TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... At the 2007 Black Hat Briefings in Las Vegas, TippingPoint DVLabs had five speakers presenting on a variety of topics.

BlackHole Exploit Kit


BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September of 2010 and ever since then has quickly been gaining market share over its vast number of competitors. In fact, many antivirus vendors now claim that this is one of the most prevalent exploit kits used in the wild.  Even Malware Domain List is showing quite a few domains infected with the BlackHole exploit kit. So what is it that makes this attack toolkit stand out above the rest?

While the number of reported infections by BlackHole kit is indeed impressive we think there is nothing truly revolutionary about this exploit kit. Part of its newfound success can be attributed to its rich feature set which it shares in common with myriad of other recent exploit kits such as Siberia Exploit Kit. The other major factor contributing to its success is its flexible pricing scheme. Unlike some other kits out there BlackHole uses a timed licensing plan. Users can purchase the annual license for $1500, semi-annual license for $1000, or just a quarterly license for $700. The license includes free software updates for the duration of the contract. For those malicious users with a commitment phobia the makers of the kit offer yet another solution. You can rent the kit (on the author’s servers) for $50 for 24 hours, $200 for 1 week, $300 for 2 weeks, $400 for 3 week, and $500 for 4 weeks. A domain name comes included with the rental agreement, but should you desire to change it you need to pay another $35. There’s also an array of other “services” such as changing the encryption method, which can be purchased by users on demand should the need arise. Another popular service is an AV checker that allows you to scan your payload files to make sure they’re not detected by any AV vendors. This service is very similar to VirusTotal, except its aimed for criminals because uploaded test files are not reported to any AV vendors. Yet another paid service is a domain change. Should your domain get blacklisted by any security vendors you can pay a small fee to have it changed.

One highly touted feature of BlackHole toolkit is its TDS or Traffic Direction Script. While this is not an entirely new concept in attack toolkits the TDS included her is much more sophisticated and powerful than those in other kits. A TDS is basically an engine that allows redirection of traffic through a set of rules. For example, a user can set up a set of rules that redirect flow to different landing pages on their domain. These rules could be based on operating system, browser, country of origin, exploit, files, etc. One rule might redirect traffic to page A for all users that are running Windows OS from XP to Vista and running IE 8, while another rule can redirect Windows 7 users to page B. Those were just simple example rules. More advanced rules could set expiration dates for certain payloads and replace them with new ones when the date is reached. The TDS included in BlackHole even goes the extra step and allows you to create traffic flows based on these rules and provides management interface for the flows. A savvy malicious user with a lot of experience could easily utilize this rule engine to increase their infection numbers.

From a web application standpoint BlackHole is built just like other kits, consisting of a PHP and MySQL backend. Since the majority of web servers run on the LAMP stack this enabled for very easy application deployment. The user interface for this kit is a cut about the rest, and it definitely looks nicer than almost any other attack kit we’ve analyzed. It resembles some of the best legitimate web apps we see in the world of commercial software.

Here’s a screenshot that shows various payloads delivered by this kit instance along with hit stats and other details:

Here’s another screenshot that shows the security module of BlackHole. This allows you to blacklist any addresses that you don’t want poking around your exploit kit.

As with any exploit kit this one comes pre-packaged with a bunch of exploits. Below is a list of CVEs that correspond to exploits packaged with BlackHole:

  • CVE-2010-1885   HCP
  • CVE-2010-1423   Java argument injection vulnerability in the URI handler in Java NPAPI plugin
  • CVE-2010-0886   Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-0842   Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0840   Java trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2009-1671   Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
  • CVE-2009-0927   Adobe Reader Collab GetIcon
  • CVE-2008-2992   Adobe Reader util.printf
  • CVE-2007-5659   Adobe Reader CollectEmailInfo
  • CVE-2006-0003   IE MDAC

Some of these exploits are pretty old, one even dating back to 2006 but that doesn’t mean that they’re not still effective. Take a look at these infection screens taken from the stats module.

Here’s a screenshot showing infection statistics sorted by exploit:

And here we have infection rates sorted by browser:

The following shows infection statistics organized by operating system:

As you can see some of the infection rates recorded in BlackHole kits are very high. Its worth noting that most of the CVEs found in BlackHole are also found in other exploit toolkits. However, what is interesting in this toolkit is the fact it uses Java OBE (in form of a JAR file) to serve up Java exploits. Java OBE (Open Business Engine) is a flexible, modular, standards-compliant open source Java workflow engine. This is something we haven’t seen before as other toolkits have not used open source projects like the OBE in the past. The exploits served by Java OBE are CVE-2010-0840 and CVE-2010-0842.

The attack typically works as follows. A victim visits an infected domain which has an iFrame pointing to the server hosting the exploit kit. BlackHole’s TDS, which we talked earlier, automatically directs the traffic to an exploit that would be most likely to work on the victim’s machine. That could be the Java OBE, IE, Adobe Reader, or any other exploit included. Chances are one of the Java exploits will be used, especially given the fact that 50% of exploits in this kit are Java based. If exploitation is successful malicious payload is delivered to the machine. The payload most often downloaded is the Carberp trojan. Carberp is a very dangerous trojan often compared to the likes of Zeus and has been gaining in popularity lately. Once Carberp is successfully installed on the machine it starts to talk to its C&C server from which it downloads additional modules. It downloads the following:

  1. - stopav.plug - Disables the antivirus if any is installed on the victim’s computer.
  2. - miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, deletes them. This is very similar to SpyEye behavior.
  3. - passw.plug – Key logger module. It hooks the export table of a number of WININET.dll and USER32.dll functions and will log all username/password combinations, as well as any URLs visited.

Afterwards more malware is installed to the victim’s computer, including Trojan.Zefarch and FakeAV. This trend of using Java exploits is becoming increasingly more common. It seems that Java exploits are becoming the weapon of choice by attack toolkit writers because of its cross-platform nature. Fortunately for you, if you’re using a TippingPoint IPS you are well protected. DVLabs has filters for 100% of CVEs found in this toolkit. Here are the filters as well as the matching CVEs for the BlackHole exploit kit:

  • CVE-2010-1885   9889
  • CVE-2010-1423   9697,9698
  • CVE-2010-0886   9697
  • CVE-2010-0842   9651
  • CVE-2010-0840   10985
  • CVE-2009-1671   10919
  • CVE-2009-0927   6255
  • CVE-2008-2992   6833
  • CVE-2007-5659   6435,6436
  • CVE-2006-0003   4244

On top of these filters we are also engaged in ongoing research projects where we continuously collect and analyze samples of newest exploit kits (and other types of malware) in order to quickly create filters that protect our customers. We’ve analyzed over two dozen web exploit kits in the past 6 months and are continuously working on acquiring new kits as soon as they’re released. We’ll keep you posted with further blogs as we discover new and interesting exploit toolkits.

Tags: malware,exploits,toolkits
Published On: 2011-04-26 10:00:00

Comments post a comment

  1. Chris Green commented on 2011-04-27 @ 10:05

    Of the listed signatures, the recommendation on many of them is to be disabled.

    10919: Disabled
    10985: B/N
    4244: Disabled
    6436: B/N
    6833: Disabled
    9651: Disabled
    9697: B/N
    9698: B/N
    9889: "Backdoor: Malicious PHP Backdoor Access" - Probably a typo meaning 9899: B/N

    I really don't think the Blackhole Exploit kit is well covered by either RepDV or existing filters. Our detections are coming off Snort + Emerging Threats rule set instead of being blocked by TippingPoint.

    Feel free to contact me for more details. I would love to see TP do a much better job of blocking exploit kits and mitigating impact.

  2. Trevor commented on 2011-06-09 @ 14:29

    Hi, I would like to send you a .java file that is one of the exploits currently being used by the latest release of blackhole, I think the cve list on the post is not correct.

    Could you send me an email so I can reply?

    Best regards.