Friday, October 19, 2012

Black Hole Exploit Kit 2 (BHEK) summary

This post is just to summarize some quick facts about the problematic BHEK v2.  Why problematic?  Well this version of exploit kit has risen the bar in sophistication and is harder to detect, defend and find.  It's currently driving many of us on the threat ops and intel side crazy so the sharing of information is paramount.

Here is a roundup of data and analysis on BHEKv2:

Great write-up via spider labs

Malware don't sleep (inside BHEK v2)

Excellent analysis by Malware Must Die!

Great analysis by Mila

Download BHEK v2 (partial pack)

Snort signatures:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:"/index.html|22|"; within:50; pcre:"/\x2f[a-z0-9]{8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:24171; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:4;)

List of BHEKv2 compromised domains (from contagio):

Target Email URLS (from contagio):
http://arksylhet. com/A67iD4eo/index. html
http://arksylhet. com/QSpUShbL/index. html
http://badshahpromotions. co. uk/zpVjiR/index. html
http://centroedusantaterezinha. org/foRHmF8/index. html
http:///Wjn56cM6/index. html
http://chambe-aix. com/yCkWRN/index. html
http://chambe-aix. com/yYiD9SAs/index. html
http://colombianfashion. com/Mt1T26/index. html
http://curatatorie-sibiu. ro/fbwoGoYB/index. html
http://curatatorie-sibiu. ro/QeHis8s/index. html
http://davidicke. pl/0qaSfRv/index. html
http://davidicke. pl/mZbkMz/index. html
http://davidicke. pl/x1s0xB8z/index. html
http://domaister. com/LD2nAc/index. html
http://dpwparking. com/PYG35et/index. html
http://ecoaction21. fr/QBA8Re4S/index. html
http://estetiqueroman. ro/KD31RjXc/index. html
http://fengshuitonight. com/JTARZz/index. html
http://fengshuitonight. com/vRNXQq/index. html
http://ferretsac. com/wBbsvpF/index. html
http://ferretsac. com/wc4hACm/index. html
http://ferretsac. com/z7ShYa3/index. html
http://firetowerguard. com/AEuifWY/index. html
http://groupe-cmb. com/JWBpK7qd/index. html
http://groupe-cmb. com/ukKmLYf0/index. html
http://groupe-cmb. com/zc0XNMxZ/index. html
http://hmlanding. com/60QuVZQ/index. html
http://innovahogar. es/4oRnMr/index. html
http://innovahogar. es/V2dSnzdv/index. html
http://innovahogar. es/ZUCufHc/index. html
http://jusprev. org. br/aZhDGJ1e/index. html
http://justwebdesign. co. za/X1dWrR/index. html
http://karpar. gr/mMDBNKhE/index. html
http://karpar. gr/yoTkZUm0/index. html
http://karpar. gr/yUyj1crG/index. html
http://lehoapaper. com/hUvbnijs/index. html
http://muzee. org/AA9njNS/index. html
http://nailtaxi. com/yjgSuE/index. html
http://onewaytransportproducts. com/auVejpR/index. html
http://sloanegroup. com/1n70Gvt/index. html
http://sv. thanmadailuc. com/9vy1FW/index. html
http://sv. thanmadailuc. com/UotPEhM/index. html
http://sv. thanmadailuc. com/x4MSyKCz/index. html
http://trends-und-freizeit. de/4UDFo4/index. html
http://ukhs. dk/ZjUP5CCZ/index. html
http://wnyportal. com/cKodnh/index. html
http://justwebdesign. co. za/X1dWrR/index. html