2012-07-22 - Panel

Inside Blackhole Exploits Kit v1.2.4 - Exploit Kit Control Panel

Paunch Notification on Exploit.In about BH EK 1.2.4

Original text of the advert :
----------------------------------------

вышла версия 1.2.4

из новинок:
+ добавлен новый java эксплойт CVE-2012-1723 значительно прибавляющий в пробиве
+ добавлен новый flash эксплойт CVE-2011-2110

всех прошу за обновкой
----------------------------------------

Google Translation :
----------------------------------------

released version 1.2.4

of new products:
+ Added new java exploit CVE-2012-1723 add much to the punching
+ Added a new flash exploit CVE-2011-2110

All I ask for new clothes
----------------------------------------

BH EK - login Screen (English and Russian + PDA template)

BH EK - Statistics

BH EK - Threads (Note : Data has been intercepted and modified)

BH EK - Files (Note : Data intercepted and modified)

BH EK - Security

BH EK - Preferences (Note : Data has been intercepted and modified)

Known exploited vulnerabilities (feel free to comment if some are missing, see at the end for sources) :

CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier

SpiderLabs talked about
CVE-2011-0611 - Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll

In march with BH EK 1.2.3 :
CVE-2012-0507 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. (see video & Article from D. Harley at the end of this post)

And now :
CVE-2012-1723 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. (see video & Article from A. Matrosov at the end of this post)
CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability

Note Sophos has reported having seen on the thread of a BH EK :
CVE-2012-1889 Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

It's maybe not obvious to all readers but in fact BH EK is changing everyday to play his part in the "Poke A Mole" game with Antivirus

Picture S

(many other moving factors, payload packing (to avoid getting caught on 4), reverse proxies and domains rotation (to avoid blacklisting and fail on 2), JS obfuscation (at many stage of the attack, on chained redirection (step 2) and in the Blackhole (step 3) )

The Java Payload (stage 3 on Picture S) is moving on a daily basis . Here is what i found on a BH EK between June 21 and July 12 :

Ners.jar 7/12/2012 14h 5492569df2b1c63e2b97e443a9ce5cd6

Fiord.jar 7/12/2012 7h 3606d5f73ee0c3c2e1f1300c775b0de4

Korm.jar 7/11/2012 11h 89d7a711dd4df507f204a5c123c90add

Soo.jar 7/6/2012 13h db8cdc979b89134037d9b82c069d7b1c

Setl.jar 7/6/2012 8h 34d8df43c1e12778987b11e29df90dce

Forq.jar 7/5/2012 19h f00ca5d6ac7e8fb86b1b2cfc344d0b6c

Fwin.jar 7/5/2012 7h 9c682052f9a01c0e3e068c4fad9b42e5

Utor.jar 7/4/2012 11h f0a8b6c30c3cf588b406085dcfaa5bd9

Torm.jar 7/4/2012 8h 8c7198a479f58da0ebf71089848a8474

Ktu.jar 7/3/2012 15h 25c58b6a3a2bd9cf7ef559629e339b6d

Werd.jar 7/3/2012 10h fb0d62af177adf6db5ae323ff610663a