Home / malware Blacole
First posted on 04 January 2012.
Source: MicrosoftAliases :
Blacole is also known as Blackhole Exploit Pack (other), BlacoleRef (other).
Explanation :
Blacole , also known as the "Blackhole" exploit pack, is found on a compromised server and is installed there by an attacker by using one of many attack methods to gain access to the affected server. This exploit is a malicious JavaScript that loads a series of other exploits in order to deliver a payload. If a vulnerable computer browses a compromised website containing the exploit pack, various malware may be downloaded and run.
Top
Blacole , also known as the "Blackhole" exploit pack, is found on a compromised server and is installed there by an attacker by using one of many attack methods to gain access to the affected server. This exploit is a malicious JavaScript that loads a series of other exploits in order to deliver a payload. If a vulnerable computer browses a compromised website containing the exploit pack, various malware may be downloaded and run.
Installation
Blacole may be encountered when a user visits a malicious webpage using a computer with vulnerable software installed. The attack code is heavily obfuscated to hinder analysis and rudimentary detection methods, and uses code exploits for known software vulnerabilities in the Sun Java platform, and in Adobe applications such as Adobe Reader and Adobe Acrobat. The following are detection names that have connections to the Blacole malware family:
- Exploit:JS/BlacoleRef
- Exploit:Win32/Pdfjsc
- Exploit:Win32/Pidief
- Exploit:Win32/Java
- Exploit:Win32/SWF
- Exploit:JS/Mult
- Trojan:JS/Redirector
- TrojanDownloader:HTML/Adodb
- Exploit:JS/ShellCode
Through iterations and development of the Blacole exploit pack, the malware attempts to exploit several of the following vulnerabilities:
- CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
- CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
- CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
- CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
- CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
- CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
- CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
- CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
- CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
- CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
- CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
- CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
- CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
- CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
- CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier
The following is a list of some detections that specifically identify exploit code related to the exploit methods mentioned above and used by Blacole:
- Exploit:JS/CVE20075659
- Exploit:Java/CVE-2010-0842 , Exploit:Java/Midesq.A, Exploit:JS/Mult.DJ
- Exploit:Java/CVE-2010-0886 , Exploit:JS/CVE-2010-0886, Exploit:JS/Shiep.A, Exploit:JS/Mult.DU, Exploit:JS/ShellCode.O
- Exploit:Java/CVE-2010-3552 , Exploit:JS/Mult.DX
- Exploit:Java/CVE-2010-4452 , Exploit:JS/CVE-2010-4452, Exploit:HTML/CVE-2010-4452
- Exploit:Java/CVE-2011-3544
- Exploit:SWF/CVE-2011-2110
- Exploit:Win32/CVE-2008-2992 , Exploit:Win32/Pidief.B
- Exploit:Win32/CVE-2010-0188 , Exploit:Win32/Pdfjsc
- Exploit:Java/CVE-2010-0840
- Exploit:Win32/CVE-2010-1885 , Exploit:JS/ShellCode.P, TrojanDownloader:JS/Adodb.F
The following is an example of a typical user experience when browsing a webpage that contains the malicious code:
In the background, the compromised webpage uses an IFrame to redirect the browser and execute a malicious server-side .PHP script on another compromised web server. The following are examples of the script request and format:
- <site name>/main.php?page=43842ba0d45a9da3
- <site name>/main.php?page=8eac7226b6b12c7d
- <site name>/main.php?page=abfd0d069b45c17e
- <site name>/main.php?page=977334ca118fcb8c
- <site name>/i.php?f=16&e=3
The compromised server typically hosts other malware in folders created by an attacker. The other malware uses the following file formats and attempts to exploit related applications to execute its payload:
- Adobe Shockwave
- Adobe Acrobat
- Adobe PDF Reader
- Java Runtime Environment (JRE)
The following are in-the-wild examples of malware hosted on a compromised server, and that are executed by the Blacole exploit pack:
- <domain>/content/v1.jar - Exploit:Java/Blacole.CE
- <domain>/content/g43kb6j34kblq6jh34kb6j3kl4.jar - Exploit:Java/CVE-2010-0840.NK
- <domain>/content/1ddfp.php?f=35 - Exploit:Win32/Pdfjsc.YP
- <domain>/content/2ddfp.php?f=35 - Exploit:Win32/Pdfjsc.YP
Payload
Loads exploit files
Blacole may load various exploits based on what software is vulnerable in the computer. These exploits include:
- Exploit:Java/CVE-2010-0840.EW
- Exploit:Win32/Pdfjsc.RF
- Exploit:Win32/Pdfjsc.RM
Blacole may be downloaded as a DLL file on the affected computer, as in the following common example:
- %Temp%\wpbt0.dll
The downloaded malware file is executed locally by running the following command:
- regsvr32 -s wpbt0.dll
The observed downloaded families include:
Additional information
- Backdoor:Win32/Simda , Trojan:Win32/Simda
- Rogue:Win32/Winwebsec
- Trojan:Win32/Lockscreen.BO
- Trojan:Win32/Ransom.FL
- Trojan:WinNT/Rootkit
- Win32/Sirefef
- Worm:Win32/Cridex
- Worm:Win32/Gamarue
- Win32/EyeStye
- Win32/FakeSysdef
- Win32/Meteit
- Win32/Carberp
- Win32/Drstwex
- Win32/Cutwail
- Win32/Cycbot
- Win32/FakeRean
- Win32/Zbot
- Win32/Sinowal
The Blackhole exploit pack is sold to attackers for profit. Thus, attackers are motivated to use the attack code to distribute the following types of malware in oder to offset the financial overhead of the Blacole exploit pack:
- Online banking password stealers
- Rogue security software
- Backdoor trojans to leverage additional theft
You can read more about Blacole related malware in the following MMPC blog articles:
- Get gamed and rue the day...
- Disorderly conduct: localized malware impersonates the police
Analysis by Shawn Wang & Patrick Nolan
Last update 04 January 2012