Filling a BlackHole

Today, exploiting vulnerabilities in legitimate programs is one of the most popular methods of infecting computers. According to our data, user machines are most often attacked using exploits for Oracle Java vulnerabilities. Today's security solutions, however, are capable of effectively withstanding drive-by attacks conducted with the help of exploit packs. In this article, we discuss how a computer can be infected using the BlackHole exploit kit and the relevant protection mechanisms that can be employed.

Exploit packs.

As a rule, instead of using a single exploit, attackers employ ready-made sets known as exploit packs. This helps them to significantly increase the effectiveness of 'penetration', since each attack can utilize one or more exploits for software vulnerabilities present on the computer being attacked.

Whereas in the past exploits and malicious programs downloaded with their help to victims' computers were created by the same people, today this segment of the black market operates according to the SaaS (Software as a Service) model. As a result of the division of labor, each group of cybercriminals specializes in its own area: some create and sell exploit packs, others lure users to exploit start pages (drive traffic), still others write the malware that is distributed via drive-by attacks. Today, all a cybercriminal wishing to infect user machines with, say, a variant of the ZeuS Trojan needs to do is buy a ready-made exploit pack, set it up and get as many potential victims as possible to visit the start page (also called a landing page).

Attackers use several methods to redirect users to an exploit pack's landing page. The most dangerous one for users is hacking pages of legitimate websites and injecting scripts or iframe elements into their code. In such cases, it is enough for a user to visit a familiar site for a drive-by attack to be launched and for an exploit pack to begin working surreptitiously. Cybercriminals can also use legitimate advertising systems, linking banners and teasers to malicious pages. Another method that is popular among cybercriminals is distributing links to the landing page in spam.

Infecting user machines using exploit packs: an overview diagram

There are numerous exploit packs available on the market: Nuclear Pack, Styx Pack, BlackHole, Sakura and others. In spite of the different names, all these 'solutions' work in the same way: each exploit pack includes a variety of exploits plus an administrator panel. Moreover, the operation of all exploit packs is based on what is essentially the same algorithm.

One of the best-known exploit packs on the market is called BlackHole. It includes exploits for vulnerabilities in Adobe Reader, Adobe Flash Player and Oracle Java. For maximum effect, exploits included in the pack are constantly modified. In early 2013, we studied three exploits for Oracle Java from the BlackHole pack, so we selected BlackHole to illustrate the operating principles of exploit packs.

In the black hole.

It should be noted that all data on exploits, the contents of start pages and other specific information discussed in this article (particularly the names of methods and classes and the values of constants) was valid at the time the research was carried out. Cybercriminals are still actively developing BlackHole: they often modify the code of one exploit or another to hinder detection by anti-malware solutions. For example, they may change the decryption algorithm used by one of the exploits. As a result, some of the code may differ from that shown in the examples below; however, the underlying principles of operation will remain the same.

We print all changeable data in small type.

An exploit pack's start page.

An exploit pack's start page is used to determine input parameters and make decisions on the exploit pack's further actions. Input parameters include the version of the operating system on the user machine, browser and plugin versions, system language etc. As a rule, the exploits to be employed in attacking a system are selected based on the input parameters. If the software required by the exploit pack is not present on the target computer, an attack does not take place. Another reason an attack may not take place is to prevent the exploit pack's contents from falling into the hands of experts at anti-malware companies or other researchers. For example, cybercriminals may 'blacklist' IP addresses used by research companies (crawlers, robots, proxy servers), block exploits from launching on virtual machines, etc.

The screenshot below shows a sample of code from the landing page of the BlackHole exploit kit.

Screenshot of code from the BlackHole exploit kit's start page

Even a brief look at the screenshot is sufficient to see that the JavaScript code is obfuscated and most information is encrypted.

Visiting the start page will result in execution of the code that was originally encrypted.

Algorithm for decrypting the JavaScript code that was in use in January 2013:
  1. populate variables "z1 - zn" with encrypted data,
  2. then concatenate these variables into one string and decrypt the data as follows: every two characters (the character "-" is ignored) are considered to make up a 27-ary number, which is converted to decimal;
  3. add "57" to the value obtained and divide the result by 5;
  4. convert the resulting number back to a character using the function "fromCharCode".

The code which performs these operations is marked with blue ovals on the screenshot above. The second array consists of decimal numbers from 0 to 255, which are converted to characters using the ASCII table. Both code fragments obtained by conversion are executed using the "eval" command (shown on the screenshot with red arrows).
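The decoding routine described above, written out as an added example (this is not code from the kit or from the original article). It assumes each character was stored as exactly two base-27 digits and that "-" characters are scattered in as noise; the script body it decodes is a constructed sample, and the recovered strings are returned rather than passed to eval.

```javascript
// Added example (not code from the BlackHole kit): a decoder for the landing-page
// encoding described above, plus an encoder used only to build sample input.
// Assumption: each character is stored as exactly two base-27 digits (0-9, a-q),
// with optional "-" characters sprinkled in as noise.

// Layer 1: z1..zn concatenated, "-" dropped, each pair parsed as a base-27 number,
// then (value + 57) / 5 gives the character code.
function decodeLayer1(parts) {
  const joined = parts.join("").replace(/-/g, "");
  let out = "";
  for (let i = 0; i + 1 < joined.length; i += 2) {
    const n = parseInt(joined.slice(i, i + 2), 27);
    if (Number.isNaN(n)) throw new Error("bad base-27 digit at offset " + i);
    out += String.fromCharCode((n + 57) / 5);
  }
  return out;
}

// Layer 2: an array of decimal byte values 0-255 mapped through the ASCII table.
function decodeLayer2(bytes) {
  return String.fromCharCode(...bytes);
}

// Inverse of layer 1, used only to construct sample input for this example.
// A character code c must satisfy 0 <= 5*c - 57 < 27*27; printable ASCII does.
function encodeLayer1(text, chunk) {
  let enc = "";
  for (const ch of text) {
    const v = 5 * ch.charCodeAt(0) - 57;
    if (v < 0 || v > 728) throw new Error("character outside encodable range");
    enc += v.toString(27).padStart(2, "0");
  }
  // Split into z1..zn-style fragments and append "-" noise to each one.
  const parts = [];
  for (let i = 0; i < enc.length; i += chunk) parts.push(enc.slice(i, i + chunk) + "-");
  return parts;
}

// Constructed sample: a harmless script body, not anything from a real landing page.
const SAMPLE_SCRIPT = "var marker = 'decoded';";
const sampleParts = encodeLayer1(SAMPLE_SCRIPT, 7);

function demo() {
  // In the kit both recovered strings go to eval(); here they are only returned.
  return { layer1: decodeLayer1(sampleParts), layer2: decodeLayer2([104, 105]) };
}
```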

The entire algorithm above could have been implemented with a few lines of code, but the cybercriminals used special techniques (marked with yellow ovals in the screenshot) to make detection more difficult:

  1. deliberately causing an exception with the "document.body*=document" command;
  2. checking the style of the first <div> element using the command document.getElementsByTagName("d"+"iv")[0].style.left===""; note that an empty <div> element is inserted into the document (in the second line) for this purpose;
  3. calling "if(123)", which makes no sense, since this expression is always true;
  4. breaking up function names and subsequently concatenating the parts.

In addition to the tricks described above, cybercriminals use numerous minor code changes that can hamper signature-based detection. Although our antivirus engine, for example, includes a script emulator and simple changes in constants and operations will not affect the effectiveness of detection, the tricks described above can make things more difficult for an emulator, too.

After decryption, code appears in RAM - we will refer to it as the "decrypted script". It consists of two parts.

The first part is a module based on the free PluginDetect library, which can be used to determine the versions and capabilities of most modern browsers and their plugins. Cybercriminals use a variety of libraries, but this module is a key element of any exploit pack. BlackHole uses PluginDetect to select the appropriate exploits for download depending on the software installed on the user machine. By 'appropriate' we mean those exploits which have the highest chances of successfully running and launching malware on a specific PC.

The second part of the "decrypted script" is code responsible for processing the results produced by PluginDetect functions and then downloading the exploits selected and launching them.

In March 2013, BlackHole used exploits for the following vulnerabilities:

  1. Java versions from 1.7 to 1.7.
