Author Topic: Black Hole Exploits Kit  (Read 56433 times)


September 16, 2010, 10:52:21 am

WIEx

  • Jr. Member


  • 34
    • Security
Black Hole Exploits Kit

The next bunch of exploits has been released, this time with a very interesting and beautiful design approach.



I quote the description from the author:

Quote
Having absorbed all the latest developments and methods of testing, over the recent period we reviewed and analyzed more than two dozen products from that area and created a unified system.
The system was written based on existing market demands and was created from the first to the last byte from scratch.
The application of this test system will allow you to identify all of the latest computer vulnerabilities to date.


Administrative system:

[Statistics] Statistics screen
Maximally detailed statistics for all parameters of the tested computer.
Widget-based system.
Widget 1: Global statistical widget:
a.) Statistics for the entire period of the system since launch or since the last reset.
b.) Statistics for the current day of the system.
c.) Statistics by calendar, taken separately for a period of time.
Widget 2: Operating systems.
Widget 3: Browsers, with detail on the versions of a single browser.
Widget 4: Top countries.
Widget 5: Buffer and vulnerable versions of operating systems.
Widget 6: Referrers, detailing the full calling URL address and IP address. (Optional, switchable.)
Widget 7: Streams, statistics for each individual source the traffic comes from.
Widget 8: Custom widget. (The ability to create your own widget identifying and grouping any statistical data from the separate widgets.)

Each of the widgets has full, maximized stats for its parameter data.
Updates automatically at a given interval on the timeline, without reloading the page, in real time.
Graphic, visual presentation of information on 3-level linear graphs.
Counting: hits, hosts, downloads, percentages for each of the statistics parameters.
Visual arrangement of widgets via a Drag'n'Drop system.

[Streams] Stream screen
Built-in TDS (Traffic Direction System), extremely flexible.
Configure traffic flows for each: type, niche, traffic seller.
Build your own set of operating systems, browsers, countries, exploits and files for incoming traffic, based on rules.
Separate traffic into unique and non-unique for each of the flow's rules.
Manage the flow and the status of the rules.
Manage the files for each flow/rule, with automatic replacement by a new one when the shipment limit expires.
Full, maximized statistics per flow/rule.
Administrative and public access to flow/rule statistics.


[Files] Files screen
File library.
Full details on the downloaded file.
Setting shipment limits specifically for the retrieved files.
Integrated anti-virus checking based on the API interfaces of popular AVCheck services.

[Security] Security screen
Blocking system by task: referrers, IP addresses (including ranges).
Generate blacklist databases: referrers, IP addresses.
Import, export blacklist databases.

[Setting] Settings screen
Administrative section, the control center of the system.
Change the names of key files and settings to hide from antivirus company detection and from malware trackers, which otherwise leads to the domain or IP address being blacklisted based on the standard set of system file names.
Fully independent and unique file names and settings, distinct from other copies of the system.
Change the system language: Russian, English.
Set limits on the rows of statistical information displayed in widgets.
Change the system password.
Change the global auto-update interval of the statistics page.
Reset the global statistics of the system, or of a single stream.
Optimized for heavy load and large traffic volumes;
Exploits are crypted with special algorithms that make code analysis and detection by anti-virus impossible, as well as by services like wepawet and other counterparts...
Punches all browsers, given vulnerable plug-ins and browser versions;
Admin is password protected without the use of a login.
Links for traffic, both in the clear and as crypted JavaScript-crypter iFrame code.
System screens:
http://img576.imageshack.us/img576/58/statisticz.png - Statistic
http://img412.imageshack.us/img412/5294/stream.png - Stream
http://img837.imageshack.us/img837/161/filesr.png - Files
http://img205.imageshack.us/img205/2365/security.png - Security
http://img839.imageshack.us/img839/4607/settingg.png - Setting
http://img832.imageshack.us/img832/2048/browsers.png - Browsers
http://img842.imageshack.us/img842/9780/country.png - Country
http://img69.imageshack.us/img69/7721/exploits.png - Exploits
http://img683.imageshack.us/img683/8875/21364432.png - Os

Purchase:

Annual license: $1500
Half-year license: $1000
3-month license: $700

Cryptor update: $50
Domain change: $20; multidomain: $200 per license.
During the term of the license all updates are free.

Rent on our server:

1 week (7 full days): $200
2 weeks (14 full days): $300
3 weeks (21 full days): $400
4 weeks (31 full days): $500
24-hour test: $50
  • There is a restriction on the volume of incoming traffic to a leased system, depending on the contract term.


Provision of our own domain is included. Subsequent change of domain: $35
No hidden fees; rental includes full support for the duration of the contract.

Trade Service: 363001 - Legacy (from 10:00 to 18:00 on MSK)
Programming Engineer: ICQ: 343002; JabberID: paunch@ thesecure.biz - Paunch (theoretically 24 hours)
Founder Team: 895894 - Naron

http://forum.web-hack.ru/index.php?showtopic=98260

September 30, 2010, 08:32:41 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member


  • 3335
Black Hole Exploits Kit. Another crimeware in addition to criminal supply
http://malwareint.blogspot.com/2010/09/black-hole-exploits-kit-another.html
Ruining the bad guy's day

February 19, 2011, 11:40:12 pm
Reply #2

SysAdMini

  • Administrator
  • Hero Member


  • 3335

May 24, 2011, 05:12:18 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member


  • 3335
version 1.1.0 announced

http://translate.google.co.jp/translate?hl=en&sl=auto&tl=en&u=http://scriptkiddiesec.blogspot.com/2011/05/black-hole-exploit-kit-110.html

Quote
The new version 1.1.0
Of the innovations: the issue (serving) code is a complete rewrite.
Before issuing the Java exploits there is a check of the JRE version, and only if the version is potentially vulnerable is a punch attempted.
Existing exploits rewritten; Java SMB no longer asks to install the plugin when visiting the link; and other changes.
iepeers removed as no longer relevant.
Added 2 new exploits: Java trust (punches up to 1.6.0_23 inclusive - the latest version at the moment), and also added Java skyline.
The sample rate has significantly increased, on some types of traffic nearly doubled; here's an example of the stats.



August 18, 2011, 10:02:43 pm
Reply #4

SysAdMini

  • Administrator
  • Hero Member


  • 3335

September 07, 2011, 06:23:10 pm
Reply #5

SysAdMini

  • Administrator
  • Hero Member


  • 3335
Blackhole kit's obfuscation and url parameters have been changed.

Deobfuscated version of code from hxxp://aefrwt6yuy54r3efd.cz.cc/t/db0f207c93faa50fc806110f89c15067 can be found here:

http://pastebin.com/aVDmhKyN

September 08, 2011, 10:29:11 am
Reply #6

tyriel

  • Jr. Member


  • 14
    • urlQuery
Quote
Blackhole kit's obfuscation and url parameters have been changed.

Deobfuscated version of code from hxxp://aefrwt6yuy54r3efd.cz.cc/t/db0f207c93faa50fc806110f89c15067 can be found here:

http://pastebin.com/aVDmhKyN

Interesting :)
Have been waiting on this, seen a lot of small changes to the BH URLs lately.
I have been planning on doing a small write-up of how to read Black Hole URLs. But with the recent changes most of it has changed, but I'll just post some of my notes here quickly anyway.

The payload URL from Black Hole has the following format: http://<domain>/l.php?f=458&e=2
The first letter can be random, but both parameters 'f' and 'e' are more static. I'm not 100% sure what 'f' is used for, but 'e' is used to report which exploit was successful in downloading the payload.
So by looking at this number you can see which exploit triggered on the victim.

 e = 3 -> Java skyline, CVE-2010-3552
 e = 2 -> Java Webstart, CVE-2010-0886
 e = 4 -> MDAC
 e = 7 -> HCP
 e = 6 -> PDF

There might be more, but those are the most common and the ones I know of.


Now looking over the new URL format, without having a lot of URLs and data to compare, it seems this value of 'e' has been kept to some degree.

Let's take the following example:
http://<domain>/f/17fa9e904b267afdf5d00c79e936bbb5/6

It looks like the last digit ('6' in this instance) has been kept as a way to record which exploit was successful. From my first glances at this, it does look like the values have changed for the exploits though. In other words, 6 does not equal a PDF exploit in the new BH code.
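As an added example (not code from this thread, the kit, or its author), the following Python helper applies the URL reading described above to proxy logs from a defender's side: it recognises both the old `l.php?f=...&e=...` shape and the new `/<letter>/<hash>/<digit>` shape, maps old-format 'e' values to the exploits listed in the post, and counts hits per exploit. The path regexes, the `.invalid` domains and the log lines are assumptions constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Old-format 'e' values and the exploit each one reports, as listed in the post.
OLD_FORMAT_EXPLOITS = {
    2: "Java Webstart (CVE-2010-0886)",
    3: "Java skyline (CVE-2010-3552)",
    4: "MDAC",
    6: "PDF",
    7: "HCP",
}
# Path shapes assumed from the two examples in the post, not taken from the kit:
#   old: /<one letter>.php?f=<n>&e=<n>      new: /<one letter>/<32 hex chars>/<n>
OLD_PATH = re.compile(r"^/[a-z]\.php$", re.I)
NEW_PATH = re.compile(r"^/[a-z]/([0-9a-f]{32})/(\d+)$", re.I)

def parse_blackhole_url(url):
    """Return {format, domain, e, exploit, ...} for a matching payload URL, else None."""
    parts = urlsplit(url)
    if OLD_PATH.match(parts.path):
        qs = parse_qs(parts.query)
        if "f" in qs and "e" in qs and qs["e"][0].isdigit():
            e = int(qs["e"][0])
            return {"format": "old", "domain": parts.hostname, "f": qs["f"][0],
                    "e": e, "exploit": OLD_FORMAT_EXPLOITS.get(e, "unknown")}
    m = NEW_PATH.match(parts.path)
    if m:
        # The post gives no mapping for new-format ids, so only the raw id is kept.
        return {"format": "new", "domain": parts.hostname, "token": m.group(1),
                "e": int(m.group(2)), "exploit": "unmapped"}
    return None

def triage_proxy_log(lines):
    """Count payload requests per (format, label); the URL is the last field of each line."""
    counts = Counter()
    for line in lines:
        hit = parse_blackhole_url(line.split()[-1])
        if hit:
            label = hit["exploit"] if hit["format"] == "old" else "e=%d" % hit["e"]
            counts[(hit["format"], label)] += 1
    return counts

# Constructed sample log lines (not real traffic); the domains are placeholders.
SAMPLE_LOG = [
    "2011-09-08T10:00:01 10.0.0.5 GET http://bad-example.invalid/l.php?f=458&e=2",
    "2011-09-08T10:00:07 10.0.0.9 GET http://bad-example.invalid/x.php?f=458&e=6",
    "2011-09-08T10:00:12 10.0.0.5 GET http://bad-example.invalid/f/17fa9e904b267afdf5d00c79e936bbb5/6",
    "2011-09-08T10:00:20 10.0.0.7 GET http://benign-example.invalid/index.php?page=1",
]
```

Running `triage_proxy_log(SAMPLE_LOG)` on the constructed lines yields one Java Webstart hit, one PDF hit and one new-format hit with e=6, which is reported as an unmapped id rather than guessed.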

September 11, 2011, 12:17:56 pm
Reply #7

SysAdMini

  • Administrator
  • Hero Member


  • 3335

December 09, 2011, 08:16:46 pm
Reply #8

SysAdMini

  • Administrator
  • Hero Member


  • 3335

February 26, 2012, 10:14:08 am
Reply #9

SysAdMini

  • Administrator
  • Hero Member


  • 3335

March 28, 2012, 08:40:00 am
Reply #10

SysAdMini

  • Administrator
  • Hero Member


  • 3335
Blackhole v1.2.3
http://xylibox.blogspot.de/2012/03/blackhole-v123.html

Quote
update to version 1.2.3
1) update files from the archive
2) if your main.php has another name, rename it
3) in config.php change the value of 'ExploitsDir' to 'data' (old value was 'content')
4) set write permission on all updated files
5) reset all statistics
6) the Java Pack exploit is now replaced by Java Array
7) in config.php change version to 1.2.3

March 29, 2012, 10:23:46 am
Reply #11

SysAdMini

  • Administrator
  • Hero Member


  • 3335

April 05, 2012, 07:18:46 pm
Reply #12

SysAdMini

  • Administrator
  • Hero Member


  • 3335

July 05, 2012, 08:40:21 pm
Reply #13

dlipman

  • Special Access
  • Full Member


  • 61

July 10, 2012, 08:10:49 pm
Reply #14

SysAdMini

  • Administrator
  • Hero Member


  • 3335