Exploring the Black Hole Exploit Kit

Updated December 20, 2011
Internet Identity Threat Intelligence Department
http://www.internetidentity.com

http://www.internetidentity.com 12/29/11 Page 1/20
Summary

The Black Hole exploit kit is a web application designed to propagate and monitor malware. The kit provides administrative features that allow operators to monitor infection statistics in real time, as well as toolsets to configure landing pages and repack malicious payloads to avoid antivirus detection. Typically, through means such as spam, victims are lured to malicious or compromised websites, from which Black Hole launches a variety of attacks on common web browser vulnerabilities found in Java, Adobe Reader, and Flash plugins.

The Threat Intel team gained access to and monitored a Black Hole kit operating in the wild. Through the kit's administration panel, analysts identified the referrers distributed via spam emails, the landing pages used to initiate the exploits, and the malicious binaries dropped onto victim machines. [1] This white paper summarizes the findings.

[1] The Black Hole exploit kit labels URLs that redirect to malicious content as "referers".
Forum Activity

The user Legacy on the forum Damagelab.org advertised the original version of the Black Hole Exploit Kit v.1.0.0 beta on 02 September 2010. Legacy listed three individuals for potential clients to contact:

  Sales: Legacy, ICQ 363001
  Program Support: Paunch, ICQ 343002
  Team Lead: Naron, ICQ 895894

Figure 1 - Legacy's original post announcing release of Black Hole exploit kit

Unlike other exploit kits, the source code for Black Hole is not for sale. Instead, potential clients have the option to lease the kit by purchasing different licenses ranging from $1,500 for one year, $1,000 for six months, or $700 for three months. It is also possible to rent the kit hosted on the author's server for a monthly fee of $500, or per week at $200.

The Black Hole exploit kit has seen multiple updates since its original release. In a post dated 30 November 2011 on the forum Exploit.in, the user Paunch announced the most recent release v.1.2.1.

Figure 2 - Paunch announcing the latest updates to BH Kit (Java Rhino exploit among others)
Spam

All lures observed were initially sent out in spam campaigns generated by the Cutwail botnet. Each spam message contained a URL that led to a compromised webpage. Such URLs are called redirectors or referers. We observed three different redirection techniques that led to this particular Black Hole exploit kit:

  1) .htaccess 404 rewrite
  2) PHP script that loads an iframe
  3) JavaScript function that evals to a window.location redirect

.htaccess 404 rewrite

Using an .htaccess rewrite technique, the criminal is able to append malicious JavaScript code to the 404 response page of the server. That code writes an iframe to the page, which tells the browser to load the exploit kit. The benefit of this technique is that the attacker has an infinite number of URL combinations they can use, since every 404 response from the hacked website will return the appended JavaScript. More information and examples of an infected .htaccess file can be found on the Sucuri Blog. [2]

Figure 3 - 404 page with malicious JavaScript appended

[2] .htaccess info: http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
Two distinct email campaigns, one impersonating Bank of America and the other the IRS, were observed using the .htaccess 404 rewrite technique. [3] In the Bank of America spam campaign, emails appeared to be sent from "email alert" <email.alert@bankofamerica.com>. Listed below are examples of the subject headers observed:

  Bank of America: Account CLOSED
  Bank of America: Action required
  Bank of America: Bill Payment CANCELED
  Bank of America: Unauthorized charges

Figure 4 - Bank of America email lure

[3] StopMalvertising.com analysis of the Bank of America spam campaign: http://stopmalvertising.com/spam-scams/bank-of-america-account-alert-leads-to-blackhole-exploit-kit.html
In this attack, the email lures contained links to non-existent PDF files on the server:

  hxxp://aracelektronik.com/8239epeoiq88534.pdf
  hxxp://brandonwjohnson.com/8239epeoiq89534.pdf
  hxxp://dafitson.com/8239epeoiq89534.pdf
  hxxp://easterncuisinewales.com/8238epeoiq89534.pdf
  hxxp://guiameloncorp.com/8239epeoiq89634.pdf
  hxxp://kismetindianrestaurant.co.uk/82e9epeoiq89534.pdf
  hxxp://masteryao.com/8239epeoiq89534.pdf
  hxxp://nicksvac.com/8289epeoiq89534.pdf
  hxxp://sanseverocommunity.com/8239epeoiq89584.pdf
  hxxp://thewebsitedesignpeople.co.uk/3239epeoiq86534.pdf
  hxxp://www.easterncuisinewales.com/8239epeoiq89534.pdf

By design, the server then returned an altered 404 page containing the obfuscated JavaScript, which the browser then eval'ed to an iframe:

Figure 5 - Deobfuscated JavaScript with an iframe to exploit page
The IRS-themed campaign functions in almost exactly the same manner. Below is an example of one such email, with the subject "IRS: Fraud Alert":

Figure 6 - IRS themed lure email

This campaign utilized hundreds of compromised domains as lures, including but not limited to:

  hxxp://davidenocera.altervista.org/irsgov/reports/complaint/66n704bvvof
  hxxp://de.yachtexport.com.pl/irsgov/reports/complaint/66n704bvvof
  hxxp://digofone.com/irsgov/reports/complaint/65dhwptnb49s
  hxxp://foto1.hu/irsgov/reports/complaint/66n704bvvof
  hxxp://freebusinesscardtemplates.com.au/irsgov/reports/complaint/3rfhpmxubgib98
  hxxp://freshmodels.pl/irsgov/reports/complaint/66n704hj399
  hxxp://galadhwen.com/irsgov/reports/complaint/4d5623a04sf3
  hxxp://gruppoaversente.it/irsgov/reports/complaint/no304ind893
  hxxp://gruppoaversente.it/irsgov/reports/complaint/vad5nhv6w3doh
  hxxp://helyitermek.com/irsgov/reports/complaint/kl0929naike9
  hxxp://hostelinflorence.com/irsgov/reports/complaint/f35704bvvof
Below are the Black Hole campaigns associated with this technique:

  Campaign           Black Hole URL
  dbfe67780300732c   koiwoeqwcut.com/main.php?page=dbfe67780300732c
  502c1fba7536692e   domainsecurityvultest.in/main.php?page=502c1fba7536692e
  502c1fba7536692e   www123.pandasecuritycheck.com/main.php?page=502c1fba7536692e

Campaign dbfe67780300732c was impersonating Bank of America and 502c1fba7536692e was IRS themed.

PHP Script to iframe

In the second technique, malicious PHP scripts were placed on compromised websites. While no spam samples were identified, the administration panel of the Black Hole exploit kit showed the following lures:

  hxxp://fnrtop.com/adinfo.php
  hxxp://lomaintech.com/adinfo.php
  hxxp://rawmercurymedia.com/adinfo.php
  hxxp://rendermode.com/adinfo.php
  hxxp://paradisewebhost.com/adinfo.php

The following HTML code (an iframe to the Black Hole kit) loads into the browser of victims that click on one of the above URLs:

Figure 7 - Response content of adinfo.php redirector

Below are the Black Hole campaigns associated with this technique:

  Campaign           Domain
  68dfc2dfc10659c4   statistic-countervisitors.net/main.php?page=68dfc2dfc10659c4
  c843774793f49d07   statistic-countervisitors.com/main.php?page=c843774793f49d07
  dfb886473afec374   usa-server05.com/main.php?page=dfb886473afec374
  095252abda552153   media-googlestat743.com/main.php?page=095252abda552153
  ae5b527f10c01793   media-googlestat743.net/main.php?page=ae5b527f10c01793
window.location Redirect

The third technique, known as the window.location redirect, utilized hundreds of compromised domains as redirectors contained in a variety of spam emails. Many of the domains were also used in other spam campaigns as hosting platforms for other redirectors. Below is a personalized spam sample sent on 07 December 2011:

Figure 8 - Spam sample from December 7th

All personally identifiable information has been blotted out of the screenshot. Redirectors had the following format:

  hxxp://domain.tld/invoiceid-[0-9]{5}.html

  hxxp://bgoharbin.com/invoiceid-16849.html
  hxxp://capital-humain.ca/invoiceid-81417.html
  hxxp://neikiddo.com/invoiceid-18168.html
Another wave of emails, sent December 13th, contained subject lines like "New Agreement for our group duo December 2nd 2011." [4] The redirectors had the following format:

  hxxp://domain.tld/[0-9a-z]{8}.html

  hxxp://bellomo.de/njai6evm.html
  hxxp://inmemoriam40-45.nl/ffcacg8g.html
  hxxp://dvat.doggen-vom-alten-traum.de/e33b1h21.html
  hxxp://curricolo.istruzioneferrara.it/4615370v.html
  hxxp://admin.youmks.cba.pl/0j1mf9zd.html
  hxxp://curricolo.istruzioneferrara.it/m57qr6mu.html

The HTML pages contained obfuscated JavaScript that loaded the Black Hole kit using the window.location object.

Figure 9 - JavaScript function returned by hacked page

[4] Reference to email lure on Dynamoo's Blog: http://blog.dynamoo.com/2011/12/payroll-logs-spam.html
The browser eval's this JavaScript to the following:

Figure 10 - window.location redirect code

The Black Hole campaigns associated with this technique:

  Campaign           Domain
  68dfc2dfc10659c4   cms-wideopendns.com/main.php?page=68dfc2dfc10659c4
  68dfc2dfc10659c4   domainsecurityvultest.in/main.php?page=68dfc2dfc10659c4
  095252abda552153   checkmeforsecuryty.in/main.php?page=095252abda552153

Current status of the Black Hole domains

  Domain                          First Seen (PST)    Current Status
  media-googlestat743.net         12/5/11 17:19       SERVFAIL
  statistic-countervisitors.com   12/5/11 18:06       SERVFAIL
  statistic-countervisitors.net   12/7/11 1:55        SERVFAIL
  usa-server05.com                12/7/11 4:51        SERVFAIL
  media-googlestat743.com         12/7/11 10:09       NXDOMAIN
  koiwoeqwcut.com                 12/8/11 15:09       SERVFAIL
  checkmeforsecuryty.in           12/12/11 8:11       SERVFAIL
  domainsecurityvultest.in        12/13/11 1:51       NOERROR [5]
  cms-wideopendns.com             12/13/11 13:19      SERVFAIL
  www123.pandasecuritycheck.com   12/14/11 9:39       NOERROR
  yourpandasecuritycheck.com      12/16/11 2:56:51    NOERROR

[5] domainsecurityvultest.in is suspended (status CLIENT HOLD). The domain utilizes the nameserver ns1.suspended-domain.com.
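The redirector URL formats and the main.php?page=<campaign id> landing URLs described in this section can be turned into proxy-log detection logic. The following is an added example, not code from the original report or from the kit; the .pdf, irsgov and adinfo.php regexes, the log line format and the sample log are assumptions constructed from the URLs listed above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Redirector URL shapes from this report. The invoiceid and eight-character .html
# forms are given above; the .pdf, irsgov and adinfo.php regexes are assumptions
# generalised from the sample URLs.
REDIRECTOR_PATTERNS = [
    ("htaccess-404-pdf", re.compile(r"/[0-9a-z]{15}\.pdf", re.I)),
    ("htaccess-404-irs", re.compile(r"/irsgov/reports/complaint/[0-9a-z]+", re.I)),
    ("php-iframe", re.compile(r"/adinfo\.php")),
    ("window-location-invoice", re.compile(r"/invoiceid-[0-9]{5}\.html")),
    ("window-location-random8", re.compile(r"/[0-9a-z]{8}\.html", re.I)),
]
CAMPAIGN_ID = re.compile(r"[0-9a-f]{16}")  # main.php?page=<16 hex chars>

def classify_url(url):
    """Return a redirector pattern name, 'blackhole-landing', or None."""
    parts = urlparse(url)
    if parts.path == "/main.php":
        page = parse_qs(parts.query).get("page", [""])[0]
        if CAMPAIGN_ID.fullmatch(page):
            return "blackhole-landing"
    for name, rx in REDIRECTOR_PATTERNS:
        if rx.fullmatch(parts.path):
            return name
    return None

def find_chains(log_lines, window=60):
    """Per client, pair a redirector hit with a landing-page hit within `window`
    seconds. Constructed log format: '<epoch> <client> <url>'. A lone
    eight-character .html hit is a weak signal, so only chains are reported."""
    last_redirector, chains = {}, []
    for line in log_lines:
        ts, client, url = line.split()
        ts, tag = int(ts), classify_url(url)
        if tag == "blackhole-landing":
            prev = last_redirector.get(client)
            if prev and ts - prev[0] <= window:
                chains.append((client, prev[1], url))
        elif tag is not None:
            last_redirector[client] = (ts, url)
    return chains

# Constructed sample proxy log; the URLs are ones listed in this report.
SAMPLE_LOG = [
    "1323277200 10.0.0.5 http://bgoharbin.com/invoiceid-16849.html",
    "1323277203 10.0.0.5 http://cms-wideopendns.com/main.php?page=68dfc2dfc10659c4",
    "1323277210 10.0.0.9 http://example.com/index.html",
    "1323277300 10.0.0.9 http://bellomo.de/njai6evm.html",
    "1323277900 10.0.0.9 http://domainsecurityvultest.in/main.php?page=68dfc2dfc10659c4",
]
```

With the default 60-second window only client 10.0.0.5 is reported; the second client's landing-page hit comes ten minutes after its redirector hit and is left for analyst review rather than auto-flagged.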
Black Hole exploit kit Infrastructure

Analysis confirmed that this Black Hole kit was hosted at a fast-flux bullet-proof hosting provider. The short TTL, multiple A records, and distributed nameservers are indicators of a fast-flux botnet. A passive DNS lookup revealed 95 unique IPs for the month of December 2011.

Figure 11 - Query results from the authoritative nameserver

Figure 12 - Query results from our passive DNS database
Six of the 95 IPs were randomly selected for closer analysis:

  IP                Hostname                       Country   ASN     ISP
  149.225.62.204    hdn1.deu.da.uu.net             DE        702     Verizon Deutschland
  187.160.105.219   pcs.intercable.net             MX        11888   Television Internacional
  2.140.84.231      dynamicip.rima-tde.net         ES        3352    Telefonica España
  174.116.30.130    cpe.net.cable.rogers.com       CA        812     Rogers Cable
  77.180.6.89       pool.mediaways.net             DE        6805    Telefonica o2 Deutschland
  83.97.178.70      cm-83-97-178-70.telecable.es   ES        12946   TeleCable

All of the IPs are residential broadband accounts spread across the globe, strong indicators of a botnet. The evidence clearly shows that the Black Hole kit is hosted behind a fast-flux botnet. In short, the Black Hole kit is hiding behind a botnet of proxy servers, but the proxy servers are all infected computers. The diagram below shows how the whole operation works. Note that the Black Hole exploit kit sits on a criminal server behind the fast-flux proxy network.

Figure 13: Infrastructure of the Black Hole exploit kit
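The fast-flux indicators used in this section (short TTL, several A records per answer, many unique IPs over time, and IPs spread across many residential ASNs) can be scored over passive DNS records. The following is an added example, not part of the original report; the record layout, the thresholds and the sample data are assumptions, with only the six ASNs taken from the table above.

```python
from collections import Counter

# Indicators the report uses for fast flux: short TTL, several A records per
# answer, many unique IPs over time, and IPs spread across many (residential)
# ASNs. The thresholds are assumptions for illustration, not from the report.
THRESHOLDS = {"max_ttl": 300, "min_a_per_answer": 5,
              "min_unique_ips": 10, "min_unique_asns": 5}

def make_records(n_answers, ips_per_answer, ttl, asns):
    """Constructed passive-DNS rows (timestamp, ip, ttl, asn) for one hostname.
    IPs come from the RFC 5737 documentation range, rotated per answer."""
    rows, k = [], 0
    for t in range(n_answers):
        for _ in range(ips_per_answer):
            rows.append((t * ttl, f"192.0.2.{k % 250 + 1}", ttl, asns[k % len(asns)]))
            k += 1
    return rows

def flux_indicators(rows):
    """Summarise the four indicators over a set of passive-DNS rows."""
    return {
        "min_ttl": min(r[2] for r in rows),
        "max_a_per_answer": max(Counter(r[0] for r in rows).values()),
        "unique_ips": len({r[1] for r in rows}),
        "unique_asns": len({r[3] for r in rows}),
    }

def fast_flux_score(rows):
    """Count how many indicators fire (0-4); 3 or more is treated as fast flux."""
    ind = flux_indicators(rows)
    hits = [
        ind["min_ttl"] <= THRESHOLDS["max_ttl"],
        ind["max_a_per_answer"] >= THRESHOLDS["min_a_per_answer"],
        ind["unique_ips"] >= THRESHOLDS["min_unique_ips"],
        ind["unique_asns"] >= THRESHOLDS["min_unique_asns"],
    ]
    return sum(hits), ind

def is_fast_flux(rows):
    return fast_flux_score(rows)[0] >= 3

# Constructed data sets. FLUX uses the six ASNs of the sampled IPs in this report
# (702, 11888, 3352, 812, 6805, 12946); STABLE is a single host on a private-use
# ASN (64496) with a one-hour TTL.
REPORT_ASNS = [702, 11888, 3352, 812, 6805, 12946]
FLUX = make_records(n_answers=4, ips_per_answer=5, ttl=60, asns=REPORT_ASNS)
STABLE = [(t * 3600, "198.51.100.7", 3600, 64496) for t in range(4)]
```

A CDN can also show short TTLs and several A records per answer, which is why the ASN-diversity indicator matters: CDN addresses cluster in a few hosting ASNs, whereas the sampled IPs above sit in six different consumer ISPs.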
Malware (Payloads)

Analysis shows that all but one of the samples listed in Figure 14 are the same binary, slightly altered by basic packer obfuscation. These binaries are all variants of the Cridex trojan. [6][7]

  MD5                                DESCRIPTION   FIRST SEEN   VT SCORE
  5520646bf391e746529f4f87098a20f1   Cridex        12/13        1/43
  03418610ecbf563d13cccbc8cc6de0d9   Cridex        12/12        5/43
  0113d1dee4c981b64fb9342a66ba81bb   Cridex        12/7         2/43
  27e403df66918fbbd2692957bacd8492   Cridex        12/6         22/43
  8ff7ab0264af8ce3d551a4924d434477   Cridex        12/5         4/43
  d41d8cd98f00b204e9800998ecf8427e   Empty file    12/5         NA

Figure 14 - Some of the malware samples dropped

[6] The Cridex trojan is a keylogger designed to obtain victim banking credentials.
[7] http://blogs.technet.com/b/mmpc/archive/2011/11/10/msrt-nov-11-cridex-the-hex-of-skidlo.aspx
Anti-White Hat Techniques

The criminals operating this Black Hole kit made considerable efforts to protect their investment and maximize the efficiency of their operation. They opted to host their exploit kit at a fast-flux botnet hosting provider in order to hide their exploit kit behind a proxy network (see Figure 15). Also, they are blocking IPs and referers that they believe are used by white hat researchers to track malware systems. The blocking mechanism appears to be block directives in the .htaccess config; however, this functionality is built directly into the Black Hole admin panel:

Figure 15 - Black List
Statistics

This section provides a glimpse into the Black Hole control panel from the vantage point of the criminal operators.

Country Statistics

Analysis of the statistics confirmed that the criminal actors were targeting only the United States, Germany, and Italy, though the primary focus appears to have been victims in the United States.

Figure 16 - Statistics based on country

For clarification, the first column is country, the second column is hits, the third column is successful exploits, and the fourth column is successful infections.
Exploit Statistics

The most commonly used exploit is the newly added Java Rhino exploit [CVE-2011-3544]. This exploit will work on all browsers and across every operating system.

Figure 17 - Exploit statistics

Browser Statistics

There were many successful exploits of Safari and Chrome, but no successful malware installs. The most vulnerable browser is Firefox with a 60% exploit rate, followed by Internet Explorer with a 40% exploit rate.

Figure 18 - Browser statistics
Operating System Statistics

The statistics panel shows that the most vulnerable and prevalent operating system is Windows XP.

Figure 19 - Operating system statistics

Overall Statistics

The overall statistics section shows the total number of hosts infected by this Black Hole exploit kit.

Figure 20 - Overall statistics
Post-Exploit Traffic Direction

After the exploit code is run, users are forwarded to the following domains:

  commercialday-net.com
  jdemponedelnik.bij.pl

commercialday-net.com is suspended (domain status CLIENT HOLD) and jdemponedelnik.bij.pl appears to redirect to an Incognito exploit kit. The purpose of this traffic direction is unclear.

Figure 21 - Campaign monitoring page
Administrator Connections

Administrator connections to the exploit kit admin panel were established from the following IPs:

  IP                COUNTRY   HOSTNAME                      ISP
  64.34.170.56      US        server80.it4business.ca       PEER 1
  72.26.47.165      US        dns2.raymondvilleisd.org      VTXC
  95.211.43.6       NL        N/A                           LEASEWEB
  128.241.236.79    US        N/A                           NTT
  178.162.160.36    DE        evrohoster.com                LEASEWEB
  209.190.7.138     US        8a.7.be.static.xlhost.com     XLHOST.COM
  78.159.121.172    DE        N/A                           LEASEWEB
  178.168.37.181    MD        178-168-37-181.starnet.md     STARNET
  212.7.207.199     NL        12.7.207.199.local            DEDISERV
  213.5.182.123     GB        N/A                           RACKSRV

Most of these IPs appear to be VPS or VPN servers.