Search This Blog

Showing posts with label BlackHole Exploit. Show all posts

Paunch, creator of infamous BlackHole Exploit kit arrested in Russia

A man alleged to be the creator of infamous BlackHole exploit kit has been arrested by Russian authorities.

Maarten Boone, a security researcher at Fox-IT, was the first person who broke the news in his tweet saying " Blackhole exploit kit author 'Paunch' and his partners arrested in Russia".

However, there were no more information from Boone.  Jerome Segura at MalwareBytes pointed out that the encryption service used by Blackhole ( is down.

Troels Oerting, head of the European Cybercrime Centre, an arm of Europol, has confirmed to TechWeekEurope an arrest had been made, the details of which were given to the organization.

“I know it is true, we got some information, but I cannot say anymore,” Oerting told TechWeek.

Taiwan Government sites infected and used in Wire Transfer spam mails

Be careful while visiting Taiwan Government websites , it may redirect you to BlackHole Exploit kit page.  We have discovered three infected Taiwan government websites. Initially , the infection identified by @Hulk_Crusader.

"h00p://www.tai** <- another Taiwan .gov site distributing malware. (Copies of Policies spam)" The tweet posted by the researcher reads. At EHN, i have discovered another infected government website.

The infected sites has the same URL pattern ('page-3.htm') and contains an iframe pointing to BlackHole Exploit page "podaruno**.ru".

malicious script

After quick Google search, i come to know that the infected websites are being used in a Wire Transfer Spam mail.

Good afternoon,

Your Wire Transfer Amount: USD 92,710.37
Transaction Report: View [Link_to_infected_page]
TEMIKA Heller,
The Federal Reserve Wire Network

The list of infected websites:

Now Bing image search results leads to BHEK v2- Blackhat SEO poisoning

I reported a few days ago that Google Image search result leads to BlackHole Exploit kit v2.0 page. Now, Bing Image search results also leads to malicious sites.

A quick image search in Bing for the keyword 'movie outline example' results rogue images that leads to malicious websites. The attackers use BlackHat SEO to poison the search results.

Blackhat SEO, also known as malicious SEO poisoning, occurs when hackers manipulate search engine results to make their links appear higher than legitimate results. As a user searches for related terms, the infected links appear near the top of the search results, generating a greater number of clicks to malicious websites.

According to Sophos report, Bing search results are being poisoned more than other search engines(65%). 

"Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results." Researcher said.

When i clicked one of the rogue image, i was redirected to a malicious site "zaka.uni.**" that hosts the latest version of BlackHole Exploit kit(v2.0).

'zaka' , the same keyword is used in the malicious domain used in Google Image result attack. It seems like same group is poisoning Bing search result also.

Google Image search result leads to BlackHole Exploit kit v2.0

How many of you are using the Google image search for searching your favorite picture?! Beware while searching for "Shield" image.  I have come across a new malware/infected page.

Today, I was searching for the "Shield Sword" in Google image search.  I got the above image in the result. It is my favorite image.  In fact, I've used this for creating my facebook cover image.

I have clicked the picture in order to get the full size.  I was waiting for loading image, but instead, i was landed in a page that displays "Please wait page is loading". Damn, i have seen this text everyday since i started my career as Malware analyst.  Yes, it is BlackHole Exploit Kit landing page.

Unfortunately, i am browsing from Host machine. I have disabled the Java plug-in but failed to update the other softwares.  So , my system got infected.

Once again, i have analyzed the compromised page from my Virtual Machine. The infected page "hxxp://" that contains the following script :

The script redirects to the above site which hosts the latest version of BlackHole Exploit kit v2.0.

The page is still there in the Search Result. If you a normal user try to see the picture, what will happen?! It is hard to realize they are in malware page if their anti virus failed to detect the malware.

Guess what?! The above site is not listed in Blacklisting websites. I have report about this page to google, hope they will remove it soon.

Update 1:
The infected page now redirects o another malicious page "***".

Update  2:
Today, the site redirects to another Malicious page that also hosts the BlackHole Exploit v2.0. Still there is no warning from google and no one else care about that?!

ADP spam mail leads to BlackHole Exploit kit v2.0

blackhole exploit

The news about the BlackHole Exploit kit v2.0 release spreads like a wildfire in the Internet. It seems like Cyber Criminals started to use the new version for infecting users.

A security researcher have come across a spam mail purporting to be an ADP invoice reminder which leads to BlackHole Exploit kit v2.0 landing page.

The Spam mail intercepted by Researcher:
Subject: ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by September 13, 2012


If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply.

After clicking the link provided in the mail, recipient will be redirected to the malicious page through multiple sites. At the end of redirection, the victim will be ended in this page "46.249.*.122/links/systems-links_warns.php".

It seems like the landing page of BlackHole Exploit version 2.0. In previous version of BH, you will see "main.php?page=[random_number]" at the end of url.  But the latest version use combination of meaningful words.

Once again , i like to remind the Dynamic URL feature of the BH 2.0. The generated link targets only one users which is valid for a few seconds. Yes, it is true, the above link generates 404 error at the time of researcher visit.

At the time of writing this article, the above IP is unavailable.

Today , i have analyzed three malicious IP address which uses the latest version of BlackHole Exploit.  only one IP displayed the exploits. After few seconds, that IP also start to generate 404 error page.

Blackhole exploit kit v2.0 : Good news for Cyber Criminals,bad news for AV

Paunch, the developer of BlackHole Exploit kit , has announced the new version 2.0 of the BlackHole Exploit kit. The new version claimed to have more features that makes this kit best in the market.

As far as we know, BlakHole is the most successful exploit kit which includes a collection of exploits to take advantage of vulnerability in the victim's machine to download malwares. There are plenty of other kits but BH is number one in the market because of its tremendous features.
The developer claimed that AV companies detects the old version very quickly. So in order to make their customers, they have rewritten the code of this exploit kit from scratch.

The latest version generates a dynamic URL, which is valid for a few seconds. So malware analyst can't analyze the malware page even though victims give URL details. It also protect the malware files from being downloaded multiple times.

 "JAR and PDF exploits show only for detected vulnerable versions of plug-ins if the plug is not vulnerable,exploits not issued, and not get in detection loop." The developer ad translated by Malware don't need coffee.

" In version 1. * link to malicious payload unfortunately was recognizable for AV companies and reversers, she looked this kind,. /Main.php?Varname=lgjlrewgjlrwbnvl2. The new version of the link to the malicious payload you can choose yourself, here are some examples: /news/index.php,/contacts.php and so on, now for the moment no one AV can not catch. And by default stream names when creating the flow created automatically from the dictionary with the actual words and not a random letters."

There is no change in the price.

The new features sounds great for Cyber Criminals but not for Malware analyst.

ADP Notification mail leads to BlackHole Exploit Kit

Researchers at MX Lab, started to intercept a spam mail campaign that masquerade as ADP Notification mail.The mail intercepted by researchers has subjects like "ADP Funding Notification " and "ADP Security Management Update".

The email is send from the spoofed addresses,, the email address may vary.

One of the intercepted spam mail content:
Your Transaction Report(s) have been uploaded to the web site:

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services
Once user clicks the link provided in the spam mail, he will be taken to a website which has the following script:
<h1>WAIT PLEASE</h1>
<script type=”text/javascript” src=”hxxp://”></script>
<script type=”text/javascript” src=”hxxp://”></script>
Both javascript contains same script that will redirects you to' hxxp://'.  The URL hosts BlackHole Exploit Kit which use the plugin version 0.7.8 (the latest version BlackHole Exploit kit).

BlackHole Exploit kit tries to take advantage of the vulnerability reside in the victim system. After successful exploitation, it downloads a malicious file called 'info.exe'.  The detection ratio of this malware is 2/42 (VirusTotal).

Japan Internet Service Provider, SpinNet contains malicious iframe

SpinNet, The leading Internet Service Provider in Japan, has been compromised and Executes malicious scripts, detected by Comodo's Site Inspector.

'' contains iframe pointing to the malicious domain '' which redirects to another sites.

Earlier today, 'hxxp://' redirects to malicious domain which hosts black Hole Exploit kit. At the time of writing, '' redirects to

UrlQuery detected url as SutraTDS , a Traffic Distribution Systems(TDS) package.  There are some other sites also infected by this iframe. A simple google search reveals the list of infected sites.

There are more malware domains that follows same method like, the list can be found at Sucuri Malware Labs .

"Wire Transfer Confirmations" email leads to BlackHole Exploit site

Sophos Labs intercepted a spam campaign that claim to be related to a rejected wire transfer.

Although most savvy computer users would realise that unsolicited email is unlikely to be legitimate, there are some who might be vulnerable or merely curious enough to click on the HTML attachment, not realising that it can cause problems for their PC.

When user open the The HTML attachment , it displays 'Please wait a moment. You will be forwarded...'.

In the background, an obfuscated piece of code is performing a redirect to a hijacked Russian site that hosts Blackhole, the infamous exploit kit that leverages all sorts of known vulnerabilities to serve malware.

0-day XML core services vulnerability(CVE-2012-1889) included in Blackhole exploit kit

A few weeks ago, we have published news related to vulnerability in Microsoft XML core services(CVE-2012-1889). The vulnerability is a true zero-day, being exploited in the wild, with no patch yet available from Microsoft.

Sophos researchers discovered that the exploit for this vulnerability has been added to the Blackhole exploit kit.

A new function has been added to the Blackhole exploit that targets CVE-2012-1889. The function used well-described heapspray techniques to deliver the shellcode, prior to exploiting the vulnerability in order that execution passes to that shellcode.

The shellcode is pretty straightforward, attempting to download the payload (a dll) from a remote server, writing it to the temp folder.

Emails with Subject "ADP Funding Notification – Debit Draft" leads to Exploits

Researchers at MX Lab , has intercepted some emails with the subject “ADP Funding Notification – Debit Draft” that lead to a malicious web site with obfuscated Javascript code.

The email is send from the spoofed address “” or “” and has the following body:

Your Transaction Report(s) have been uploaded to the web site:

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services
The URL will not lead you to the site that is mentioned but to hxxp:// where the following HTML code is executed:

<h1>WAIT PLEASE</h1>
<script type=”text/javascript” src=”hxxp://”></script>
<script type=”text/javascript” src=”hxxp://”></script>


Both embedded Javascript URLs will redirect you document.location=’hxxp://′; The above page contains an obfuscated javascript.

  After de-obfuscating the javascript, i found there is Blackhole exploit pack that try to exploit one of the vulnerable software(flash, pdf and other exploits). At the bottom of the page, you can find the applet code that try to exploit the Java Atomic reference vulerability.

Blackhole Exploit Kit upgraded to generate pseudo-random domains

Blackhole Exploit Kit is one of the famous Exploit Kit which is being used by Cyber Criminals for infecting innocent users through Drive-by-download.  It delivers different exploit including Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications.

Although this approach has generally been very successful for malware authors, it has had one weakness. If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.

To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains ,based on the date and other information, and then creates an iframe pointing to the generated domain.

After de-Obfuscating the javascript in the compromised pages, symantec researchers found a code that pseudo-random domains.

This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second. This function calls the following:

  • generatePseudoRandomString() function, with a timestamp
  • 16, the desired length of the domain name
  • ru, the top-level domain name to use

The code then creates a hidden iframe, using the previously-generated domain as the source.

Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed.

Running this code in isolation, it seems that the pseudo-random domain is based on a number which is in turn based on an initial seed value, the current month and the day of the current month. When running the code at the time of writing, it returned:


By changing the date passed to the function we can determine domains that will be used in future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, such as details of the registrant not published in WHOIS.

Amazon spam email leads to Blackhole Exploit kit website

Fake amazon notification mails are hitting inboxes and trying to lure recipients into following the links that hosts Blackhole Exploit kit . The email has been spotted by GFI researchers.

The mail may look legitimate . The only thing that gives it away at first glance is the fact that multiple email addresses are included in the "To:" field, and the email is personalized for the first recipient.

The links in the email leads to various legitimate but compromised WordPress domains. Their URLs contain the following section in their syntax:


Blackhole exploit code tries to exploit the Adobe Reader &Flash , Java vulnerabilities. If you have one of the vulnerable application installed in your system, then the kit will exploit the vulnerability and infects users system.

Hackers breached MIT Server to launch cyber attack on other sites

Hackers Compromised MIT(Massachusetts Institute of Technology) Server in order to launch cyber attack on other sites.

"One MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites," BitDefender Researchers said.

The malicious script searched for vulnerable installations of phpMyAdmin, a popular Web-based database administration tool.

PHPMyAdmin is used by web developers and site administrators to connect and perform specific SQL operations over the web, such as creating, reading, updating and deleting information from the database. Our information shows that the vulnerable versions of PHPMyAdmin range from 2.5.6 to 2.8.

Once it find vulnerable version of phpMyAdmin , it launch SQL Injection attack to gain admin privileges. If the website is successfully compromised, the crawler leaves behind foler called "muieblackcat"- a mutex that acts as a mark of infection(Blackhole Exploit Pack).

BitDefender said that it tried to alert MIT about the security breach on their server, but received no reply.

According to BitDefender report the server is still online, but no longer attack any sites ." As a top level reliable domain, .edu is primarily used by educational institutions in America and other trustworthy organizations. A trackback from such a domain is a vote of confidence for an article, a blog, an entire site, or even an institution. In short, an infrastructure the size of is not only guaranteed to have huge bandwidth to carry thousands of malicious requests per second, but is also a good way to evade firewalls that obviously accept traffic from as legit." Doina Cosovan,BitDefender VirusAnalyst. is hacked and infected by Malware ~ Exploits Visitor's Broswer is hacked and infected by Malware ,detected by HackAlert 24x7 Website malware monitoring platform. If you visit the website , your system will be infected by malware without your knowledge and crash your flash player,java.


Infection Process:
if you visit , you will run the malicious javascript code.

This code generates this Iframe

and Throws out a 302 redirect to

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting with a vulnerable browsing platform will result in an infection.

Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.

Trend Micros said:
"We recently found an interesting post in a Russian underground forum in the course of our research. People exchange information about their illegal activities in these kinds of forums. We found a user in the forum with the handle ‘sourcec0de‘ and ICQ number ’291149′ who is currently offering root access to some of the cluster servers of and its subdomains.

The price for each access starts at $3,000 USD, with the exchange of money/access being provided by the well known garant/escrow system, whereby a trusted third party verifies both sides of the transaction."

The website is as of now, still serving this exploit and malware. trying to contact