The BlackHole Theory

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:


End-to-end Analysis of the BlackHole Exploit Kit


•    When a victim visits a clean site that has been injected with a malicious iframe, the iframe redirects the user to the BlackHole exploit kit server. The figure below shows the obfuscated iframe script:

Here is a decoded version of the script:

•    BlackHole uses the below technique to obfuscate the exploits. The page contains a large array inside the <textarea>. When decoded, the array results in various exploits for popular vulnerabilities such as PDF, JAVA, HCP, MDAC, etc.

The below image shows the code that decodes the array. The variable “ivtl” contains the string “url(data:,va….” after the “.match()” method. The String “wjw = g["e"+ivtl.substr(0,2)+"l"];” results in “eval” as “ivtl.substr(0,2)” evaluates to “va”. String “s”, which contains the decoded script, is passed to “wjw” to be executed.

•    The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script, and then decodes it into a URL:  

The below images show the code inside the jar file:


The decoded string has the pattern “d.php?f=[0-9]{1,2}&e=[0-9]{1,2}”. This URL is then used to perform other malicious downloads.

•    The URL downloads Trojan.Carberp, which is a highly sophisticated Trojan that is being compared to ZeuS because of its ingenious techniques for avoiding detection.

•    The Trojan posts a unique ID to the command-and-control (C&C) server that will be used every time a transaction takes place between the Trojan and the C&C server. The URL has the pattern “/set/task.html

•    Next, the Trojan will post all of the running processes on the victim’s computer to the C&C server. The URL has the pattern “set/first.html” and the data posted has the pattern “id=(Unique number posted on /set/task.html)&os=(Name-version of OS)&plist=(List of all running processes)”

•    The Trojan then downloads three modules:

1) stopav.plug – This module disables the antivirus installed on the victim’s computer.
2) miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its  competitor(s).
3) passw.plug – It will hook the export table of a number of WININET.dll and USER32.dll functions and will log every username/password combination that is typed, as well as any URLs visited.

•    The C&C server sends the “multidownload” command to the Trojan:

•    The first file downloaded (1.exe) is Trojan Hiloti (a.k.a. Trojan.Zefarch), which makes requests to a free file-hosting site. One of the patterns of the domain is “[a-z0-9]{12]”. The request page has the pattern “/get2.php?c=[A-Z]{8}&d=<long Hex String>”. The server always replies with “File Not Found” upon retrieval of the requested file.

•    The second file downloaded (2.exe) is FakeAV:   

The good news is that Symantec customers are protected from this attack. Symantec IPS and AV engines have generic detections for BlackHole's traffic, exploits, Trojans, and the rogue application FakeAV. Today, the crimeware industry maintains a fully fledged business model and the BlackHole exploit kit is a very good example of the business model's sophistication and distribution. Exploit kits pose a great challenge to security vendors, considering the ever-increasing list of modern exploits and ever-changing obfuscation techniques. Thus, we at Symantec urge the readers to install all security patches and definitions regularly. For more information, please see our recent Attack Toolkits and Malicious Websites report.

Note: My thanks to the co-author of this blog, Parveen Vashishtha.