How to Ensure Vulnerabilities Are Not a Gateway to Blackhole Exploits

Co-Author: Peter Coogan

Earlier in 2012, a patch was issued to correct a potential vulnerability in Parallels Plesk Panel version 10.3 or earlier, helping secure unauthorized access to the website control panel. While it is believed that this potential vulnerability is now patched, administrators who have applied this fix may have already been the victim of a compromise and had their login credentials stolen. Best security practice would be for administrators using Parallels Plesk Panel 10.3 or earlier to ensure they have up-to-date patches and change any login credentials that may have been exposed as a result of this vulnerability. They can learn more by reading Securing Parallels Plesk Panel: Best Practices to Prevent Threats.

Reports stated that, following a compromise, heavily obfuscated JavaScript is injected into HTML pages on the server. Once evaluated, the deobsfucated code generates a unique iframe using the code snippets shown in the image below each time the compromised Web page is visited. This injected code is similar to code we have talked about before in a blog post about the Blackhole Exploit Kit. Symantec customers visiting these compromised Web pages containing the injected code are protected by several IPS signatures, including Web Attack: Blackhole Toolkit Website 10.


As seen in the image for generating the iframes, there is a string of ‘runforestrun’ that remains constant in all the generated iframes.

Example generated iframe domains:

Symantec’s telemetry for July 2012 alone demonstrates we have protected customers against over 68,000 unique URLs containing this string which were leading to the Blackhole Exploit Kit. The following world heatmap indicates that the U.S. has seen the most detections:


Our telemetry in total for 2012 has also identified over 17100 unique IPs for the referral URLs leading to the generated iframes detected by Symantec. While we cannot definitively say how all the servers related to these IP addresses were compromised to serve up the generated ‘runforestrun’ iframes, it does show the relative size and success of this campaign. The following world heatmap shown below indicates once again that the U.S has hosted the majority of the referral URL IPs:


The injected iframes at one time followed link to a number of sites that contained redirects and forwards in order to deliver the final payload of Downloader.Parshell (a small executable that contains a hardcoded URL to effectively download additional malware onto the unsuspecting user’s computer). Among the additional malware downloaded are Trojan.FakeAV and Trojan.Maljava. Protection against a new variant of this Downloader is also available as Downloader.Parshell!gen1.

Symantec customers who use our Network-Based Protection Technology are proactively protected from the Blackhole Exploit Kit. If you are concerned that you may have been compromised after visiting a website, you can download Symantec’s free Power Eraser tool to aid in the removal of any infections.