To illustrate a forthcoming post on the Blackhole transition, here are some numbers for the "/home/" (aka q.php) Blackhole, the one fuelled by Darkleech.
Note: the Darkleech module filters on User-Agent. Infection is attempted only on IE (so the Opera/Mozilla and other browser entries in the stats are researchers, honeyclients, etc.). Blackhole then also filters on IE (hence 0 infections for other browsers).
|Note: Thread Name. Number of Loads.|
Browser filter on the Blackhole side too.
|File: q.php = Pony - Thread mod1|
Lock: a.php = Nymaim.a - Thread adult (inactive since December)
They were pushing Pony, which (depending on your country) then pushed Urausy or Nymaim.b (which itself loaded Zaccess or the Nymaim.a ransomware). Sébastien Duquette from Eset wrote a nice post about that.
|Nymaim.A - Urausy Variant |
with B&W Zoo/CP images
(Careful: this design has also been used by Bomba Locker)
|Nymaim.A - US Design|
2013-04-09 - 20:17 (RU Time) - 31081 infections in 20 hours
|q.php Blackhole - 2013-04-09 - 20:17 RU Time|
Note the thread name: mod1
|2013-04-09 - 21:07|
(numbers accumulated since Monday, the day before: 45 hours)
2013-04-11 - 22:22 - 29398 infections in around 22 hours
|q.php Blackhole - 2013-04-11 - 22:22 RU Time|
2013-04-12 - 20:29 - 26319 infections in 20.5 hours
|q.php Blackhole - 2013-04-12 - 20:29 RU Time|
Note: the Reveton group was doing as well as this (at least in Oct/Nov 2012) with Cool EK.
Read more:
There is a huge number of posts about this group, so I made a selection.
Dissecting FireEye's Career Web Site Compromise - 2013-09-18 - Dancho Danchev
The Home Campaign: overstaying its welcome - 2013-07-02 - Sébastien Duquette - Eset
The Evil Came Back: Darkleech's Apache Malware Module - 2013-03-24 - Hendrik Adrian - MalwareMustDie
1940 IPs for a BHEK/ULocker server - 2012-09-14 - Nexcess-Net
Post-publication reading:
Nymaim: Browsing for trouble - 2013-10-23 - Jean-Ian Boutin - Eset