The BlackHole Theory

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:


End-to-end Analysis of the BlackHole Exploit Kit


•    When a victim visits a clean site that has been injected with a malicious iframe, the iframe redirects the user to the BlackHole exploit kit server. The figure below shows the obfuscated iframe script:

Here is a decoded version of the script:

•    BlackHole obfuscates its exploits using the following technique. The page contains a large array inside a <textarea>. When decoded, the array yields exploits for vulnerabilities in popular targets such as PDF, Java, HCP, MDAC, etc.

The image below shows the code that decodes the array. After the “.match()” method is called, the variable “ivtl” contains the string “url(data:,va….”. The statement “wjw = g["e"+ivtl.substr(0,2)+"l"];” resolves to “eval”, because “ivtl.substr(0,2)” evaluates to “va”. The string “s”, which contains the decoded script, is then passed to “wjw” to be executed.

•    The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script, and then decodes it into a URL:  

The images below show the code inside the jar file:


The decoded string has the pattern “d.php?f=[0-9]{1,2}&e=[0-9]{1,2}”. This URL is then used to perform other malicious downloads.

•    The URL downloads Trojan.Carberp, which is a highly sophisticated Trojan that is being compared to ZeuS because of its ingenious techniques for avoiding detection.

•    The Trojan posts a unique ID to the command-and-control (C&C) server that will be used every time a transaction takes place between the Trojan and the C&C server. The URL has the pattern “/set/task.html”.

•    Next, the Trojan will post all of the running processes on the victim’s computer to the C&C server. The URL has the pattern “set/first.html” and the data posted has the pattern “id=(Unique number posted on /set/task.html)&os=(Name-version of OS)&plist=(List of all running processes)”.

•    The Trojan then downloads three modules:

1) stopav.plug – This module disables the antivirus installed on the victim’s computer.
2) miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its competitor(s).
3) passw.plug – It will hook the export table of a number of WININET.dll and USER32.dll functions and will log every username/password combination that is typed, as well as any URLs visited.

•    The C&C server sends the “multidownload” command to the Trojan:

•    The first file downloaded (1.exe) is Trojan Hiloti (a.k.a. Trojan.Zefarch), which makes requests to a free file-hosting site. One of the patterns of the domain is “[a-z0-9]{12}”. The request page has the pattern “/get2.php?c=[A-Z]{8}&d=<long Hex String>”. The server always replies with “File Not Found” upon retrieval of the requested file.

•    The second file downloaded (2.exe) is FakeAV:   

The good news is that Symantec customers are protected from this attack. Symantec IPS and AV engines have generic detections for BlackHole's traffic, exploits, Trojans, and the rogue application FakeAV. Today, the crimeware industry maintains a fully fledged business model and the BlackHole exploit kit is a very good example of the business model's sophistication and distribution. Exploit kits pose a great challenge to security vendors, considering the ever-increasing list of modern exploits and ever-changing obfuscation techniques. Thus, we at Symantec urge the readers to install all security patches and definitions regularly. For more information, please see our recent Attack Toolkits and Malicious Websites report.
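The URL and POST-body patterns quoted in the analysis above can be used to triage web proxy logs for hosts that walked through several stages of this chain. The following is an added example, not Symantec's detection logic; the tab-separated log layout, the stage labels, the sample lines and the 16-character minimum for the "long hex string" are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

HEX_MIN = 16  # assumption: the write-up only says "long hex string"
RULES = [  # (stage label, required HTTP method or None, regex on path + query)
    ("blackhole_d_php", None, re.compile(r"/d\.php\?f=[0-9]{1,2}&e=[0-9]{1,2}$")),
    ("carberp_task", "POST", re.compile(r"/set/task\.html$")),
    ("carberp_first", "POST", re.compile(r"/set/first\.html$")),
    ("hiloti_get2", None,
     re.compile(r"/get2\.php\?c=[A-Z]{8}&d=[0-9A-Fa-f]{%d,}$" % HEX_MIN)),
]
FIRST_BODY = re.compile(r"^id=[^&]+&os=[^&]+&plist=")  # POST body shape for first.html

def classify(method, url, body=""):
    """Return the stage label a request matches, or None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for stage, want_method, rx in RULES:
        if (want_method and method != want_method) or not rx.search(target):
            continue
        if stage == "carberp_first" and not FIRST_BODY.search(body):
            continue  # right path, wrong body: likely an unrelated site
        return stage
    return None

def triage(log_lines):
    """Map each client to the ordered list of stages it matched."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue  # malformed line: skip instead of crashing
        client, method, url = fields[1:4]
        body = fields[4] if len(fields) > 4 else ""
        stage = classify(method.upper(), url, body)
        if stage:
            hits[client].append(stage)
    return dict(hits)

# Constructed sample proxy log, tab-separated: time, client, method, URL, POST body.
SAMPLE = [
    "t1\t10.0.0.5\tGET\thttp://kit.example.test/d.php?f=16&e=3\t",
    "t2\t10.0.0.5\tPOST\thttp://cc.example.test/set/task.html\tid=CONSTRUCTED0001",
    "t3\t10.0.0.5\tPOST\thttp://cc.example.test/set/first.html\tid=CONSTRUCTED0001&os=WinXP-5.1&plist=explorer.exe,svchost.exe",
    "t4\t10.0.0.5\tGET\thttp://abcdef012345.example.test/get2.php?c=ABCDEFGH&d=00112233445566778899aabb\t",
    "t5\t10.0.0.9\tGET\thttp://shop.example.test/d.php?f=123&e=1\t",
    "t6\t10.0.0.9\tPOST\thttp://shop.example.test/set/first.html\tname=alice",
]
```

A client that matches several stages in sequence, as 10.0.0.5 does in the sample, is a much stronger signal than a single hit on a short pattern such as “d.php”.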

Note: My thanks to the co-author of this blog, Parveen Vashishtha.

Hidden Bandit Inside Neosploit

Over the last few years, Symantec has observed a substantial rise in the use of exploit kits. There are several kits that have come and gone, but a few of them have survived the competition—Neosploit being among them. This blog will discuss the Neosploit toolkit's specific functionality of employing JAR files to deliver malicious files.

Neosploit was first seen by Symantec in March 2007. Since then, the kit has evolved to be one of the "finest" exploit kits to date. Malicious users have never stopped using this kit, despite the fact that there is news that this infamous toolkit’s development has been shut down.

Neosploit exploits various client-side browser vulnerabilities. By and large, Neosploit's malicious users will plant obfuscated JavaScript on legitimate sites. When an innocent user visits a compromised website, he or she is unknowingly infected.

Neosploit uses a variety of techniques for obfuscation. Among these techniques, the most prevalent one (which is still found today) is the “Twitter trends” URL-generation trick. During runtime, the obfuscated script de-obfuscates itself and obtains Twitter trends results. It subsequently uses the data to build a dynamic URL that is used to reach the Neosploit server. The script first uses the data from Twitter to form a variable ‘shiftIndex’. It later uses the same variable to build the URL. In Figure 1.1, below, we can see how the script uses Twitter trends to form the ‘shiftIndex’ variable:


Fig 1.1: De-obfuscated script that makes use of Twitter trends

When the ‘shiftIndex’ variable evaluates to greater than “0”, the script enters a loop that builds the URL using a set of predefined arrays and certain mathematical calculations. The final URL for the Neosploit server is in the variable “r”, as shown in Figure 1.2.

Fig 1.2: De-obfuscated script that builds the URL

The browser then reaches out to the Neosploit server that serves the exploits. Exploits are primarily in the form of PDF or JAR files. The subsequent trick is in the JAR file, which hides the source from which it downloads the malware. The malicious URL is hidden under the ‘Specification-Vendor’ attribute of the MANIFEST file of the JAR archive. Figure 1.3 shows the ‘Specification-Vendor’ attribute’s data.

Fig 1.3: MANIFEST file

When the JAR file is executed, it fetches the ‘Specification-Vendor’ attribute from the MANIFEST file using the ‘getResources’ and ‘getValue’ functions. A legitimate ‘Specification-Vendor’ attribute is a string that identifies the organization that maintains the extension specification. In this case, Neosploit evidently abuses this attribute. Figure 1.4 shows the Java code that fetches the ‘Specification-Vendor’ attribute’s value from the MANIFEST file.

Fig 1.4: Code fetching data from MANIFEST file
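Because a legitimate ‘Specification-Vendor’ value is an organization name, a JAR whose value is a URL or a long unbroken encoded string is worth a closer look. The following is an added example, not code from the original post: it parses the manifest's main section (including the 72-byte line wrapping used in JAR manifests) and flags such values. The heuristics, function names and sample JARs are assumptions, and since the post does not state the encoding Neosploit uses, the example only flags the value and does not decode it.

```python
import io
import re
import zipfile

# Heuristic (assumption): a real vendor name is short or contains spaces.
ENCODED = re.compile(r"^[A-Za-z0-9+/=%_.\-]{24,}$")

def parse_main_attributes(manifest_text):
    """Parse a manifest's main section, joining wrapped continuation lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation: drop the single leading space
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()  # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def vendor_findings(jar_bytes):
    """List reasons Specification-Vendor does not look like an organization name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return []  # no manifest to inspect
    vendor = parse_main_attributes(text).get("specification-vendor")
    reasons = []
    if vendor and "://" in vendor:
        reasons.append("contains a URL")
    if vendor and ENCODED.match(vendor):
        reasons.append("long unbroken encoded-looking string")
    return reasons

def make_jar(vendor):
    """Build a constructed in-memory JAR, wrapping the manifest at 72 bytes."""
    line = "Specification-Vendor: " + vendor
    wrapped = line[:72] + "".join(
        "\r\n " + line[i:i + 71] for i in range(72, len(line), 71))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n" + wrapped + "\r\n\r\n")
    return buf.getvalue()

BENIGN = make_jar("Example Software Foundation")  # constructed
SUSPECT = make_jar("4a" * 60)  # constructed stand-in for an encoded value
```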

When decoded, the extracted string from the MANIFEST file gives the URL, which is downloaded to a file under the ‘%temp%’ directory. Figure 1.5 shows the decoded URL:

Fig 1.5: Decoded URL

The file that is downloaded into the ‘%temp%’ directory is identified as “msitcm.cpl”. Figure 1.6 shows the Java code that saves the file into the ‘%temp%’ directory:

Fig 1.6: Java code

Java later registers the ‘.CPL’ with ‘regsvr32.exe’. Figure 1.7 shows the Java code that registers the downloaded ‘.CPL’ file through regsvr32.exe:

Fig 1.7: Java executing msitcm.cpl

msitcm.cpl downloads other malicious files onto the machine, which generally results in the installation of a fake antivirus application.

Fig 1.8: Fake antivirus application

The good news is that Symantec customers are protected from this attack. Both Symantec IPS and AV engines have generic detections for the requests that are sent and the files that are downloaded.

For more information, see our recent Attack Toolkits report.