2012-09-13 - Study

Fast look at an infection by Blackhole Exploit Kit 2.0

Bet there is a new logo...but don't have it

If you didn't know that Blackhole Exploit Kit has been rewritten as version 2.0, take a look at this post.
All files here : http://kafeine.minus.com/mbkP1Nl0bC

Goal of this post: show what an infection via the new version of Blackhole looks like.
Forget the main.php?page=0123456789abcdef landing and its variants; that's (almost) over now.
Will maybe update later with other vuln paths or other information related to 2.0.


Video of the infection described below in 1... Useless, but I like visual things. I did not wait till Live Security Platinum popped up because I did not know if the payload had a GUI.


1 - Here is the complete Fiddler trace for a CVE-2012-4681 infection path:

200 http://46.249.37.118 /links/differently-trace.php --> a464b3414a32203b10cf89e84b884609  (anubis report)
200 http://46.249.37.118 /links/differently-trace.php?
zexl=36070905070437020234050505343634353405060636060a330902340a033505
&lgyzvu=4833&evwi=nfsl&izcjjjxl=ycvrg --> d7f16e839aa3b0ec02c5d798ee184a5a (VT report)
Seems to be the same Jar that we found at the same time on Blackhole instances not yet updated.
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
200 http://46.249.37.118 /links/differently-trace.php?zexl=36070905070437020234050505343634353405060636060a330902340a033505
&lgyzvu=4833&evwi=nfsl&izcjjjxl=ycvrg  --> d7f16e839aa3b0ec02c5d798ee184a5a (yes same.. (?) )
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class
200 http://46.249.37.118 /links/differently-trace.php?xwwrf=36070905070437020234050505343634353405060636060a330902340a033505
&fvjmvlke=03090708363335340408&vene=02&fch=lsm&wka=sxi --> a4ee53b38e3a8a1fdd720cb035d9873f  User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
404 http://46.249.37.118 /links/differently-trace.php?gceol=36070905070437020234050505343634353405060636060a330902340a033505
&plq=45&lqhsb=03090708363335340408&sfemv=02000200020002
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class

Files are available here: http://minus.com/lCoPbeqIs8DLr
Fiddler session is here: http://minus.com/lbjapThXMLSl6K

The payload, just for those who wonder. Out of the scope of this post.
<edit2>

2 - One more CVE-2012-4681 infection:


200 http://level.liborscam.info /links/tune-spreads-action.php --> a1f3cca2be43825b25ec39cd10082083 (Wepawet showing PluginDetect, pointed out by Websense and Aleksandr Matrosov)
200 http://level.liborscam.info /links/tune-spreads-action.php?ivpnaza=3306380338020a0b0b02360609350608350409050334350933080a3505063308
&oxn=3533&kqztigi=kkwxmuax&zuc=uvvibjqq --> 6a3757841ff61752fd24cbb84f67418c (VT report)
302 http://level.liborscam.info /links/getJavaInfo.jar
200 http://level.liborscam.info /links/tune-spreads-action.php?ivpnaza=3306380338020a0b0b02360609350608350409050334350933080a3505063308
&oxn=3533&kqztigi=kkwxmuax&zuc=uvvibjqq --> 6a3757841ff61752fd24cbb84f67418c (same)
302 http://level.liborscam.info /links/getJavaInfo.jar
200 http://level.liborscam.info /links/tune-spreads-action.php?uxytgf=3306380338020a0b0b02360609350608350409050334350933080a3505063308
&abnczdde=06090a3708050a063402&jvfagfn=02&pusr=uwelha&tibqqyl=rpfarbmb --> 18fb6c377458e52559b6044aed21b3f1 (VT report - must be a Reveton Ransomware because we can see an IP of the RP owned by our squatter from AS57999)
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06

302 http://level.liborscam.info /links/A.class
302 http://level.liborscam.info /links/A.class

Files are available here: http://minus.com/lbyzmpVJY34jSE

Fiddler session is here: http://minus.com/lwwbnnmDejV7C

Note: where I have been hit I got a combo: Redkit + BH EK 2.0, and ended up with Karagny, Zeus? (config: http://91.238.82.95:80[/]_cp/gate.php) and Reveton. Looks like one traffer is selling to 2 different clients.


Double Strike: BH EK 2.0 + Redkit EK
Full Fiddler session is here: http://minus.com/ljRcUfVcqI7yo if someone wants to sort this out.

</edit2>
<edit3>

3 - MDAC infection:

GET http://delivery.trafficbroker.com /rd.php?http://212.59.118.144/links/middle_granting.php
200 OK (text/html)

GET http://212.59.118.144 /links/middle_granting.php
200 OK (text/html)

GET http://java.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab
301 Moved Permanently to http://javadl-esd.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab

GET http://javadl-esd.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab
404 Not Found (text/html)

POST http://activex.microsoft.com /objects/ocget.dll
404 Not Found (text/html)

POST http://codecs.microsoft.com /isapi/ocget.dll
404 Not Found (text/html)

POST http://activex.microsoft.com /objects/ocget.dll
404 Not Found (text/html)

GET http://212.59.118.144 /links/middle_granting.php?rzy=37060a0933&qebtfeoy=39&arowcw=06090a3708050a063402&qxlhwqt=02000200020002
200 OK (application/pdf)  <-- eedfd.pdf 43497a7060d68bd1ef5add8276858c0e

GET http://212.59.118.144 /links/middle_granting.php?bjg=37060a0933&lsry=06090a3708050a063402&vedpt=04&cljdwo=cxlcbbox&aeh=wtorw
200 OK (application/x-msdownload) <-- Reveton Ransomware adbb24c15db2575d1d5415a17ac1010b

POST http://codecs.microsoft.com /isapi/ocget.dll
404 Not Found (text/html)

</edit3>
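The three traces above (the two CVE-2012-4681 paths and the MDAC path) share the same request-chain shape: a query-less landing on /links/<words>.php, follow-up requests to that same script whose parameter names are throwaway lowercase strings and whose first value is a hex-encoded token, the getJavaInfo.jar / A.class probes, and a final payload GET carrying a Java user agent. As an added example (not code from this post, and nothing taken from the kit itself), here is a small Python triage script that applies those features to Fiddler-style notes written in the format used above. The sample lines are constructed from the post's own entries (the MDAC lines are rewritten from the "GET ... / 200 OK" form into the status-first form); the scoring weights, the threshold and the minimum hex-token length are my own heuristics, not anything the kit defines.

```python
"""Flag Blackhole 2.0-style request chains in Fiddler-style traffic notes."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, modelled on the traces quoted in the post (hosts, paths and
# MD5s from the post). The last line is a benign control request for contrast.
SAMPLE_TRACE = """
200 http://46.249.37.118 /links/differently-trace.php --> a464b3414a32203b10cf89e84b884609
200 http://46.249.37.118 /links/differently-trace.php?zexl=36070905070437020234050505343634353405060636060a330902340a033505&lgyzvu=4833&evwi=nfsl&izcjjjxl=ycvrg --> d7f16e839aa3b0ec02c5d798ee184a5a
404 http://46.249.37.118 /links/getJavaInfo.jar
404 http://46.249.37.118 /links/A.class
404 http://46.249.37.118 /links/A/class.class
200 http://46.249.37.118 /links/differently-trace.php?xwwrf=36070905070437020234050505343634353405060636060a330902340a033505&fvjmvlke=03090708363335340408&vene=02&fch=lsm&wka=sxi --> a4ee53b38e3a8a1fdd720cb035d9873f User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
200 http://212.59.118.144 /links/middle_granting.php
200 http://212.59.118.144 /links/middle_granting.php?rzy=37060a0933&qebtfeoy=39&arowcw=06090a3708050a063402&qxlhwqt=02000200020002 --> 43497a7060d68bd1ef5add8276858c0e
200 http://212.59.118.144 /links/middle_granting.php?bjg=37060a0933&lsry=06090a3708050a063402&vedpt=04&cljdwo=cxlcbbox&aeh=wtorw --> adbb24c15db2575d1d5415a17ac1010b
200 http://www.example.org /blog/index.php?page=3&sort=date
"""

HOST_PATH_GAP = re.compile(r"(https?://[^\s/]+) (/)")  # "http://host /path" as printed in the post
HEX_TOKEN = re.compile(r"^[0-9a-f]{10,}$")            # hex-encoded first parameter value (length is a heuristic)
RANDOM_NAME = re.compile(r"^[a-z]{3,8}$")             # throwaway parameter names such as zexl, lgyzvu
PROBE_SUFFIXES = ("/getJavaInfo.jar", "/A.class", "/A/class.class")
HASH_RE = re.compile(r"-->\s*([0-9a-f]{32})")


def parse_trace(text):
    """Turn one Fiddler-style note per line into dicts: status, url, ua, md5."""
    records = []
    for raw in text.strip().splitlines():
        line = HOST_PATH_GAP.sub(r"\1\2", raw.strip())   # re-join host and path
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        rest = parts[2] if len(parts) == 3 else ""
        ua = rest.split("User-Agent:", 1)[1].strip() if "User-Agent:" in rest else ""
        m = HASH_RE.search(rest)
        records.append({"status": int(parts[0]), "url": parts[1], "ua": ua,
                        "md5": m.group(1) if m else ""})
    return records


def is_encoded_query(query):
    """Fingerprint: >= 3 parameters, all with random lowercase names, first value hex."""
    params = parse_qsl(query, keep_blank_values=True)
    if len(params) < 3 or not all(RANDOM_NAME.match(k) for k, _ in params):
        return False
    return bool(HEX_TOKEN.match(params[0][1]))


def correlate(records):
    """Score each host on the chain features seen in the traces (weights are ours)."""
    hosts = defaultdict(lambda: {"landing": False, "encoded_queries": 0,
                                 "probes": 0, "java_ua_payload": False, "hashes": []})
    for rec in records:
        u = urlsplit(rec["url"])
        h = hosts[u.netloc]
        if u.path.endswith(".php") and not u.query:
            h["landing"] = True
        if u.query and is_encoded_query(u.query):
            h["encoded_queries"] += 1
            if "Java/" in rec["ua"]:            # payload fetched by the JRE, not the browser
                h["java_ua_payload"] = True
        if u.path.endswith(PROBE_SUFFIXES):
            h["probes"] += 1
        if rec["md5"]:
            h["hashes"].append(rec["md5"])
    for h in hosts.values():
        # landing (1) + encoded queries (max 2) + probes (max 2) + Java UA payload (2)
        h["score"] = (int(h["landing"]) + min(h["encoded_queries"], 2)
                      + min(h["probes"], 2) + 2 * int(h["java_ua_payload"]))
    return dict(hosts)


def suspicious_hosts(text, threshold=3):
    """Hosts whose chain looks like a landing -> exploit -> payload sequence."""
    return sorted(host for host, h in correlate(parse_trace(text)).items()
                  if h["score"] >= threshold)


if __name__ == "__main__":
    for host, info in correlate(parse_trace(SAMPLE_TRACE)).items():
        print(host, info["score"], info["hashes"])
    print("flagged:", suspicious_hosts(SAMPLE_TRACE))
```

The MDAC host scores lower than the Java hosts because that path has no getJavaInfo.jar / A.class probes and the payload is fetched by the browser rather than the JRE; the threshold of 3 is set so that a landing plus two encoded follow-ups is still enough. The ocget.dll POSTs and the jinstall cab fetch in trace 3 go to third-party hosts, so this per-host correlation cannot attach them to 212.59.118.144; a time-window correlation across hosts would be the next step.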

> Yes, Tor exit nodes are escaped.
> Yes, a double tilt from the same IP won't trigger the landing twice (502 error - 0).

Is BH EK 2.0 exploiting CVE-2012-1535, which affects Flash 11.3.300.270 and earlier?... Paunch never mentioned it. Please, anyone, comment if I'm wrong. This thread of Blackhole at least was not using it.


One useless video showing a computer vulnerable only (...as far as we know) to CVE-2012-1535 running fine through this thread of that BH EK.

Edit: 13/09/12 - 08:03am - Added remark regarding PluginDetect after the Websense post.
Edit 2: Removed the remark regarding PluginDetect... it's indeed part of the BH EK 2.0 double check, after Aleksandr Matrosov's tweet; it is the first landing in Fiddler trace 1.
Edit 3: Added infection path: MDAC.
Edit 4: Added User-Agent information on the final payload GET.
Note: Have tried infection triggering CVE-2012-0507 (Atomic on JRE 1.6u30) and CVE-2012-1723 (JRE 1.6u32). Both "successful".
User-Agent: Java/1.6.0_30 on Final payload GET
User-Agent: Java/1.6.0_32 on Final payload GET