Web Threat Evolution: Blackhole Toolkit
Currently ranked number 1 in the world among online threats (in 2013).

Malicious hackers use toolkits, pre-packaged pieces of code that make it very easy to distribute malware, infect websites with it and then perform specific malicious activities from the compromised site(s). The toolkit discussed here is popularly known as the Blackhole Toolkit (Blackhole Exploit Kit); it has been available for some time and has been documented by researchers. Benign websites are compromised in droves so that they infect their own visitors, and in the vast majority of cases the website owners are completely unaware of it. The kit was developed by an anonymous Russian hacker group, is written in PHP, relies largely on Java based exploit components, and turns the traffic of the compromised websites against the visitors' systems. Blackhole Exploit Kit has been detected by AVG on victims' machines in 218 countries during the last month, and there are currently 50759 websites in 145 countries that host it.
2. Malicious hackers sometimes use toolkits: pre-packaged pieces of computer code which make it very easy to distribute malware, infect websites with it and then perform specific malicious activities from the now compromised site(s). The strain of malware discussed here is related to a toolkit popularly known as the Blackhole Toolkit. This toolkit has been available for some time now and has been documented by researchers.
Deep Mehta 8th IT
3. Malicious hackers are infecting websites in droves using new kinds of malware. Websites are the newest malware battleground. Benign websites are compromised and infected by hackers in order to infect their visitors. In the vast majority of cases, the affected website owners are completely unaware that a malicious hacker has used their website to infect its visitors.
4. Version history

Version     Release date
2.0         09/2012
1.2.5       07/30/2012
1.2.4       07/11/2012
1.2.3       03/28/2012
1.2.2       02/26/2012
1.2.1       12/09/2011
1.2.0       11/09/2011
1.1.0       06/26/2011
1.0.2       11/20/2010
1.0.0 beta  08/2010

Blackhole Toolkit was developed by an anonymous Russian hacker group.
Core language of development: PHP (the server-side kit).
Exploit components: largely Java based (malicious JAR files); the final payload is a Win32 executable.
Uses the traffic of compromised websites to reach the visitors' systems (the victims).
The attacker compromises web hosting servers in order to plant the redirect code on the sites they host.
5. Blackhole Exploit Kit is delivered by code that has been injected into a web page. When you browse to a page carrying that code, the kit identifies the vulnerabilities in your internet browser and its plugins, exploits one of them and forces adware, phishing programs or any other type of fraudulent software to be installed on your device, without any action on your part.

Blackhole Exploit Kit is a threat that is spreading. It is currently ranked number 1 in the world for online threats. Blackhole Exploit Kit has been detected by AVG on victims' machines in 218 countries during the last month. There are currently 50759 websites in 145 countries that host Blackhole Exploit Kit.
7. The leading clue was the file named 27 in the file upload directory. This is the location where new executable payloads are uploaded for further distribution to the infected endpoints. This file was not something one would generally expect to find there: not the usual botnet executable or keylogger installer, which are the payloads generally observed, but a copy of the infamous C99Shell backdoor, a PHP web shell that is one of the most popular tools of choice for hacking into websites.
8. The infection chain proceeds as follows:
- Unsuspecting Internet surfers visit websites harboring malicious IFrame tags.
- Users are then redirected to servers which load malicious payloads via browser exploits or PDF and SWF based exploits.
- Often, a malicious JAR file is downloaded to the unsuspecting client's PC.
- This JAR file contains malicious URLs which download further malware.
- The downloaded trojan(s) post a unique ID to a command-and-control server.
- The trojan then posts a list of the running processes on the victim's computer to the server.
- The following three plugins are then downloaded:
  stopav.plug – tries to disable the antivirus installed on the victim's computer
  passw.plug – logs username/password combinations for connections being made
  miniav.plug – tries to delete copies of Zeus bots on the computer to prevent competition amongst malware on the victim's computer
- Finally, a fake anti-virus program is downloaded to the victim's computer.
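The hidden IFrame that starts this chain is what the "oblivious" website owner can actually look for in their own pages. The following script is an added example, not code from the original presentation or from the kit itself: it parses a page and reports iframes that are hidden (1x1 or zero size, display:none, positioned off-screen) together with inline scripts that combine eval() with unescape()/fromCharCode, the pattern commonly used to write such a frame at run time. The sample HTML, the hosts under .invalid and the site host "example.com" are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real infected site): one legitimate embed,
# two injected frames of the kind described above, and an obfuscated script.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://evil-redirector.invalid/in.php" width="1" height="1"></iframe>
<iframe src="http://evil2.invalid/x.php" style="position:absolute; left:-9999px; top:-9999px"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"));</script>
<script>console.log("site analytics");</script>
</body></html>"""


class InjectionAuditor(HTMLParser):
    """Collect every <iframe> (with attributes) and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def _tiny(value):
    """True for a width/height such as '0', '1' or '1px' that hides a frame."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def audit_page(html, site_host):
    """Return hidden iframes and obfuscated inline scripts found in html.

    site_host is the hostname of the site being audited (assumed to be
    'example.com' in the demo). A frame pointing elsewhere is not flagged
    by itself; the external host is only recorded when the frame is hidden.
    """
    parser = InjectionAuditor()
    parser.feed(html)
    parser.close()

    frames = []
    for f in parser.iframes:
        reasons = []
        src = f.get("src", "")
        style = f.get("style", "").replace(" ", "").lower()
        if _tiny(f.get("width")) or _tiny(f.get("height")):
            reasons.append("1x1 or zero-size frame")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if re.search(r"(left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        if not reasons:
            continue  # a visible frame is ordinary markup, not an injection
        host = urlparse(src).hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("points to external host " + host)
        frames.append((src, reasons))

    # Injections of this kind often build the frame from an eval/unescape blob
    # instead of a literal tag; flag inline scripts showing that pattern.
    scripts = [
        body.strip()[:80]
        for body in parser.scripts
        if re.search(r"\beval\s*\(", body)
        and re.search(r"unescape\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}", body)
    ]
    return {"iframes": frames, "scripts": scripts}


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "example.com")
    for src, reasons in report["iframes"]:
        print("suspicious iframe:", src, "->", "; ".join(reasons))
    for snippet in report["scripts"]:
        print("obfuscated script:", snippet)
```

Run it over every HTML and PHP template under the web root. Static scanning only sees markup that is present in the file: a frame written by a script at run time is only visible once the flagged script is decoded or the page is rendered, which is why the eval/unescape heuristic is reported alongside the frames.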
9. Stages of an attack
Initial vector: the victim is supplied with a carrier which offers a hyperlink to initiate the chain of events.
Redirections: the hyperlink from the previous stage is redirected through intermediate sites to make tracing of the attack complicated.
Mainfile: the hosting server is contacted and the server code collects and distributes the set of exploit functions for the targeted host.
Downloadfile: after any of the exploits served in the previous phase is activated, its downloader code (shellcode or script) connects back and the server code distributes the binary (Win32) executable payload.
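The four stages above leave a recognisable footprint in proxy or web-gateway logs: a landing page, one or more redirect hops on other hosts, then a JAR (the exploit) and a binary (the payload) fetched from the same server within seconds. The following script is an added example, not part of the original presentation: it reconstructs that sequence from a constructed, simplified proxy log. The six-column format, the hosts under .invalid, the client addresses and the timestamps are all invented for the demonstration; a real Squid or gateway log needs its own parser in place of parse_log().

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). One line per request:
# epoch_time client method url status content_type
SAMPLE_LOG = """\
1351000001.000 10.0.0.5 GET http://benign-blog.invalid/index.html 200 text/html
1351000002.100 10.0.0.5 GET http://hop1.invalid/go.php 302 text/html
1351000002.300 10.0.0.5 GET http://kit.invalid/main.php?page=a1 200 text/html
1351000003.900 10.0.0.5 GET http://kit.invalid/content/jv.jar 200 application/java-archive
1351000006.200 10.0.0.5 GET http://kit.invalid/dl.php?f=27 200 application/octet-stream
1351000010.000 10.0.0.9 GET http://news.invalid/ 200 text/html
1351000011.000 10.0.0.9 GET http://cdn.invalid/applet/lib.jar 200 application/java-archive
1351000040.000 10.0.0.5 GET http://benign-blog.invalid/style.css 200 text/css
"""

JAVA_TYPES = {"application/java-archive", "application/x-java-archive"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
REDIRECT_CODES = {301, 302, 303, 307}
WINDOW = 30.0  # seconds; a drive-by chain completes in seconds, not minutes


def parse_log(text):
    """Parse the six-column constructed format above into one dict per request."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        rows.append({
            "ts": float(ts), "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname or "", "status": int(status),
            "ctype": ctype.split(";")[0].lower(),
        })
    return rows


def is_jar(r):
    return r["ctype"] in JAVA_TYPES or r["url"].lower().endswith(".jar")


def is_binary(r):
    return r["ctype"] in BINARY_TYPES or r["url"].lower().endswith(".exe")


def find_chains(rows, window=WINDOW):
    """Return one record per client that fetched a JAR and then, within `window`
    seconds, a binary from the same host (Mainfile -> Downloadfile), together
    with the redirect hop(s) and landing page seen just before the JAR."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)

    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, jar in enumerate(reqs):
            if not is_jar(jar):
                continue
            payload = next(
                (r for r in reqs[i + 1:]
                 if r["host"] == jar["host"] and is_binary(r)
                 and r["ts"] - jar["ts"] <= window),
                None,
            )
            if payload is None:
                continue  # a JAR on its own is normal (applets, Web Start)
            before = [r for r in reqs[:i] if jar["ts"] - r["ts"] <= window]
            redirects = [r["url"] for r in before
                         if r["status"] in REDIRECT_CODES and r["host"] != jar["host"]]
            landing = next(
                (r["url"] for r in before
                 if r["status"] == 200 and r["ctype"] == "text/html"
                 and r["host"] != jar["host"]),
                None,
            )
            chains.append({
                "client": client,
                "landing_page": landing,
                "redirects": redirects,
                "exploit_host": jar["host"],
                "exploit": jar["url"],
                "payload": payload["url"],
                "seconds": round(payload["ts"] - jar["ts"], 1),
            })
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

The JAR-then-binary pair from one host is the anchor of the rule because that part of the chain is the same regardless of which compromised site or redirector fed the client in; the landing page and redirect hops are recorded so the responder knows which site to notify and which intermediate hosts to block.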
11. Exploits carried by the kit, by slot name:
spl0: empty
spl1: missing
spl2: MDAC exploit (MS06-014)
spl3: PDF
spl4: Windows Help and Support Center vulnerability
spl5: Flash (CVE-2011-0611)
spl6: Flash (CVE-2011-2110)
spl7: XML Core Services (CVE-2012-1889)
NOJS: Java (CVE-2010-0840)

Client details fingerprinted before an exploit is chosen:
Operating system
Web browser name and browser version
Adobe Flash version
Adobe Reader version
Java version
QuickTime
DevalVR
Shockwave
Windows Media Player
Silverlight
VLC Player
RealPlayer