The exploit kit sends heavily obfuscated JavaScript together with Java applet code that downloads a malicious JAR file to the system. Here is what the code looks like:
The above JavaScript code has been formatted for better viewing. It is heavily obfuscated to evade antivirus detection. Decoding the content shows that the kit is targeting a recent vulnerability in Java. The VirusTotal result for the above “.jar” file is very poor, with only 2 antivirus engines triggering on it. Here is the decoded part of the script:
The decoded JavaScript above targets CVE-2009-1671. It downloads a malicious binary called “info.exe” from the server and executes it on the system. The VirusTotal result for this file remains poor at only 47%. There is also another iframe attack in the decoded JavaScript code.
The above code appends a malicious iframe to the body of the webpage; the iframe points to another malicious URL. That URL in turn serves yet another malicious URL inside an ASX file. This is done deliberately to avoid a user prompt. Here is the source:
This URL then sends more obfuscated JavaScript code, exactly like the second image in this post. Once decoded, it reveals JavaScript that targets CVE-2010-1885. Here is the decoded script:
We have seen many similar web exploit kits in the past, and attackers keep coming up with new ones like Blackhole, with more features and more reliable and undetectable exploits. We are also seeing a large number of malicious domains hosting the Blackhole exploit kit. The detection ratio for the malicious binaries contained in the kits is generally very poor. Even though the price of this exploit kit is high, it remains a sought-after commodity.
Umesh
114 comments:
I was using Chrome, viewing a popular UK website about celebrity news, and the Blackhole kit exploit was blocked by AVG. What damage could be done by this threat, and why is it on a popular website or in Chrome?
It's good that the threat was blocked by your antivirus. The damage can include compromising your system, stealing your confidential data, etc. If you remember the website address, please email it to me at uwanve@zscaler.com for further analysis.
I got a pop-up while using Chrome also, but this was when I was trying to access my emails on Hotmail; the webpage didn't even connect, the pop-up appeared and said the page couldn't be found.
Hi, same Anonymous as before. I just got the AVG Blackhole exploit kit warning from using Hotmail, so I am worried that I may well be infected from my own PC, not an outside website. Do you think Chrome could be the issue? Internet Explorer can be slow, but if it's safer... I'd pick the tortoise over the hare every time.
Different person. I use IE and just received an "AVG Blocked" message while using Hotmail. Never seen this before, and I was receiving a text-to-email from someone's cellphone.
This morning I got a pop-up from AVG saying it blocked the BlackHole Exploit kit. It happened right after I logged into Hotmail as well. I ran AVG and got no other signs of infection; I also ran Malwarebytes and it came up negative.
@ all Anonymous
If AVG triggered and blocked it, then you are safe. But I am curious to know why all of you are getting the pop-up during Hotmail. In that case, please email the URL, text or any other page details of the website where AVG triggered to uwanve@zscaler.com
Also got a pop-up from AVG when on Hotmail this morning, but it came up only after opening a message from one of those companies that offers coupons for a deal of the day.
I've had a message that AVG has blocked Exploit Blackhole Exploit Kit (1883) whilst on Hotmail this Sunday and last Sunday. To be honest, I am a bit concerned, as my Hotmail account was recently hacked and proceeded to spam all my friends and then delete my contacts list.
I got it while playing "snowball fight" on Facebook... never seen it before today... AVG 2011 blocked it.
My first post here: It's happened twice on my computer. The first time was two days ago and then again today. Both times I was in Hotmail (seems to be a theme).
AVG blocked it and locked up my browser (IE). Full scans found nothing. The first time, I clicked on "further info about this threat" in the AVG warning and tried searching their library with the suggestions in the warning, but found nothing. Next time I'll save the long URL they suggest in their warning and post it here. BTW, my original warnings called it "Type 1384" but later it seemed to be labeled "Typw 1889"... I think...
@ All.
Thanks for passing on the emails. Most of you have been protected by AVG, and the mentioned URLs are hosting Blackhole exploits.
I am new to this stuff, so can you please help me and tell me what tool/technique you used to deobfuscate this JavaScript?
@ Anonymous
I mostly use Malzilla, a good tool to decode the JavaScript. Sometimes I do manual analysis as well. We do have some internal frameworks for de-obfuscating the contents. Use Malzilla for better understanding.
from a new "anonymous":
I keep having this Blackhole Exploit warning coming up from AVG (blocked by AVG) on this URL:
http://hubpages.com/forum/topic/13065?page=2
The AVG warning also contains the following info:
"URL: mld.co.cc/index.php?tp=7903472c292fded4
Name: Blackhole Exploit Kit (type 1889)"
I just got the same blocked threat from AVG while on the homepage of facebook.
Can it be found by McAffee?
Original Anonymous back,
I uninstalled Chrome after my last post and NO Blackhole exploit warnings from AVG since. I tried IE9 yesterday WHICH SUCKS, so have moved to Mozilla Firefox and like it. I think AVG and Chrome came into conflict somehow, but I believe this is a Chrome communication error that AVG thinks is malicious... Just an unfounded suggestion.
@ Anonymous
I am not sure about McAfee.
@ Original Anonymous
It may not be an issue with Chrome and AVG; rather, you must have come across an infected site and AVG triggered on it. Firefox and Chrome can sometimes warn you about malicious sites while browsing.
I got the same message whilst visiting a cricket stream at crictime.com
From another anonymous
Here's another link that AVG will block with the warning of a Blackhole Exploit Kit.
http://sephoracoupons.co.cc/c308
129.121.32.26/home/index.php
It was while I went to a website called joecanuck and entered their forums.
AVG blocked it, and it was called Exploit Blackhole Exploit Kit (type 1889).
Only site I have seen it on from my usual web browsing.
My AVG 2011 just blocked "Exploit Blackhole Exploit Kit" (plus a type number that I forget) at this site:
www.worldfest.org
This is the website for the upcoming Houston International Film Festival, which should get lots of visits.
Steve Kennedy
Deer Park, TX
Hi, I use IE7, Gmail, and AVG (for your FYI and stats).
Clicked link within email going to WebMD
URL visited: http://forums.webmd.com/3/neurology-general-neurology-questions-and-support/forum/89?@guest@
Exploit error occurred right after an ad loaded for "Culturelle" on left side-bar.
I had to close top warning box in order to maximize the page; I didn't copy the first warning which sat atop the 2nd warning.
2nd warning was---
AVG Surf-Shield message directed to "follow one of the suggestions below to continue:
URL: roge2.cx.cc/index.php?tp=120d964da3a16988
Name: Blackhole Exploit Kit (type 1384)
Have bmp screenshot if you want it.
Tried mailing customer service for WebMD - mail returned.
I think you guys shouldn't get on Hotmail; it seems like nothing but trouble. Get on Yahoo instead.
@ Steve Kennedy
Thanks for passing the link. Worldfest was infected with malicious content. I posted a blog about it. Worldfest removed the bad code after the blog.
@ Anonymous
The site looks exactly like a Blackhole exploit site: roge2.cx.cc/index.php?tp=120d964da3a16988
AVG blocked it for you.
Hi,
Just call me AnonymousD.
I just got the same AVG threat blocked message from a site our company previously designed, the file infected was global.js. The code I pulled out of the js was:
[couldn't post, too long]
Well, it probably won't let me post it all, but hopefully the mod can see it.
It was infected at 8:20am on Apr 8th, 2011.
TY and GL
-D
Send me an email Umesh, and I can send you the entire js file, if you're interested.
-D
Hi..
I wasn't using Chrome, I was using Firefox..
And it was on a famous website: deviantART (dA). So I don't understand... But yesterday, while I was doing research on Google, I clicked on lots of unknown websites... And that research was the last thing I did before I turned off the computer. And today, 10 minutes after having my computer on, this threat appeared. I don't know if it's related somehow. I don't understand anything about viruses.
The specific URL was: http://www.deviantart.com/#/d3dmt2v
Using Firefox and doing a Google search, then clicking on the websites in my search, I've come across 4 Blackhole alerts :/
Managed to get the URL of one of them:
http://coralreff.cz.cc/QQkFBwQEDAUHDQMHEkcJBQcEBgIGBQAEBA==
Is there any way to fix this or use an antivirus so it doesn't happen again?
Thanks
-A
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Risk Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
4/13/2011 6:59 AM,High,An intrusion attempt by 0s1.cz.cc was blocked.,Blocked,No Action Required,Web Attack: Blackhole Toolkit Website,"0s1.cz.cc
This was blocked by Norton after looking at an article on Yahoo.
Hey,
Was using Hotmail once and got the message; the other time was when looking up images (I'm a gfx artist) and doing work on forums for people. AVG blocked the Blackhole hit while on this image on ImageShack, I believe. I looked and it said it was located in my Program Files (Internet Explorer).
I'm currently using IE9, so this isn't a good sign.
I got the Exploit Blackhole Exploit Kit pop-up while on Facebook and use Firefox 4.0.
I got the Exploit Blackhole Exploit Kit pop-up from AVG while on Facebook and using Firefox 4.0.
Why do all these comments only have detection by AVG?
@ Movie Torrents
Most of them are using the free AVG version, and it is able to block a large number of Blackhole exploits.
@ susieq
Please be sure which pages were open when the AVG pop-up appeared, and email me any URLs you found suspicious. You will find my email in the comments.
Getting blackhole exploit kit attack (2008) from:
mongth.com/main.php?a=3b627d63efed55ba
URL: aaarrr22.cz.cc/index.php?tp=592e406c7cea87e8
Name: Blackhole Exploit Kit (type 2008)
I am using IE 8 and got the warning Blackhole Exploit Kit at MSN/Fox Sports. Apparently AVG blocked it.
Steve
Since yesterday, that is April 24th, I'm getting LOTS of Blackhole kit exploits, type 2005, 2008 etc. I am getting such threats while reading Yahoo news and searching with Google; I see incomplete webpages without proper page layout, just some scattered text. I'm using IE9 and Firefox 4. Although AVG is able to protect me, since yesterday, April 24th or 23rd, I have seen an unusual number of attacks. It feels odd why all of a sudden I'm getting such virus threats. Sometimes I need to reload a webpage several times to see it, and sometimes it keeps showing "Connecting........". Why don't the webpages load at once? Why do they take several reloads before loading properly? Why does it keep saying Connecting, Connecting and then "The connection has timed out"?? I got this error several times.
Yes, I'm getting a lot of threats whether I use Firefox 4 or IE9. Especially Google search is showing lots of Blackhole exploits, like this one.
http://www.google.com.pk/search?q=chinese+chana+pickup&hl=en&client=firefox-a&hs=OYL&rls=org.mozilla:en-US:official&prmd=ivns&source=lnms&tbm=isch&ei=eWW1TZrnOofKrAeN7tjIDQ&sa=X&oi=mode_link&ct=mode&cd=2&ved=0CA4Q_AUoAQ&biw=1100&bih=625
@ Latest Anonymous
Can you remember the exact URLs visited? Can you take some screenshots of the webpage and the AVG pop-up? If possible, please collect all possible data and email it to me for further analysis. I can be reached at uwanve@zscaler.com
@ steve K
Can you email me the exact URL and possibly a screenshot?
xen said...
Hey, using FF 4.0 and got "Blackhole kit Exploit (type 2005)" at www.darklyrics.com.
I use this site all the time and I have not gotten any warnings from AVG there (I'm using AVG).
I haven't gotten it anywhere else, just here so far.
Hi, I had AVG popping up every 10 or so seconds just now saying this:
Threat blocked from: citymartonline - Threat type: Exploit Blackhole Exploit Kit.
I've never been on that site and I didn't find much when I googled it either. Help pls? :)
Today http://steakfacegames.com/ appears to be afflicted with some code that wants to download a file and open a PDF document. Another visitor said that their AVG had called it a Blackhole exploit. The main page has also been reported, but that warning doesn't seem to work when a game is linked directly, though that's when I encountered the problems.
Norton popped up with a warning that it had detected an intrusion attempt from headoo.cz.cc193.105.154.235,80 and blocked it.
Norton just detected an intrusion attempt on my PC 15 minutes ago.
I use Mozilla and Norton's report says:
Web Attack: Blackhole Toolkit Website.
Attacking Computer
buop5.cz.cc (194.247.183.130.80).
Attacker URL
buop5.cz.cc/forum.php?tp=76d7830c46e88231.
I am using Firefox 4.0.1. Twice now AVG has blocked access on msnbc's home page. The first time a couple of weeks ago, and just now, May 4, 8:20pm cst.
I got blocked by Norton from the Malicious Toolkit 9. The address both times, in a matter of minutes, was 193.105.154.236. I hope that because I was blocked my computer is OK. This also happened to me this morning.
I also wanted to say that two earlier attempts were made from the same address - 193.105.154.236 -- earlier this morning. I wanted to check the address to make sure it was the same before posting. In both cases with these blocked attempts of the "malicious toolkit website 9" virus, they happened 4 minutes apart. It makes me nervous that there is some vulnerability in my computer - something left open in my firewall - although thankfully my antivirus software caught it. I am doing a full scan now but so far, it has found nothing but the usual cookies.
I use Firefox and AVG Free. Got blocked on site http://www.helwigcarbon.com/, the Spanish version.
URL: peru-pcb.com/jquery.js
Name: Blackhole Exploit Kit (tpe 2014)
Hi, I am getting continuous Blackhole exploit kits, which were blocked by AVG, for different websites. AVG says the URL is www.google-analytics.com/ga.js
Can you tell me why this is happening, as it is very frequent?
As others have mentioned, I just got it on Chrome while on my Hotmail. AVG picked it up and blocked it.
Here I am again - this time received a block by Norton from address 79.170.40.36 -- Malicious Toolkit Iframe Injection. I was on jewelrymaking.allinfoabout. Don't know why I seem to keep getting attacked on all these different sites, although thankfully my AV software has picked it up to date. (BTW I use IE7 and was using the Google browser). Could there nonetheless be something hidden on my hard drive that a scan hasn't picked up? Can anyone answer this question?
I've had this twice in two days: one is a site I know (belongs to a friend of mine) and the other was following a Google image search for a wardrobe! AVG 2011 blocked it both times.
Any recommended tools/cleanup procedures for sites that have had the iframe injected? Using server-side tools like ClamAV and rkhunter we haven't been able to find anything (after a few users reported Blackhole alerts).
What attack vector is this exploit using on servers?
@ adin
Generally, don't rely on antivirus. You will have to check the source pages manually for possible bad code. Attackers can inject malicious code by taking advantage of known/unknown vulnerabilities, or they can modify pages by stealing FTP passwords.
Hey, I got the same message on my AVG 2011 and it blocked around 4-5 Blackhole Exploit Kit (type 2022). But unfortunately yesterday I lost my Gmail, Hotmail and AlertPay accounts. But thanks to the recovery option available there, I recovered everything in 10 minutes. But the hacker did put his email in the email forwarding option. So this threat/virus is very dangerous in stealing your information.
Did anyone else notice why only AVG members are getting this? I scanned my PC with AVG, no virus found. I uninstalled it completely and installed Avira, and it caught 48 viruses on my PC. I think among paid products Kaspersky Internet Security is a better option over AVG Internet Security. And among the freebies, I think Avira did the best job.
In response to the last post and the question - "why do only AVG members get this" - I'm not very tech savvy, but if I'm understanding your question correctly, then let me answer that to say they don't. I use Norton AV software and have also gotten a number of blocked attempts. (See my several posts above.) I'm wondering if it has to do with the browser I'm using and thus, wondering what browser others are using. I'm using the older IE7 and recently got an email from PayPal that I should update because there have been a lot of security issues with the browser I'm using. However, when I updated to IE9, I hated it so much I immediately uninstalled it and am now trying to decide what to do next - maybe Mozilla Firefox? Anyway, it's not just AVG users who are getting these messages and attempted attacks.
I just sent you an email with the URL where I got the AVG "Threat blocked" message for Blackhole. That URL, if anyone else is interested, is http://freewowguide.org/wow-death-knight-guide-talents-specs-and-rotations-for-patch-4-0-1/ and just yesterday I visited and got no AVG block.
I use Chrome v12.0.742.100, run on Win7 64bit, and only yesterday applied all of the several latest Windows Updates as well as the latest Adobe Reader (not sure of version) and Java updates (v26 if memory serves).
Thank you for your informative posts & helpful attitude here :)
Shiny,
As with loads of others, I rarely use my internet, but when I get the Blackhole toolkit blocked by Norton... you guessed it, HOTMAIL. The message I receive is:
Blackhole Toolkit Website.
hercules.co.be (193.105.154.239, 80)
hercules.co.be/index.php?tp=39f5373c9a2e07df
source address 193.105.154.239
This is the source address, not the destination address, so it's not something on my PC, as my destination address is not the source address.
Note reads, network traffic FROM hercules.co.be matches the signature of a known attack. The attack was a result from \device\harddiskvolume1\program files\internet explorer\iexplore.exe
I use very little on the internet, as I keep getting this, but only on Hotmail.
Here is a reputable French website which AVG is also blocking due to Blackhole kit detection (2014): http://www.mc-conseil.fr/
Should I try to let them know their site is compromised?
Here is a reputable French website which is also being blocked by AVG due to BlackHole Exploit Kit (2014) detection.
http://www.mc-conseil.fr/
Should I try to let them know their site is compromised?
@ Rob Marshall
It is also blocked by Google Safe Browsing. Yes, you can email them about the infection.
I was attacked (but AVG saved me) by a misspelling of the site memegenerator.net:
The exploit site was memegenrator.net.
AVG just blocked a Blackhole exploit Kit at the URL:
www.slavemissi.com
My site about cheap web hosting which can be found at http://best-inexpensive-web-hosting.com was also attacked by this blackhole. My web host is currently restoring the backup of one week ago. Hope it helps!
I get an AVG block at flying-web.net
Hey, need some advice. Got hit with a trojan virus called Exploit Blackhole Exploit Kit. I tried following step-by-step removals online but ended up not even being able to start Windows. I formatted the drive, but it's still not gone. I downloaded AVG and Malwarebytes, which seem to be stopping any actions the virus is trying to take. Malwarebytes identified it and said it removed it successfully. Windows wouldn't start again upon reboot, but started after shutting down one more time. Upon startup, all my antivirus software was gone and I had to reinstall. Now none of the programs are identifying that there even is a trojan, but Malwarebytes is still continuously blocking malicious sites that are trying to open.
I am too inexperienced to really know what I'm doing if I try to remove it manually. Any recommendations on how to remedy this?
When you google "Charice shuts down Oprah with powerful performances" and visit the URL of the first website at the top of the search results, an AVG window pops up.
I was on Firefox 7.0.1 with AVG Free (version 2012.0.1831), which blocked the Blackhole Exploit Kit (type 1889)
with File name: edthosting.ce.ms/main.php?page=64a30cd969b37792
Clicking on the "More Info" link provided by AVG comes up with nothing more about this threat.
Hello, can you help me please? We run a business via www.k9help.net, which is now being blocked by the "malicious toolkit website 9". I have absolutely no idea how to remove this, who to contact to have the script removed, in fact no idea of what to do next. Could you please give me some help and advice? Our business is being affected, and I'm not sure who else to ask.
Thank you, Richard Grant
I've been getting hit with this exploit Blackhole at least 6 times a day....
Thanks to the antivirus, hackers can be blocked now..
I was attempting to open a video required by my jazz history class when AVG alerted me of a Blackhole Exploit kit. I have read many of these comments and no one else appears to have been made aware of this threat as a result of a video. Could this mean that the virus has been developed to affect a larger variety of files since its conception? The file in question was a .php, if that helps.
I just got this while gaming on Facebook. The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.
URL: h4r29h.com/ai8r643.php
Name: Blackhole Exploit Kit (type 1889)
Hi, I was recently visiting a website called PSPISO and it came up with the Blackhole exploit threat. Can I still visit this website? Or will I get the virus?
I tried to visit www.sulit.com.ph, a popular eBay-like website here in the Philippines. Chrome suggested not to continue because it had found the Russian Blackhole exploit kit:
aswaz.ddns.name
@ Anonymous
If you got the alert, report this to the site owner. And don't visit that site unless they remove the bad code.
@ nev
Thanks for the comment. But the site is opening in Chrome for me. I didn't find any bad code on that site. If you can recheck and post back, that would be good.
I also got the threat blocked by AVG. The URL I usually go to, which is saved in my Firefox, is im.chikka.cm.. The threat also says that the infected file is my firefox.exe? How is that possible if the threat does not always appear?
im.chikka.com is also infected by the Blackhole exploit kit but was blocked by my AVG, though not always. I got infected and had to reformat my drive C. I hope it will be the last time I re-format.
Using firefox and Windows XP
I am getting "type 1889"; however, I think this is just not a case of infected sites - there is some sort of browser hijack involved. Quite a few times I have pressed the back or forward buttons on Firefox and have then been hijacked to a site I have never seen before. Same for doing a Google search: I click on a "reputable link" to Wikipedia or what have you and get redirected.
However, nothing is showing up with AVG or Spybot S&D.
AVG blocked this Blk.Hole bullsh** for me while visiting my bookmark on firefox to a very useful site named allofcraigs.com. I wonder if it came from a listing or.. the site itself?
I'm using AVG 2011 and Comodo Firewall. AVG popped up and said it caught Blackhole, but there was no option to remove it. Then a thing popped up asking for administrative access, but if I don't accept it won't go away. Then I did accept, and the antivirus and firewall shut down. I shut down and did a system restore, then scanned my system; AVG found like 10 viruses, 1/2 of which it can't remove, so I moved them to the vault. Malware found 6 viruses and Windows Defender found 4. I was using a program, Paltalk. I think it may be a direct thing from Paltalk. Any ideas how to prevent this? It has happened 3 times already. I thought the antivirus would help; no such luck.
I think it has been well-established that there is a problem - what is lacking in this thread is explicit information and methodology to resolve the problem. I'm no expert, however these attacks are so much of a drain that I'm thinking of becoming one. Here's my case so far ...
GIVEN:
index.php with no off-site includes
all files scan clean of nasty code
AVG Free scans clean on entire local PC
SYMPTOM: Exploit Blackhole
OBSERVATION: load the page, watch the messages on the status line/area; the page APPEARS TO COMPLETELY LOAD, then more messages appear reflecting access to an unknown 3rd-party site. The iFrame "clue" is near the lower/left corner of the page. View Page Source shows nothing; however, right-click on the "clue" and Inspect Element shows an iFrame with the rogue link.
THE WEIRD BITS:
1) scan with Google Safe Browsing Diagnostic says the page is clean
2) quick check using FTP to view and download the page shows no defect - there is no iFrame/JS code, and the file has not been touched (and I mean that in the technical sense).
THEORY #1:
Clever bugger is hiding somewhere on the client side, compromising the browser(s) themselves. Firefox 5.0, Chrome 15.0.874.121, and for good measure IE 6.0.2900, which I am loath to update.
Is there code (java?) that all three might use or call in performing their tasks?
THEORY #2:
Web page is f'kaked and I can't see it: furtive code, hidden characters, no idea really. Would need a simple reliable tool to scan the entire site, live and/or local.
POSSIBLE SOLUTION:
This is where Zscaler and the rest of you chime in. We don't need many more testimonials; we need science of a computer type.
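Added example (not code from the post or from Zscaler), serving both the post's description of the kit's stages above (obfuscated loader script, hidden iframe appended to the body, ASX file that only redirects) and the observation in this comment that the iframe shows in Inspect Element but not in the file on disk: a Python triage script that scans a saved raw page and a saved DOM dump for those patterns and reports which findings exist only at runtime. The hostnames, the escaped payload and the sample documents are constructed placeholders, not indicators from the page.

```python
"""Triage a saved page for the Blackhole injection patterns described in the post:
obfuscated inline JavaScript, a hidden iframe appended to <body>, and an ASX
playlist whose <ref> is just a redirect to another URL.  Added example, not
Zscaler's tooling; all hostnames and the escaped payload are constructed."""
import re
from html.parser import HTMLParser

# Heuristics for the obfuscated-loader stage: a decoder call fed a long escaped string.
OBFUSCATION_CALLS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(")
LONG_ESCAPED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}){40,}")
# The iframe stage: a script that builds an <iframe> and appends it to document.body.
DYNAMIC_IFRAME = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)")
APPEND_TO_BODY = re.compile(r"document\.body\.appendChild\s*\(")
# The ASX stage: <ref href="..."> entries inside an ASX playlist.
ASX_REF = re.compile(r"<ref\s+href\s*=\s*['\"]([^'\"]+)['\"]", re.I)


class _Collector(HTMLParser):
    """Collect <iframe> attributes and inline <script> bodies from one document."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _hidden(attrs):
    """Zero/one-pixel or display:none iframes are the drive-by tell; a real embed is visible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    size = {(attrs.get("width") or "").strip(), (attrs.get("height") or "").strip()}
    return "display:none" in style or "visibility:hidden" in style or bool(size & {"0", "1"})


def _host(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def scan_page(html, page_host):
    """Return finding strings for one saved document (raw source or a DOM dump)."""
    c = _Collector()
    c.feed(html)
    findings = []
    for f in c.iframes:
        host = _host(f.get("src") or "")
        if host and host != page_host and _hidden(f):
            findings.append(f"hidden iframe to off-site host {host}")
    for body in c.scripts:
        if DYNAMIC_IFRAME.search(body) and APPEND_TO_BODY.search(body):
            findings.append("script builds an iframe and appends it to document.body")
        if OBFUSCATION_CALLS.search(body) and LONG_ESCAPED_RUN.search(body):
            findings.append("obfuscated script: decoder call over a long escaped string")
    return findings


def scan_asx(asx_text):
    """An ASX whose <ref> points at an http(s) URL is a redirect hop, not media."""
    return [u for u in ASX_REF.findall(asx_text) if u.lower().startswith(("http://", "https://"))]


def injected_at_runtime(raw_findings, dom_findings):
    """Findings present in the rendered DOM but absent from the file on disk mean the
    iframe is created by script at load time, so the loader (or a resource it fetches)
    is what has to be located, not the static HTML."""
    return sorted(set(dom_findings) - set(raw_findings))


# Constructed samples: a raw page carrying the obfuscated loader, and the same page as
# a DOM dump after the loader has appended its hidden iframe.
_ESC = "%3c%69" * 25  # stands in for the kit's long percent-encoded payload
RAW_SAMPLE = (
    "<html><body><p>page text</p>\n"
    '<script type="text/javascript">\n'
    f'var d=unescape("{_ESC}");\n'
    "var f=document.createElement('iframe');f.width=0;f.height=0;\n"
    "document.body.appendChild(f);\n"
    "</script></body></html>\n"
)
DOM_SAMPLE = RAW_SAMPLE.replace(
    "</body>",
    '<iframe src="http://kit.example.invalid/index.php?tp=0000" width="0" height="0"></iframe></body>',
)
ASX_SAMPLE = '<asx version="3.0"><entry><ref href="http://kit.example.invalid/next/index.php" /></entry></asx>'

if __name__ == "__main__":
    raw = scan_page(RAW_SAMPLE, "site.example")
    dom = scan_page(DOM_SAMPLE, "site.example")
    print("raw source  :", raw)
    print("DOM dump    :", dom)
    print("runtime only:", injected_at_runtime(raw, dom))
    print("ASX hops    :", scan_asx(ASX_SAMPLE))
```

When a finding is reported for the DOM dump only, the next place to look is every script the page loads (including third-party ones), since that is where the loader that builds the iframe lives.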
http://karkkilanseurakunta.fi
This domain is currently under the BlackHole Exploit.
Reported by Symantec Endpoint Protection when I was being cheated by a spam containing a link to this domain.
I got the same thing on AVG when I logged in to CHIKKA MESSENGER. What could it do to my computer? Please help!
A week ago I downloaded Paltalk. I have used it twice. Both times Norton notified me that it blocked a Blackhole attack from Paltalk Messenger. Am I in danger? Is Paltalk safe? I have taken a screenshot of the Norton details about the attack and I was going to send it to you, but I don't know how. Please let me know if you need it. Can you please give me as much information as possible as to whether I am safe using Paltalk and what I can do to prevent getting intruded on by the virus. Thank you very much, Marianna
Using IE9, accessing site www.slipstreamtv.com, useful for sport viewing, full of pop-ups and adverts, and I must have clicked on one. Norton AV message: "an intrusion attempt by 86.63.168.105 was blocked"; more detail advised that it was a "Web Attack: Blackhole Exploit Kit Website 11". The IP address traces to Latvia.
Is it safe to delete the info.exe files?
http://www.atimes.com/
Asia Times triggered it for me.
I am a web developer and my site has come under attack. I have repeatedly removed the file(s), and it will go for weeks/months without any infections, then all of a sudden, like clockwork, the virus will pop up again.
How can you decode the obfuscated code?
I do have a copy of the code, if you want to see it.
How can I scan a Linux machine for the malicious code?
@Enlightenment Umesh is not at Zscaler anymore. You can send me the code (please put it in a ZIP file with a password so it is not blocked by the AV) to jsobrier @ zscaler.com. I'll analyze it and send you more details.
I am using Firefox, and I've had AVG 2012 trigger and block this "Blackhole Exploits Kit" almost a dozen times. Seeing how I've had that blasted "Windows Security 2012" virus, I'm glad that AVG is doing its job. So far, the Blackhole Exploits virus can't seem to bypass AVG.
I get on FB a lot and don't do too much web browsing, but it looks like FB is the main culprit for me. I think it's been hacked (yet again), as have numerous e-mail services. I would recommend to those of you who don't have AVG to get it ASAP. It's free, and it does its job wonderfully!
Hi there
A number of users on our vBulletin forum at www.GT-Rider.com/thailand-motorcycle-forum/ are reporting "Blackhole exploits kit attacks."
Many reports list www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif as a problem, and/or another file in the images/statusicon/ directory. Neither GIF file exists... So far we've been unable to find anything on the site that appears to be a genuine threat...
AVG is the only online checker that reports any issues at all...
Do you have any way to reliably scrutinise our site? It's got both vBulletin forums, and WordPress provides the outer CMS functions.
Kind regards
Ben
Webmaster / GT-Rider.com
@ben hxxp://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif contains a malicious piece of JavaScript in the head: [script type='text/javascript']var a=!1;if(!document.cookie.match(...
It creates an invisible iframe to http://prick.it.pn/in.cgi?2
Hi Julien
Thanks for your input. The problem is, I cannot find that "hxxp://www.gt-rider.com/thailand-motorcycle-forum/images/editor/smilie.gif" file on the site...
Using Smart FTP - cannot see the file
Using Cpanel File Manager - can't see it...
Any ideas on what to do next? :-)
We did find and remove the Blackhole exploit kit in WordPress, in JavaScript within the CF7 Calendar plugin.
@Ben The page is a 404, meaning the file does not exist. The malicious code was inserted in the PHP template or in the content stored in the database. You may want to look at the .htaccess files as well.
I log on to my space and BAM! BLACKHOLE POP UP. MY NORTON BLOCKED IT.
I got this on my forum as well. AVG said it blocked dreifo.in/index.php?showtopic=307515
AVG warns me that blackhole exploit kit is here:
http://samslovick.com/occupy-la/lapd-police-violence-at-occupy-la-m-17-video/
Hello, I have recently received a Blackhole exploit for the very first time, in repeated sessions on the Mozilla Firefox browser. It seems to happen on my e-mail and just when turning it on. Is there any way to remove the exploits? Or is this something my anti-virus can just keep blocking? Because it very well seems like it's blocking one or two at a time, increasing then decreasing. I usually run a virus scan every night; this is nuts.
I got a Blackhole exploit for the first time today on Firefox. Is there a way to remove the exploit? Also, thank God for AVG. This seemed to happen upon opening my Hotmail and just starting the browser up, period. It has also recently stopped attacking; however, I'm worried more so when it's lying dormant...
I was attacked by this link! How do I remove it? "ox-d.served-now.com/w/1.0/afr?auid=249042&cb=7494790648218637" Is there a way to remove the Blackhole exploits?
lol, half of these "Anonymous" people claiming they were about to get infected from Hotmail are trolls
SourceFire claims they have detected a new version of the blackhole kit. What can you tell me about this latest version in comparison to the older version?
@Anonymizer: we have blogged about the new version of the Blackhole exploit kit at http://research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html