new threats exposed monthly - needless to say, dear god in heaven.

According to surveys (if these can be believed), this sort of kit is now responsible for about 23% of malware infections on machines across the world (but who knows).

The good thing about this is, with a good set of IPS/IDS (intrusion detection) software, be that placed on a box or on a network-placed sensor, you can easily find out who's going to these machines or whether you're compromised.
The PHP code pumped out by the exploit kit is fairly specific:

URI REGEX: [mM][aA][iI][nN]\x2e[pP][hH][pP] (main.php)
Request REGEX: page=[a-f0-9]{16}\x2ephp (page= 16 hex characters ending in .php)

With this, my company has been able to find users attempting to go to compromised web servers upon seeing a script make-up like that.

That's it from me. Any web admins, please keep on top of this, and anyone thinking about security concerns on their network should invest in IDS systems, depending on its size. They can save you a lot of ballache.

Supporting documentation:
Blackhole exploit kit - Wikipedia, the free encyclopedia
http://sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf
Exploring the Blackhole exploit kit | Naked Security
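The two signatures quoted in the post are easy to turn into a small log-scanning check. The script below is an added example, not code from the post or from any IDS product: it applies the URI and request regexes (written with \x2e for the literal dot and without the stray space in the hex class) to a handful of constructed proxy log lines and reports which clients fetched a URL that looks like a Blackhole landing page. The log format (client, method, URL, status) and every address and hostname in SAMPLE_LOG are made up for the example.

```python
import re

# Detection patterns from the post. The URI pattern is the kit's default
# landing page name; the request pattern is the 16-hex-character page
# parameter the kit appends. Both are unanchored, as in the original rules.
URI_RE = re.compile(r"[mM][aA][iI][nN]\x2e[pP][hH][pP]")
REQUEST_RE = re.compile(r"page=[a-f0-9]{16}\x2ephp")

# Constructed sample proxy log (client_ip method url status); not real traffic.
SAMPLE_LOG = """\
10.1.2.3 GET http://example.invalid/index.html 200
10.1.2.4 GET http://example.invalid/main.php?page=0123456789abcdef.php 200
10.1.2.5 GET http://example.invalid/Main.PHP?page=fedcba9876543210.php 200
10.1.2.6 GET http://example.invalid/main.php?page=about.php 200
10.1.2.7 GET http://example.invalid/other.php?page=00112233445566778899aabbccddeeff.php 200
"""


def parse_line(line):
    """Split one log line into its four fields; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 4:
        return None
    client, method, url, status = fields
    return {"client": client, "method": method, "url": url, "status": status}


def classify(url):
    """Return 'high' when both signatures hit, 'low' for one, None for neither.

    Requiring both patterns for a high-confidence verdict keeps an ordinary
    site that happens to serve a main.php from raising the top alert level.
    """
    uri_hit = URI_RE.search(url) is not None
    req_hit = REQUEST_RE.search(url) is not None
    if uri_hit and req_hit:
        return "high"
    if uri_hit or req_hit:
        return "low"
    return None


def scan(log_text):
    """Return (client, verdict, url) for every line that trips at least one signature."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        verdict = classify(record["url"])
        if verdict is not None:
            alerts.append((record["client"], verdict, record["url"]))
    return alerts


def clients_by_verdict(log_text, verdict="high"):
    """Sorted, de-duplicated list of client addresses with the given verdict."""
    return sorted({client for client, v, _ in scan(log_text) if v == verdict})


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:4s} {client:10s} {url}")
```

Note that the URI pattern, being unanchored, also matches any path whose name ends in "main.php" (for example "domain.php"), so on its own it is only a weak indicator; the combined verdict is what you would page someone on, and the single-hit verdict is worth a look rather than an alarm.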
 
Sweet hell. That's a big problem if it hits you lol. I have got a mass amount of encryption on all of my web servers so passwords or user names are useless to it unless it can decode AES-Twofish-Blowfish with a hash algorithm of Whirlpool.
 
Nah, most of the web servers compromised just weren't set up very well. Neither were the computers that visited them and got infected lol.

For computers, upgrade your Java and Adobe installations regularly, as well as configuring your firewalls properly.
But then, not everyone does that.
 