I am still focused on Blackhole 2.0 and in my last article here, I examined the URL pattern. The regex in this previous article is good at detecting the entry points and the exploit as it is occurring, but not the binary get request. This was because of too many false positives for sites like facebook (credit for the teamwork to
This is an ongoing series where my intel will be posted as I get it. Feedback to me on twitter @fknsec. Also, check out #malwaremustdie on twitter.
Blackhole 2.0 Entry Point/PDF/PK Pattern
Content type/MIME type:application/pdf
Content type/MIME type:application/pdf
\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}$
Blackhole 2.0 Binary Get Request Pattern
Content type/MIME Type: application/x-msdownload
Content type/MIME Type: application/x-msdownload
\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$
Blackhole 2.0 - All About the PDF
 |
| Screen Cap 1: Adobe Reader uninstalled, still prompts for PDF. |
 |
| Screen Cap 2 This sample really, really wanted me to log into Bank of America. |
Once the PDF is downloaded and executed, the system requests one or a series of PK files which java executes.
Trying to Stop the Exploit (and failing miserably)
I tried a series of moves to stop the exploit, all but one of which failed, and the other was inconclusive.- Disabling Javascript in Adobe Reader - failed to stop the exploit.
- Configured "Security Enhanced" to prevent any PDF from accessing the internet - failed to stop the exploit.
- Removed Adobe Reader - Website prompted me to save the PDF (see second screen cap)
- Installed Foxit Reader with "Security Enhancements" enabled - failed to stop the exploit.
- Configured DEP for all windows programs - inconclusive. I saw a binary get request and the malware downloaded and showed up in the task manager, but then it disappeared. I need more data on this before I can speak further on this.
Interesting enough a majority of the cases I reviewed, the actual malware launched was install_0_msi.exe followed by a KB<random number>.exe, presumably a pony downloader followed by Zeus-family.
 |
| Screen Cap 3: Look at the task manager. Java and AcroRd32.exe. The AcroRd32.exe is processor intensive when it opens. Nothing shows on the screen to indicate it Adobe launched. |
 |
| Screen Cap 4 Adobe and Foxit Readers security settings do not stop this attack. In my lab, disabling Java does not affect it, neither does restricting PDF access to the internet. |
Characteristics of the Blackhole 2.0 Binary Get Request:
First off, check out this article posted by Rise on malwarereports.blogspot.com
Rise decodes the parameter values in the jar file to understand how blackhole passes the URL.
The Get Request:
- The Regex for the URL string is \.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$
- The get requests are all performed by the user agent "Java", in these cases it was update 29.
- The get requests contains no referrer, (but the PDFs do)
The Response:
- Server: nginx - Be wary this could easily be changed.
- Content-Type: application/x-msdownload
- Cache-Control: must-revalidate, post-check=0, pre-check=0 - (I would not rely on this one)
- Content-Disposition: attachment; filename="
- The file names were one of three possibilities I observed:
- readme.exe
- info.exe
- about.exe
- Content-Transfer-Encoding: binary
URLs (Binary get request only)
/forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m /links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&pr=n&od=v /links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b&tj=k /links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h /forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g /detects/signOn_go.php?ef=050934030b&me=0b350707040802093705&k=02&hz=k&kb=d /links/calls_already_stopping.php?qf=050934030b&ue=0b36340b353507360208&p=02&kp=c&lr=p
Examples:
GET /forum/links/column.php?tf=0735020b0b&ve=3307093738070736060b&f=02&nu=j&rw=m
HTTP/1.1
User-Agent: Java/1.6.0_29
Host: sonatanamore.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OKNext example
Server: nginx/1.0.10
Date: Sun, 07 Oct 2012 05:09:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 07 Oct 2012 12:42:41 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 92160
GET /links/observe_resources-film.php?gf=050934030b&fe=0a050304380b37370a36&c=02&
pr=n&od=v HTTP/1.1
User-Agent: Java/1.6.0_29
Host: corandomotorider.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 20 Oct 2012 23:17:50 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 444494
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Sat, 20 Oct 2012 23:17:50 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binaryNext example
GET /links/keyboard_aid_feeds.php?mf=050934030b&ue=0506050a0b0934070b06&h=02&jx=b
&tj=k HTTP/1.1
User-Agent: Java/1.6.0_29
Host: postpozic.8x.biz
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sat, 20 Oct 2012 23:24:20 GMT
Content-Type: application/x-msdownload
Content-Length: 368640
Connection: keep-alive
Pragma: public
Expires: Sat, 20 Oct 2012 23:23:24 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Next example
GET /links/around_film.php?rf=050934030b&le=08040534050337333736&x=02&qb=o&zt=h H
TTP/1.1
User-Agent: Java/1.6.0_29
Host: 94.23.43.55
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 21 Oct 2012 00:31:48 GMT
Content-Type: application/x-msdownload
Content-Length: 73326
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.2
Pragma: public
Expires: Sun, 21 Oct 2012 00:31:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Next example
GET /forum/links/column.php?ff=050934030b&we=3307093738070736060b&q=02&jn=p&ep=g
HTTP/1.1
User-Agent: Java/1.6.0_29
Host: secondhand4u.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 00:54:11 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 00:52:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040
Conclusion
In conclusion, I hope that you can use this information to combat this exploit kit. As always, I welcome suggestions, feedback and teamwork.
Possible snort rules (I'm still testing these).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blackhole 2.0 Binary Get Request"; content:"GET"; offset:0; content:"User-Agent: Java/1.6"; content:!"Referer"; pcre:"/\.php\?\w\w\=[a-f0-9]{10}\&\w\w\=[a-f0-9]{20}\&\w\=[0-9]{2}\&\w\w\=\w\&\w\w\=\w$/U"; classtype:successful-user; sid:98800058;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Blackhole 2.0 binary download"; content:"HTTP/1"; content:"Content-Type: application/x-msdownload"; content:"Content-Disposition: attachment|3b| filename="; distance:0; content:"Content-Transfer-Encoding: binary"; distance:0; nocase; pcre:"/filename\=\"(readme.exe|info.exe|about.exe)/smi"; classtype:successful-user; sid:98800059;)
Shout out to @malwaremustdie and the #malwaremustdie team.
