THE EVOLUTION OF
BLACKHOLE
Chris Astacio
Websense
What Is An Exploit Kit
What is an exploit kit?
A collection of exploits targeting client browser or browser-plugin vulnerabilities over the web.
Drive-by download sites
Hacking for Dummies
Past exploit kits
Phoenix (PEK) dates back to 2007; Siberia, Mpack, IcePack, Neosploit, Hierarchy
Typically fluctuating in usage and popularity
Exploits and admin relatively static
Effectiveness declines with patching
What Is Blackhole Exploit Kit?
Top exploit families detected by Microsoft anti-malware products in the second half of 2011 and first half of 2012
What Is Blackhole Exploit Kit?
Creator of Blackhole Exploit Kit is known as "Paunch"
Most prevalent on the web
Websense: 65% of all exploit kit detections
Microsoft: leads exploit kit families in prevalence by a factor of 2
Typical Kit
Fluctuating popularity
Exploits and admin static
Limited evasion techniques
Blackhole
King of the Kits
Constant addition of exploits
Features continually updated
How is Blackhole used?
An attacker has a binary to infect victims
Could be custom or one built from a kit like Zeus or Spyeye
The attacker licenses Blackhole Exploit Kit and specifies various options to customize
How long?
Rent or host on your own?
Traffic is sent to Blackhole's landing page via one of many vectors
Compromised web sites
Email
How is Blackhole used?
Blackhole's landing page contains obfuscated JavaScript used to profile and possibly exploit the potential victim
OS, Geolocation, Browser, Plugins
If the client browser or plugins are vulnerable to one of Blackhole's exploits, a malicious binary is loaded to infect
This is the binary created by the user of Blackhole; it could be anything for Windows infection!
Blackhole Service Options
Attacker can rent the kit
Blackhole author hosts the kit for a day, week, or month
Each of the above options also has daily limits of 50k or 70k hits
This option offloads the overhead of having to set up hosting and install the pack
Could benefit the attacker
Feature updates or new exploits could roll out during rental
Blackhole Service Options
Purchasing the kit is also an option
Typically, this means more overhead for the attacker
Domain registration and hosting
Kit is uploaded and install instructions are provided
License is for 3, 6, or 12 months
The purchase is also bound to a specific domain/IP
This can be removed for an additional fee
This means exploits, features, etc. are static
Backend Code Protection
Historically, some kits are ripped from others
PHP code is the same but admin panel has a different skin
Backend Code Protection
To prevent this, Blackhole Exploit Kit uses ionCube
ionCube is a legitimate PHP encoding tool
Protects source code by encoding
Provides the ability to license code for a duration of time
Allows the binding of code to IP or domain
Backend Code Protection
Quote on the benefits of using ionCube:
"Product Developers: protect and license your code before distribution. Time restricting is ideal for protecting evaluation copies, and server/domain based locking helps secure revenue from multiple domain deployments."
Vectors Of Attack
Compromised web sites
Vectors Of Attack
Injected obfuscated scripts
Vectors Of Attack
Plain English, or deobfuscated, script
Vectors Of Attack
Finally, Blackhole landing page
Vectors Of Attack
Very strong similarities between iFramer and Blackhole: similar code structures and sometimes the same algorithm!!
Vectors Of Attack
Malicious email campaigns
Vectors Of Attack
Compromised web site
Vectors Of Attack
Finally, Blackhole landing page
Landing Page
Historically, kits change their obfuscation techniques only on version releases
Blackhole seems to change its obfuscation, on average, every two months!
December 2010
February 2011
March 2011 Changed 3 times!
April 2011
July 2011
September 2011
December 2011
February 2012
May 2012
June 2012
October 2012
Landing Page
First detection of Blackhole was in December 2010
Landing Page
Next change in obfuscation was February 2011
Landing Page
In March 2011 obfuscation changed 3 times!
Same algorithm just minor changes in implementation
Landing Page
Another change in April 2011
Landing Page
Next major change came in December 2011
Landing Page
February 2012
Landing Page
May 2012
Landing Page
October 2012
Landing Page
This is what the landing page currently looks like
Landing Page
Deobfuscated landing page code is quite extensive
First version of Blackhole contained just over 1,000 lines
Latest version of Blackhole contains almost 2,000 lines
Interesting client profiling code
Landing Page
Hopefully at this point you've noticed the applet code I've highlighted
value='e00oMDDmuXkN.Rm_NuVqRmDBVoeoju8gW6h83
value="iNN/%wwZRYX:kXErDwbE/i/BL9XY7P9Y
value="Mjjdo##JO1ZsVOsVV#wsdMdCRWfD&/W1
value="vssMlgg=9Po9Pd59PdB=gOFU6gYPMvM-Vcd=G6cr
value="rOOSqttzw5&EklEkkt?ESrSIWAfnU-An
value=http://....
These are generated by a Java obfuscator called Allatori
In particular, Allatori string encryption is being used to obfuscate URLs in the applet code
Zero Day Bonus
Java 0-day (CVE-2012-4681) was actually first discovered in a kit called Gondad Exploit Kit.
Incorporated into Blackhole within a week!
Zero Day Bonus
Java 0-day (CVE-2013-0422) was shared on underground forums.
"Paunch put it in as a New Year's gift" (Brian Krebs)
Admin Panel
Captcha required for login
Admin Panel
Traffic stats, load success rate, and something extra
Admin Panel
Three different advertisements shown in this panel
Iframe or script encryption services
Hosting services
Mass domain registration services
All 3 of the services seem to be targeted at Blackhole's clientele
Admin Panel
DoItQuick: a private mass registration service
Admin Panel
Crypt.am seems to also be a private encryption service
Admin Panel
Back to the admin panel, it also provides blocked stats
Admin Panel
Custom blacklisting
Admin Panel
Default set of clients to blacklist: over 132k
Admin Panel
Anonymous AV checks: virtest & scan4you
Have the option of changing domains after too many detections
Admin Panel
Admin panel for phone clients!
Discovered by Malware Intelligence
History of Releases
Version Release
1.0 August 2010
1.0.2 November 2010
1.1.0 June 2011
1.2.0 November 2011
1.2.1 December 2011
1.2.2 February 2012
1.2.3 March 2012
1.2.4 July 2012
2.0 September 2012
Version 2.0 Announcement
Version 2.0 Announcement
A number of new traffic blocking options
Block or allow specific referrers
Block traffic without referrers
Block based on a bot IP list
Block TOR traffic
Recording mode
Recording mode is most interesting
Assumes all traffic after your campaign is researcher or AV traffic
Adds the client IPs from this traffic to the bot IP list
Version 2.0 Announcement
Blackhole 2.0 was meant to focus more on evasion
Prevent researcher analysis and thus security detection
URL structure changes
"Traffic unfortunately was recognizable for AV companies and reversers, for example, /main.php?varname=lgjlrewgjlrwbnvl2. The new version allows for URLs you can make yourself."
Disposable hosts
"Now generate a dynamic URL, which is valid for a few seconds; you need only one infection."
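Two of the points above lend themselves to a defender-side check: the Allatori-encrypted applet parameters (the `value=` strings no longer look like URLs) and the pre-2.0 URL structure quoted in the announcement, which was easy to signature and which 2.0 deliberately made customisable. The following is an added example, not code from the presentation or from the kit itself. It applies two triage heuristics to constructed sample data (the first applet value is the one shown on the slide; everything else, including the proxy log lines and the `example.invalid` host, is made up): an entropy-and-character-class check on `<param>` values to spot encrypted strings, and a comparison of the brittle legacy URL signature against a more generic "long alphanumeric token as the only query parameter" heuristic that still catches a customised path.

```python
"""Triage heuristics for Blackhole-style artefacts.
Added example, not the kit's code or the presenter's tooling; all sample data is constructed."""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed landing-page fragment. The first parameter is the Allatori-encrypted
# value shown on the slide; the second is a readable URL for contrast.
LANDING_PAGE = """<applet code="Demo.class" archive="/data/Applet.jar" width="1" height="1">
<param name="one" value="e00oMDDmuXkN.Rm_NuVqRmDBVoeoju8gW6h83">
<param name="two" value="http://example.invalid/download/file.exe">
<param name="three" value="true">
</applet>"""

# Constructed proxy log lines in the form "client server request_path".
# Line 1 uses the pre-2.0 URL quoted in the announcement; line 3 is a made-up "custom" URL.
PROXY_LOGS = [
    "10.0.0.5 203.0.113.10 /main.php?varname=lgjlrewgjlrwbnvl2",
    "10.0.0.7 203.0.113.10 /news/2012/10/article.html",
    "10.0.0.9 198.51.100.3 /cgi/show.php?id=qwxg7rhtnpl9ksdf3vz",
    "10.0.0.9 198.51.100.3 /about.html?lang=en",
]

PARAM_VALUE = re.compile(r'<param\b[^>]*\bvalue=["\']([^"\']*)["\']', re.IGNORECASE)
# Signature for the legacy URL structure; works only until the path is customised.
LEGACY_BLACKHOLE_URL = re.compile(r"/main\.php\?varname=[A-Za-z0-9]+")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_url(value: str) -> bool:
    parts = urlsplit(value)
    return bool(parts.scheme and parts.netloc)


def suspicious_applet_params(html: str, min_len: int = 20, min_entropy: float = 3.5) -> list:
    """Applet parameter values that are long, mix several character classes, have high
    entropy and do not parse as URLs: the shape of an Allatori-encrypted string.
    Readable URLs and short flags such as "true" are left alone."""
    flagged = []
    for value in PARAM_VALUE.findall(html):
        if len(value) < min_len or looks_like_url(value):
            continue
        classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes >= 3 and shannon_entropy(value) >= min_entropy:
            flagged.append(value)
    return flagged


def legacy_signature_hits(lines: list) -> list:
    """Log lines matching the pre-2.0 URL pattern; misses any customised path."""
    return [line for line in lines if LEGACY_BLACKHOLE_URL.search(line)]


def token_query_hits(lines: list, min_len: int = 12) -> list:
    """Generic heuristic: a .php request whose single query parameter is a long token
    of letters and digits. Deliberately broad (session ids will match too), so this
    is a triage lead to pivot on, not a verdict."""
    hits = []
    for line in lines:
        parts = urlsplit(line.split()[-1])
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not parts.path.endswith(".php") or len(params) != 1:
            continue
        value = params[0][1]
        if len(value) >= min_len and value.isalnum() and not value.isalpha() and not value.isdigit():
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("encrypted applet params:", suspicious_applet_params(LANDING_PAGE))
    print("legacy signature:", legacy_signature_hits(PROXY_LOGS))
    print("token heuristic:", token_query_hits(PROXY_LOGS))
```

Run stand-alone, the script flags only the slide's encrypted value among the applet parameters, the legacy signature matches just the `/main.php?varname=` line, and the token heuristic catches both that line and the customised `/cgi/show.php` request. The gap between the last two lists is the point of the 2.0 change: a path-based signature is cheap for the kit author to invalidate, while shape-based heuristics survive longer at the cost of needing analyst triage.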
Version 2.0 Announcement
Prevent direct download of your Trojan
"Secure your exe; AV company can not just download it, which will keep your exe clean as long as possible."
Captcha now used for login
"Captcha entered for logging on; it was not enough to break a few cases the admin panel of clients by Brutus."
More granular detection of mobile clients
"Added Win8 and mobile devices to the list of operating systems in order to see how much of your traffic is mobile and you can redirect to the appropriate affiliate."
Next Up for Blackhole
Ongoing updates to obfuscation
Zero Day integration
Two Java 0-days in six months' time
From POC
Purchased from market
Evolution of premium kits
"We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us)."
Next Up for Blackhole
Is Cool the next Blackhole?
Zero days found in Cool began showing up in Blackhole after public announcements
Researchers began to question if the authors were the same person
"Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month." (Brian Krebs)
Blackhole's ripple
From Redkit to CritXpack, Blackhole's success in the underground markets seems to be creating a market of opportunity for others to create their own exploit kits
Kits used in malicious email campaigns are beginning to diversify
Tools used by Blackhole are also being used by other kits
QUESTIONS?
castacio@websense.com