2012-07-22 - Panel

Inside Blackhole Exploits Kit v1.2.4 - Exploit Kit Control Panel



Paunch Advert on Exploit.In
Paunch Notification on Exploit.In about BH EK 1.2.4
Original text of the advert :
----------------------------------------

вышла версия 1.2.4

из новинок:
+ добавлен новый java эксплойт CVE-2012-1723 значительно прибавляющий в пробиве
+ добавлен новый flash эксплойт CVE-2011-2110

всех прошу за обновкой
----------------------------------------

Google Translation :
----------------------------------------

released version 1.2.4

of new products:
+ Added new java exploit CVE-2012-1723 add much to the punching
+ Added a new flash exploit CVE-2011-2110

All I ask for new clothes
----------------------------------------

BH EK - login Screen (English and Russian + PDA template)



BH EK - Statistics

BH EK - Threads (Note : Data has been intercepted and modified)


BH EK - Files (Note : Data intercepted and modified)
BH EK - Security
BH EK - Preferences (Note : Data has been intercepted and modified)


Known exploited vulnerabilities (feel free to comment if some are missing, see at the end for sources) :

CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier

SpiderLabs talked about
CVE-2011-0611 - Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll

In march with BH EK 1.2.3 :
CVE-2012-0507 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. (see video & Article from D. Harley at the end of this post)

And now :
CVE-2012-1723 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. (see video & Article from A. Matrosov at the end of this post)
CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability

Note Sophos has reported having seen on the thread of a BH EK :
CVE-2012-1889 Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

It's maybe not obvious to all readers but in fact BH EK is changing everyday to play his part in the "Poke A Mole" game with Antivirus
Picture S
 (many other moving factors, payload packing (to avoid getting caught on 4), reverse proxies and domains rotation (to avoid blacklisting and fail on 2), JS obfuscation (at many stage of the attack, on chained redirection (step 2) and in the Blackhole (step 3) )

The Java Payload (stage 3 on Picture S) is moving on a daily basis . Here is what i found on a BH EK between June 21 and July 12 :
Ners.jar 7/12/2012 14h 5492569df2b1c63e2b97e443a9ce5cd6
Fiord.jar 7/12/2012 7h 3606d5f73ee0c3c2e1f1300c775b0de4
Korm.jar 7/11/2012 11h 89d7a711dd4df507f204a5c123c90add
Forq.jar 7/5/2012 19h f00ca5d6ac7e8fb86b1b2cfc344d0b6c
Utor.jar 7/4/2012 11h f0a8b6c30c3cf588b406085dcfaa5bd9
Werd.jar 7/3/2012 10h fb0d62af177adf6db5ae323ff610663a
Sfer.jar 7/2/2012 10h 40b935f4d94a833970ab15d97cc701d2
Raik.jar 6/29/2012 9h 21005b50e943b5ba9fd1293ce91712f0
Story.jar 6/28/2012 10h c1be79c022ddcc603425e505f4a277f0
Look.jar 6/28/2012 7h dc2696e1ba3066b438e80d0c1cd678b4
Ruben.jar 6/27/2012 21h 9a6588c63e5df579fbf07db07529d694
Tip.jar 6/27/2012 21h bcd41b287bcbdae48192a79acbe1974d
Short.jar 6/27/2012 21h b5c7cb36b8c12ceaddb3ad2c74058bb6
Poly.jar 6/26/2012 17h f1debc7bd7b454463a060c06af0810b2
Tyke.jar 6/26/2012 11h 65d41d0088db28a528d9bcdcaae8f583
Kort.jar 6/25/2012 17h d024fbdc31ffb946982b0f2858205b15
Tool.jar 6/23/2012 8h 2741b191ca5fb3e7ec7e984a6006f03c
Tom.jar 6/22/2012 13h 1556fda12bb727321c83c4fa058e0dad
Kellt.jar 6/22/2012 10h bc61e825fb695e76ac7dd5b93b12d14b
Kelt.jar 6/22/2012 7h bc61e825fb695e76ac7dd5b93b12d14b
Trop.jar 6/21/2012 16h d33a721138dd69941c5768420abec45a
Ruel.jar 6/21/2012 15h 151084c92ef8f937aeacdadeb52fefa8
Half.jar 6/21/2012 7h caa0bce0418540a39fbe1a12d6c6d116
Com.jar 6/18/2012 10h d439b9fe666d869dc1d394928f963fb1
Note that when they appear it's often a 1 or 2/42 on Virustotal meaning that stage 3 of the Attack will likely work if your software (browser plugins) are not up to date.


If you want to read more about recent move of Blackhole Exploits Kit look this (newer first) :

The rise of a new Java vulnerability - CVE-2012-1723
Jeong Wook - Microsoft Malware Protection Center - 1st Aug 2012

An Examination of Java Vulnerability CVE-2012-1723
Masaki Suenaga - Symantec - 27 Jul 2012

The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date
Tim Rains - Microsoft Security Blog - 19 Jul 2012

What did the Java applet say to the SWF? Don't leave me alone in this Blackholeee!
SpiderLabs - 16 Jul 2012

Java the Hutt meets CVE-2012-1723: the Evil Empire strikes back
Aleksandr Matrosov - ESET Threat Blog - 10 Jul 2012

New Java Exploit to Debut in BlackHole Exploit Kits
Brian Krebs - KrebsOnSecurity - 5 Jul 2012

Wham Bam, the Cutwail/Blackhole Combo
Phil Hay - SpiderLabs - 2 Jul 2012

Zero-day XML Core Services vulnerability included in Blackhole exploit kit
Fraser Howard - NakedSecurity (Sophos) - 29 Jun 2012

Java CVE-2012-0507 / CVE-2011-3521
Mila - Contagio - 31 Mar 2012

Blackhole, CVE-2012-0507 and Carberp
David Harley - ESET Threat Blog - 30 Mar 2012

More about CVEs and EK :
An Overview of Exploit Packs (Update 16)
Mila - Contagio - 3 Avr 2012 (Based on François Paget's An Overview of Exploit Packs (McAfee - 28 May 2010) )

EXPLOIT-KIT
CVE-2012-1723 update inside view ad Exploit Kit inside Blackhole Exploit's Kit