Upload File

exploring the blackhole exploit kit · pdf filesophos technical paper: ... 9 2.3.4 payload ......

  • Home
  • Documents
  • Exploring the Blackhole Exploit Kit · PDF fileSophos Technical Paper: ... 9 2.3.4 Payload ... SophosLabs technical paper: Exploring the Blackhole Exploit Kit March 2012 Page 7 of
32
Sophos Technical Paper: Exploring the Blackhole Exploit Kit March 2012 Exploring the Blackhole Exploit Kit Executive Summary: Since it emerged in late 2010, the Blackhole exploit kit has grown to become one of the most notorious exploit kits ever encountered. This paper lifts the lid on the Blackhole kit, describing how it works and detailing the various components that are used to exploit victim machines infecting them with malware. The tricks used by Blackhole are uncovered and explained, with a view to explaining why the kit has become so successful. From how a user’s web traffic is controlled to how the attackers attempt to evade detection, the paper provides useful information for anyone looking to understand more about how Blackhole works. Author: Fraser Howard SophosLabs, UK [email protected]

Upload: trandiep

Post on 17-Mar-2018

221 views

Category:

Documents


3 download

Report

TRANSCRIPT

  • Sophos Technical Paper: Exploring the Blackhole Exploit Kit March 2012

    Exploring the Blackhole Exploit Kit

    Executive Summary:

    Since it emerged in late 2010, the Blackhole exploit kit has grown to become

    one of the most notorious exploit kits ever encountered. This paper lifts the lid

    on the Blackhole kit, describing how it works and detailing the various

    components that are used to exploit victim machines infecting them with

    malware.

    The tricks used by Blackhole are uncovered and explained, with a view to

    explaining why the kit has become so successful. From how a users web traffic

    is controlled to how the attackers attempt to evade detection, the paper

    provides useful information for anyone looking to understand more about how

    Blackhole works.

    Author:

    Fraser Howard

    SophosLabs, UK

    [email protected]

  • SophosLabs technical paper: Exploring the Blackhole Exploit Kit March 2012

    Page 2 of 32

    Table of Contents 1 Introduction ......................................................................................................................................... 3

    2 Blackhole Exploit Kit ............................................................................................................................. 3

    2.1 General characteristics ................................................................................................................. 3

    2.2 Exploits targeted ........................................................................................................................... 5

    2.3 Core kit components ..................................................................................................................... 6

    2.3.1 Controlling user web traffic ................................................................................................... 6

    2.3.2 Landing page .......................................................................................................................... 9

    2.3.3 Exploit components ............................................................................................................... 9

    2.3.4 Payload ................................................................................................................................. 12

    2.3.5 Traffic flow summary ........................................................................................................... 12

    3 Code Obfuscation ............................................................................................................................... 13

    3.1 JavaScript .................................................................................................................................... 14

    3.2 ActionScript ................................................................................................................................. 15

    3.3 Java .............................................................................................................................................. 15

    3.4 HTML ........................................................................................................................................... 16

    4 Tracking Blackhole ............................................................................................................................. 17

    4.1 Distribution of web threats ......................................................................................................... 17

    4.2 Sites hosting Blackhole................................................................................................................ 18

    4.3 Countries hosting Blackhole........................................................................................................ 19

    4.4 Abuse of dynamic DNS & domain registration services .............................................................. 20

    4.5 Hosting on compromised web servers ....................................................................................... 21

    5 Discussion & Conclusions ................................................................................................................... 21

    6 Appendices ......................................................................................................................................... 23

    6.1 Appendix 1: Deobufscated Blackhole landing page .................................................................... 23

    6.2 Appendix 2: PDF type 1 ............................................................................................................. 25

    6.3 Appendix 3: PDF type 2 ............................................................................................................. 27

    6.4 Appendix 4: Flash type 1 ........................................................................................................... 29

    6.5 Appendix 5: Flash type 2 ........................................................................................................... 31

    7. References ........................................................................................................................................ 32

  • SophosLabs technical paper: Exploring the Blackhole Exploit Kit March 2012

    Page 3 of 32

    1 Introduction Over the last few years the volume of malware seen in the field has grown dramatically, thanks

    mostly to the use of automation and kits to facilitate its creation and distribution. The term

    crimeware was coined specifically to describe the process of automating cybercrime. Individuals

    no longer profit just from writing and distributing their malware. Todays malware scene is highly

    organised, structured and professional in its approach. There are many roles which criminally-

    minded individuals can fulfil. Take fake anti-virus (scareware) as an example [1]; this class of

    malware is typically backed up by telephone support, professional quality GUI development and

    structured pay-per-install affiliate distribution systems [2]. Clearly this is a world away from the

    stereotypical image of a malware author from yesteryear.

    Kits are an intrinsic part of crimeware. They provide not only the tools for criminals to create and

    distribute malware, but also the systems used to manage networks of infected machines. Some of

    these kits focus on creation and management of the malware payload - Zeus is perhaps the best

    example of this [3]. Other kits focus on controlling user web traffic, for example the Search Engine

    Optimisation (SEO) kits [4]. A third class of kit are those that focus on infecting users through web

    attacks, specifically attacks known as drive-by downloads [5]. It is this latter group of kits that are

    commonly referred to as exploit kits or exploit packs (the terms are used interchangeably).

    In this paper I am going to describe an exploit kit known as Blackhole, which due to its prevalence

    over the past year has become the most notorious of all the exploit kits today.

    2 Blackhole Exploit Kit

    2.1 General characteristics There are several versions of Blackhole exploit kit, the first being v1.0.0 (released in late 2010 [6]),

    and most recent being v1.2.2 (released February 2012 [7]). The kit consists of a series of PHP scripts

    designed to run on a web server. The PHP scripts are all protected with the commercial ionCube

    encoder [8]. This is presumably to help prevent other miscreants stealing their code (there are many

    exploit kits out there which are little more than copies of others!), and to hinder analysis. The result

    of script encoding is obvious in Figure 1, which shows a snippet of a protected PHP script from a

    Blackhole exploit kit.

  • SophosLabs technical paper: Exploring the Blackhole Exploit Kit March 2012

    Page 4 of 32

    Figure 1: The effect of ionCube encoding on one of the Blackhole exploit kit PHP scripts.

    As you would expect, there is significant overlap between the functionality of the various exploit kits

    available. The general characteristics of the Blackhole exploit kit are listed below and as you can see,

    a lot of this could equally apply to several other kits:

    The kit is Russian in origin

    Configuration options for all the usual parameters:

    o Querystring parameters

    o File paths (for payloads, exploit components)

    o Redirect URLs

    o Usernames, passwords

    o etc.

    MySQL backend

    Blacklisting/blocking

    o Only hit any IP once

    o Maintain IP blacklist

    o Blacklist by referrer URL

    o Import blacklisted ranges

    Auto update

    Management console provides statistical summary, breaking down successful infections:

    o by exploit

    o by OS

    o by country

    o by affiliate/partner (responsible for directing user traffic to the exploit kit)

    o by browser

    Targets a variety of client vulnerabilities

    AV scanning add-ons (through the use of 2 scanning services, available as optional extras of

    course, this is business!)

    However, there are some features that are (or were at first release) unique to Blackhole:

  • SophosLabs technical paper: Exploring the Blackhole Exploit Kit March 2012

    Page 5 of 32

    Rental business model. Historically, exploit kits are commodities that are sold for

    individuals to then use as they desire. However, Blackhole includes a rental strategy, where

    individuals pay for the use of the hosted exploit kit fo


Supernova and blackhole

SOUNDGARDEN BLACKHOLE SUN GUITAR TAB Diamond Joe q.pdf

mathrick and blackhole mathematics

Stars & blackhole

Blackhole critical behaviour with thegeneralized BSSN ... · arXiv:1508.01614v2 [gr-qc] 18 Oct 2015 Blackhole critical behaviour with thegeneralized BSSN formulation Arman Akbarian1

KAPITEL 5 DNS-basierte Blackhole-Lists · DNS-basierte Blackhole-Lists DNS-basierte Blackhole-Lists (DNSBL) waren eine der ersten Techniken, die spezi-ell für die Bekämpfung von

2Q 2012 Security Roundup: It's Big Business and It's ... · (ATSs) and the Blackhole Exploit Kit to enhance the power of their respective ZeuS, ... electronics manufacturers, and

Coalition's $10b blackhole

Blackhole Notes

37 47 BlackHole

Blackhole Attack

2011 Blackhole

Solution of Blackhole Attack Good Ppt

Browser Exploit Packs - SecNiche Security Labs...Browser Malware Taxonomy Class A Class B Class C 8 Browser Exploit Packs – Viola ! 9 Experiments Conducted Target – BlackHole BEP

Security gets Personal - SS · Image:NASA . Blackhole v2 . Blackhole deliveries August – September 2012 . ... IDC BYOD Survey Australia 2012 . Reality . unaware that smartphones

Half Century of BlackHole Theory: From Physicists

VERIFICA DI SICUREZZA DEL 2°T 2012 Sono grossi affari e la ... · e Blackhole Exploit Kit per incrementare la potenza dei rispettivi ZeuS, SpyEye e altri botnet. Come previsto

The blackhole origins

The Invisible Web Unmasked - Trend Micro · the use of the Deep Web to hide illegal site networks. Lastly, the alleged Blackhole Exploit Kit author known as “Paunch” made headlines

Something About Optical Blackhole

Pirating Cyber Style. What is Ransomware? History CryptoLocker BlackHole Exploit Kit

E4G Mobile Blackhole

Blackhole Energy

Security Response in the Age of Mass Customized Attacksconference.hackinthebox.org/hitbsecconf2013ams/materials/D1T1 - … · Exploit kits BlackHole, Phoenix, Mpack, Crimepack, Eleonore

CONFERENCE: BlackHole: Robust Community Detection Inspired ...dm.kaist.ac.kr/jaegil/papers/icde16_blackhole.pdf · BlackHole. The source code is available at . com/jaegil/BlackHole

Detecting Blackhole and Volcano Patterns in Directed Networks

Bedienungsanleitung Blackhole LONELY · Blackhole Amplification Matthias Günthart CH-5000 Aarau // [email protected] Sicherheitshinweise - Röhrenverstärker erzeugen viel Wärme

BlackHole Exploit Kit Spam Runs in 2012 Presented at Ruxcon · 2019. 6. 8. · Stopping Detection (Web Reputation) Classification 10/22/2012 22 And TOR will not help either… From

Apakah Blackhole Itu

Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual

Analysis of Effects of BGP Blackhole Routing

TO GET SCHWARZSCHILD BLACKHOLE SOLUTION USING …people.du.ac.in/~pmehta/FinalSem/Deobratfinal.pdf · 1 to get schwarzschild blackhole solution using mathematica project report for

VRA-AODV: Routing Protocol Detects Blackhole and Grayhole

DOSfuscation: Exploring the Depths of Cmd ... - exploit … Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques white paper

TO GET SCHWARZSCHILD BLACKHOLE SOLUTION USING MATHEMATICApeople.du.ac.in/~pmehta/FinalSem/Deobratfinaltalk.pdf · TO GET SCHWARZSCHILD BLACKHOLE SOLUTION USING MATHEMATICA FOR COMPULSORY