Exploring the Black Hole Exploit Kit

Transcription

1 Exploring the Black Hole Exploit Kit Updated December 20, 2011 Internet Identity Threat Intelligence Department /29/11 Page 1/20

2 Summary The Black Hole exploit kit is a web application designed to propagate and monitor malware. The kit provides administrative features that allow operators to monitor infection statistics in real time, as well as toolsets to configure landing pages and repack malicious payloads to avoid antivirus detection. Typically, through means such as spam, victims are lured to malicious or compromised websites, from which Black Hole launches a variety of attacks on common web browser vulnerabilities found in Java, Adobe Reader, and Flash plugins. The Threat Intel team gained access to and monitored a Black Hole kit operating in the wild. Through the kit s administration panel, analysts identified the referrers distributed via spam s, the landing pages used to initiate the exploits, and the malicious binaries dropped onto victim machines. 1 This white paper summarizes the findings. 1 The Black Hole exploit kit labels URLs that redirect to malicious as referers 12/29/11 Page 2/20

3 Forum Activity The user Legacy on the forum Damagelab.org advertised the original version of the Black Hole Exploit Kit v beta on 02 September Legacy listed three individuals for potential clients to contact: Sales: Legacy, ICQ Program Support: Paunch, ICQ Team Lead: Naron, ICQ Figure 1 - Legacy's original post announcing release of Black Hole exploit kit Unlike other exploit kits, the source code for Black Hole is not for sale. Instead, potential clients have the option to lease the kit by purchasing different licenses ranging from $1,500 for one year, $1,000 for six months, or $700 for three months. It is also possible to rent the kit hosted on the author s server for a monthly fee of $500, or per week at $200. The Black Hole exploit kit has seen multiple updates since its original release. In a post dated 30 November 2011 on the forum Exploit.in, the user Paunch announced the most recent release v Figure 2 - Paunch announcing the latest updates to BH Kit (Java Rhino exploit among others) 12/29/11 Page 3/20

4 Spam All lures observed were initially sent out in spam campaigns generated by the Cutwail botnet. Each spam message contained a URL that lead to a compromised webpage. Said URLs are called redirectors or referers. We observed three different redirection techniques that lead to this particular Black Hole exploit kit: 1).htaccess 404 re- write 2) PHP script that loads iframe 3) JavaScript function evals to window.location redirect.htaccess 404 re- write Using an.htaccess re- write technique, the criminal is able append malicious JavaScript code to the 404 response page of the server. Said code writes an iframe to the page, which tells the browser to load the exploit kit. The benefit of this technique is that the attacker has an infinite number of URL combinations they can use, since every 404 response from the hacked website will return the appended JavaScript. More information and examples of an infected.htaccess file can be found on the Sucuri Blog. 2 Figure page with malicious JavaScript appended 2.htaccess info: htaccess- attacks- part- 1.html 12/29/11 Page 4/20

5 Two distinct campaigns one impersonating Bank of America and the other the IRS were observed using the.htaccess 404 re- write technique. 3 In the Bank of America spam campaign, s appeared to be sent from alert < .alert@bankofamerica.com>'. Listed below are examples of the subject headers observed: Bank of America: Account CLOSED Bank of America: Action required Bank of America: Account CLOSED Bank of America: Bill Payment CANCELED Bank of America: Unauthorized charges Figure 4 - Bank of America lure 3 StopMalvertising.com analysis of the Bank of America spam campaign: scams/bank- of- america- account- alert- leads- to- blackhole- exploit- kit.html 12/29/11 Page 5/20

6 In this attack, the lures contained links to non- existent PDF files on the server: hxxp://aracelektronik.com/8239epeoiq88534.pdf hxxp://brandonwjohnson.com/8239epeoiq89534.pdf hxxp://dafitson.com/8239epeoiq89534.pdf hxxp://easterncuisinewales.com/8238epeoiq89534.pdf hxxp://guiameloncorp.com/8239epeoiq89634.pdf hxxp://kismetindianrestaurant.co.uk/82e9epeoiq89534.pdf hxxp://masteryao.com/8239epeoiq89534.pdf hxxp://nicksvac.com/8289epeoiq89534.pdf hxxp://sanseverocommunity.com/8239epeoiq89584.pdf hxxp://thewebsitedesignpeople.co.uk/3239epeoiq86534.pdf hxxp:// By design, the server then returned an altered 404 page containing the obfuscated JavaScript, which then eval ed to an iframe in the browser: Figure 5 - Deobfuscated JavaScript with an iframe to exploit page 12/29/11 Page 6/20

7 The IRS themed campaign functions in almost the exact same manner. Below is an example of one such with the subject IRS: Fraud Alert : Figure 6 - IRS themed lure This campaign utilized hundreds of compromised domains as lures, including but not limited to: hxxp://davidenocera.altervista.org/irsgov/reports/complaint/66n704bvvof hxxp://de.yachtexport.com.pl/irsgov/reports/complaint/66n704bvvof hxxp://digofone.com/irsgov/reports/complaint/65dhwptnb49s hxxp://foto1.hu/irsgov/reports/complaint/66n704bvvof hxxp://freebusinesscardtemplates.com.au/irsgov/reports/complaint/3rfhpmxubgib98 hxxp://freshmodels.pl/irsgov/reports/complaint/66n704hj399 hxxp://galadhwen.com/irsgov/reports/complaint/4d5623a04sf3 hxxp://gruppoaversente.it/irsgov/reports/complaint/no304ind893 hxxp://gruppoaversente.it/irsgov/reports/complaint/vad5nhv6w3doh hxxp://helyitermek.com/irsgov/reports/complaint/kl0929naike9 hxxp://hostelinflorence.com/irsgov/reports/complaint/f35704bvvof 12/29/11 Page 7/20

8 Below are Black Hole campaigns associated with this technique: Campaign dbfe c 502c1fba e 502c1fba e Black Hole URL koiwoeqwcut.com/main.php?page=dbfe c domainsecurityvultest.in/main.php?page=502c1fba e www123.pandasecuritycheck.com/main.php?page=502c1fba e dbfe c was impersonating Bank of America and 502c1fba e was IRS themed. PHP Script to iframe In the second technique, malicious PHP scripts were placed on compromised websites. While no spam samples were identified, the administration panel of the Black Hole exploit kit showed the following lures: hxxp://fnrtop.com/adinfo.php hxxp://lomaintech.com/adinfo.php hxxp://rawmercurymedia.com/adinfo.php hxxp://rendermode.com/adinfo.php hxxp://paradisewebhost.com/adinfo.php The following HTML code (an iframe to the Black Hole kit) loads into the browser of victims that click on one of the above URLs: Figure 7 - Response content of adinfo.php redirector Below are the Black Hole campaigns associated with this technique: Campaign Domain 68dfc2dfc10659c4 statistic- countervisitors.net/main.php?page=68dfc2dfc10659c4 c f49d07 statistic- countervisitors.com/main.php?page=c f49d07 dfb886473afec374 usa- server05.com/main.php?page=dfb886473afec abda media- googlestat743.com/main.php?page=095252abda ae5b527f10c01793 media- googlestat743.net/main.php?page=ae5b527f10c /29/11 Page 8/20

9 window.location Redirect The third technique, known as the window.location redirect, utilized hundreds of compromised domains as redirectors contained in a variety of spam s. Many of the domains were also used in other spam campaigns as hosting platforms for other redirectors. Below is a personalized spam sample sent on 07 December 2011: Figure 8 - Spam sample from December 7th All personally identifiable information has been blotted out of the screenshot. Redirectors had the following format: hxxp://domain.tld/invoiceid- [0-9]{5}.html hxxp://bgoharbin.com/invoiceid html hxxp://capital- humain.ca/invoiceid html hxxp://neikiddo.com/invoiceid html 12/29/11 Page 9/20

10 Another wave of s, sent December 13 th, contained subject lines like New Agreement for our group duo December 2nd 2011." 4 The redirectors had the following format: Z]{8}.html hxxp://bellomo.de/njai6evm.html hxxp://inmemoriam40-45.nl/ffcacg8g.html hxxp://dvat.doggen- vom- alten- traum.de/e33b1h21.html hxxp://curricolo.istruzioneferrara.it/ v.html hxxp://admin.youmks.cba.pl/0j1mf9zd.html hxxp://curricolo.istruzioneferrara.it/m57qr6mu.html The html pages contained obfuscated JavaScript that loaded the Black Hole kit using the window.location object. Figure 9 - JavaScript function returned by hacked page 4 Reference to lure on Dynamoo s Blog: logs- spam.html 12/29/11 Page 10/20

11 The browser eval s this JavaScript to the following: Figure 10 - window.location redirect code The Black Hole campaigns associated with this technique: Campaign 68dfc2dfc10659c4 68dfc2dfc10659c abda Domain cms- wideopendns.com/main.php?page=68dfc2dfc10659c4 domainsecurityvultest.in/main.php?page=68dfc2dfc10659c4 checkmeforsecuryty.in/main.php?page=095252abda Current status of the Black Hole domains Domain First Seen (PST) Current Status media- googlestat743.net 12/5/11 17:19 SERVFAIL statistic- countervisitors.com 12/5/11 18:06 SERVFAIL statistic- countervisitors.net 12/7/11 1:55 SERVFAIL usa- server05.com 12/7/11 4:51 SERVFAIL media- googlestat743.com 12/7/11 10:09 NXDOMAIN koiwoeqwcut.com 12/8/11 15:09 SERVFAIL checkmeforsecuryty.in 12/12/11 8:11 SERVFAIL domainsecurityvultest.in 12/13/11 1:51 NOERROR 5 cms- wideopendns.com 12/13/11 13:19 SERVFAIL www123.pandasecuritycheck.com 12/14/11 9:39 NOERROR yourpandasecuritycheck.com 12/16/11 2:56:51 NOERROR 5 domainsecurityvultest.in is suspended status is CLIENT HOLD. The domain utilizes the nameserver ns1.suspended- domain.com. 12/29/11 Page 11/20

12 Black Hole exploit kit Infrastructure Analysis confirmed that this Black Hole kit was hosted at a fast- flux bullet- proof hosting provider. The short TTL, multiple A records, and distributed nameservers are indicators of a fast- flux botnet. A passive DNS lookup revealed 95 unique IPs for the month of December Figure 11 - Query results from the authoritative nameserver Figure 12 - Query results from our passive DNS database 12/29/11 Page 12/20

13 Six of the 95 IPs at were randomly selected for closer analysis: IP Hostname Country ASN ISP hdn1.deu.da.uu.net DE 702 Verizon Deutschland pcs.intercable.net MX Television Internacional dynamicip.rima- tde.net ES 3352 Telefonica España cpe.net.cable.rogers.com CA 812 Rogers Cable pool.mediaways.net DE 6805 Telefonica o2 Deutschland cm telecable.es ES TeleCable All of the IPs are residential broadband accounts spread across the globe, strong indicators of a botnet. The evidence clearly shows that the Black Hole kit is hosted behind a fast- flux botnet. In short, the Black Hole kit is hiding behind a botnet of proxy servers, but the proxy servers are all infected computers. The diagram below shows how the whole operation works. Note that the Black Hole exploit kit sits on criminal server behind the fast- flux proxy network. Figure 13: Infrastructure of the Black Hole exploit kit 12/29/11 Page 13/20

14 Malware (Payloads) Analysis shows that all but one of the samples listed above are the same binary slightly altered by basic packer obfuscation. These binaries are all variants of the Cridex trojan. 67 MD5 DESCRIPTION FIRST SEEN VT SCORE bf391e746529f4f87098a20f1 Cridex 12/13 1/ ecbf563d13cccbc8cc6de0d9 Cridex 12/12 5/ d1dee4c981b64fb9342a66ba81bb Cridex 12/7 2/43 27e403df66918fbbd bacd8492 Cridex 12/6 22/43 8ff7ab0264af8ce3d551a4924d Cridex 12/5 4/43 d41d8cd98f00b204e ecf8427e Empty file 12/5 NA Figure 14 - Some of the malware samples dropped 6 The Cridex trojan is a keylogger designed to obtain victim banking credentials. 7 nov- 11- cridex- the- hex- of- skidlo.aspx 12/29/11 Page 14/20

15 Anti- White Hat Techniques The criminals operating this Black Hole kit made considerable efforts to protect their investment and maximize efficiency of their operation. They opted to host their exploit kit at a fast- flux botnet hosting provider in order to hide their exploit kit behind a proxy network (see Figure 15). Also, they are blocking IPs and referers that they believe are used by white hat researchers to track malware systems. The blocking mechanism appears to be block directives in the.htaccess config, however, this functionality is built directly into the Black Hole admin panel: Figure 15 Black List 12/29/11 Page 15/20

16 Statistics This section provides a glimpse into the Black Hole control panel from the vantage point of the criminal operators. Country Statistics Analysis of the statistics confirmed that the criminal actors were targeting only the United States, Germany, and Italy. Though it appears that the primary focus was victims in the United States. Figure 16 - Statistics based on country For clarification, the first column is country, the second column is hits, the third column is successful exploits, and the fourth column is successful infections. 12/29/11 Page 16/20

17 Exploit Statistics The most commonly used exploit is the newly added Java Rhino exploit [CVE ]. This exploit will work on all browsers and across every operating system. Browser Statistics Figure 17 - Exploit statistics There were many successful exploits of Safari and Chrome, but no successful malware installs. The most vulnerable browser is Firefox with a 60% exploit rate, followed by Internet Explorer with a 40% exploit rate. Figure 18 - Browser statistics 12/29/11 Page 17/20

18 Operating System Statistics The statistics panel shows that the most vulnerable and prevalent operating system is Windows XP. Overall Statistics Figure 19 - Operating system statistics The overall statistics section shows the total number of hosts infected by this Black Hole exploit kit. Figure 20 - Overall statistics 12/29/11 Page 18/20

19 Post- Exploit Traffic Direction After the exploit code is run, users are forwarded to the following domains: commercialday- net.com jdemponedelnik.bij.pl commercialday- net.com is suspended (domain status CLIENT HOLD ) and jdemponedelnik.bij.pl appears to redirect to an Incognito exploit kit. The purpose of this traffic direction is unclear. Figure 21 - Campaign monitoring page 12/29/11 Page 19/20

20 Administrator Connections Administrator connections to the exploit kit admin panel were established from the following IPs: IP COUNTRY HOSTNAME ISP US server80.it4business.ca PEER US dns2.raymondvilleisd.org VTXC NL N/A LEASEWEB US N/A NTT DE evrohoster.com LEASEWEB US 8a.7.be.static.xlhost.com XLHOST.COM DE N/A LEASEWEB MD starnet.md STARNET NL local DEDISERV GB N/A RACKSRV Most of these IPs appear to be VPS or VPN servers. 12/29/11 Page 20/20