Friday, October 19, 2012

Black Hole Exploit Kit 2 (BHEK) summary


This post is just to summarize some quick facts about the problematic BHEK v2.  Why problematic?  Well this version of exploit kit has risen the bar in sophistication and is harder to detect, defend and find.  It's currently driving many of us on the threat ops and intel side crazy so the sharing of information is paramount.

Here is a roundup of data and analysis on BHEKv2:

Great write-up via spider labs
http://blog.spiderlabs.com/2012/09/blackhole-exploit-kit-v2.html

Malware don't sleep (inside BHEK v2)
http://malware.dontneedcoffee.com/2012/09/behind-captcha-or-inside-blackhole.html

Excellent analysis by Malware Must Die!
http://malwaremustdie.blogspot.jp/2012/09/following-lead-of-suspected-blackhole2.html

Great analysis by Mila
http://contagiodump.blogspot.fr/2012/09/cve-2012-4681-samples-original-apt-and.html

Download BHEK v2 (partial pack)
http://contagio.deependresearch.org/files/Blackhole2files.zip

Snort signatures:

SOURCEFIRE SNORT
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:"/index.html|22|"; within:50; pcre:"/\x2f[a-z0-9]{8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:24171; rev:1; )
EMERGING THREATS
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:4;)


List of BHEKv2 compromised domains (from contagio):
arksylhet.com
badshahpromotions.co.uk
centroedusantaterezinha.org
chambe-aix.com
colombianfashion.com
curatatorie-sibiu.ro
davidicke.pl
domaister.com
dpwparking.com
ecoaction21.fr
estetiqueroman.ro
fengshuitonight.com
ferretsac.com
firetowerguard.com
groupe-cmb.com
hmlanding.com
innovahogar.es
jusprev.org.br
justwebdesign.co.za
karpar.gr
lehoapaper.com
muzee.org
nailtaxi.com
onewaytransportproducts.com
sloanegroup.com
sv.thanmadailuc.com
trends-und-freizeit.de
ukhs.dk
wnyportal.com
www.golfer360.de

Target Email URLS (from contagio):
http://arksylhet. com/A67iD4eo/index. html
http://arksylhet. com/QSpUShbL/index. html
http://badshahpromotions. co. uk/zpVjiR/index. html
http://centroedusantaterezinha. org/foRHmF8/index. html
http:///Wjn56cM6/index. html
http://chambe-aix. com/yCkWRN/index. html
http://chambe-aix. com/yYiD9SAs/index. html
http://colombianfashion. com/Mt1T26/index. html
http://curatatorie-sibiu. ro/fbwoGoYB/index. html
http://curatatorie-sibiu. ro/QeHis8s/index. html
http://davidicke. pl/0qaSfRv/index. html
http://davidicke. pl/mZbkMz/index. html
http://davidicke. pl/x1s0xB8z/index. html
http://domaister. com/LD2nAc/index. html
http://dpwparking. com/PYG35et/index. html
http://ecoaction21. fr/QBA8Re4S/index. html
http://estetiqueroman. ro/KD31RjXc/index. html
http://fengshuitonight. com/JTARZz/index. html
http://fengshuitonight. com/vRNXQq/index. html
http://ferretsac. com/wBbsvpF/index. html
http://ferretsac. com/wc4hACm/index. html
http://ferretsac. com/z7ShYa3/index. html
http://firetowerguard. com/AEuifWY/index. html
http://groupe-cmb. com/JWBpK7qd/index. html
http://groupe-cmb. com/ukKmLYf0/index. html
http://groupe-cmb. com/zc0XNMxZ/index. html
http://hmlanding. com/60QuVZQ/index. html
http://innovahogar. es/4oRnMr/index. html
http://innovahogar. es/V2dSnzdv/index. html
http://innovahogar. es/ZUCufHc/index. html
http://jusprev. org. br/aZhDGJ1e/index. html
http://justwebdesign. co. za/X1dWrR/index. html
http://karpar. gr/mMDBNKhE/index. html
http://karpar. gr/yoTkZUm0/index. html
http://karpar. gr/yUyj1crG/index. html
http://lehoapaper. com/hUvbnijs/index. html
http://muzee. org/AA9njNS/index. html
http://nailtaxi. com/yjgSuE/index. html
http://onewaytransportproducts. com/auVejpR/index. html
http://sloanegroup. com/1n70Gvt/index. html
http://sv. thanmadailuc. com/9vy1FW/index. html
http://sv. thanmadailuc. com/UotPEhM/index. html
http://sv. thanmadailuc. com/x4MSyKCz/index. html
http://trends-und-freizeit. de/4UDFo4/index. html
http://ukhs. dk/ZjUP5CCZ/index. html
http://wnyportal. com/cKodnh/index. html
http://justwebdesign. co. za/X1dWrR/index. html


1 comment:

Travis Schack said...

On 10/2/12, Sourcefire disabled the signature that you refer to on your blog. Looking into why.