Blackhole exploit: For those wondering


MysteryFCM
Site Admin
Posts: 3721
Joined: Sun May 15, 2005 12:42 pm
Location: Newcastle, UK
Contact:

Blackhole exploit: For those wondering

Postby MysteryFCM » Mon Dec 05, 2011 4:02 pm

Blackhole exploit: For those wondering

For those wondering and not yet aware: the latest incarnations coming via e-mail have changed MO. The link to the exploit itself isn't directly in the e-mail anymore. Instead, it goes via:

1. Site A
2. 4 x MITMs
5. Exploit site

In this case:

cadcamengineers.com/6ebc21/index.html
-> napaul.com/statcounters.js
-> proplastics.rs/statcounters.js
-> rodns.eu/statcounters.js
-> sashandbow.com.au/statcounters.js
--> twistloft.com/main.php?page=111d937ec38dd17e


cadcamengineers.com
    -> 75.125.218.230 - Resolution failed
    -> AS21844 75.125.0.0/16 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
twistloft.com
    -> 65.254.63.228 - Resolution failed
    -> AS3595 65.254.48.0/20 GNAXNET-AS - Global Net Access, LLC
napaul.com
    -> 202.191.61.93 - hubble.websiteactive.com
    -> AS24446 202.191.60.0/22 NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
proplastics.rs
    -> 217.26.70.100 - bender.verat.net
    -> AS15982 217.26.64.0/20 VERAT-AS-1 Drustvo za telekomunikacije Verat d.o.o, Bulevar Vojvode Misica 37
rodns.eu
    -> 85.9.19.61 - 61.19.9.85.clausweb.ro
    -> AS5606 85.9.0.0/18 KQRO GTS Telecom SRL
sashandbow.com.au
    -> 70.87.76.162 - vanquish.websitewelcome.com
    -> AS21844 70.84.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.


Presumably, this is an effort at redundancy, to ensure it still delivers when one of the MITMs is down.


http://hphosts.blogspot.com/2011/12/bla ... ering.html

Blackhole exploit: For those wondering, Part 2

I received a comment to the 2009 blog. This one houses a variation of the MO I outlined in part 1 (there was not going to be a part 2, but it's got a few changes that warranted it).

The MO in this case is:

1. Site A
2. Exploit

There are no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only 3 lines needing to be commented out this time).


http://hphosts.blogspot.com/2011/12/bla ... ng_05.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!

Mindblower
Countermeasures Agent
Posts: 271
Joined: Fri Sep 02, 2005 8:33 am
Area Of Expertise: More tinkering in hardware than software
experience: I know the functions, OS settings, registry tweaks and more
PC time: Alot more than I should
Location: Montreal, Canada
Contact:

Re: Blackhole exploit: For those wondering

Postby Mindblower » Tue Dec 06, 2011 4:18 pm

Hello MysteryFCM. For those lay folks like myself, could you put it into simpler terms. Thanks, Mindblower!
A converted Windows 8 user (using third party programs to ease the transition)


Re: Blackhole exploit: For those wondering

Postby MysteryFCM » Tue Dec 06, 2011 4:29 pm

What were you wanting to know?


Re: Blackhole exploit: For those wondering

Postby Mindblower » Tue Dec 06, 2011 5:43 pm

If you need to ask, I'm miles below your level, Mindblower!


Re: Blackhole exploit: For those wondering

Postby MysteryFCM » Tue Dec 06, 2011 5:49 pm

lol will be my fault - I've never been good at explaining things.

Essentially, the blogs describe how to decode the JS used by the Blackhole exploit, in order to go straight to the payload for each site (the f var seems to be becoming specific to each site, whereas previously the same var could be used for every site housing it), for those that either don't have a spare machine available to run it, or simply have no need to run it (given we already know what the BH exploits actually do), or of course just want to see the actual code itself.


Re: Blackhole exploit: For those wondering

Postby Mindblower » Wed Dec 07, 2011 4:41 am

Thanks. You can make it simpler after all. Much appreciated, Mindblower! chrz


Re: Blackhole exploit: For those wondering

Postby MysteryFCM » Wed Dec 07, 2011 5:48 am

My pleasure :)


Re: Blackhole exploit: For those wondering

Postby MysteryFCM » Fri Dec 09, 2011 12:00 am

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail

This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish:

facebook <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
Hi,
You haven't been back to Facebook recently.You have received notifications while you were gone.
 <http://static.ak.fbcdn.net/rsrc.php/v1/yS/r/I-6WhcLLGrb.gif> 1 message <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271> <http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/jqa4zOmDxSP.gif> 2 friend requests <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
Thanks,
The Facebook Team
Sign in to Facebook and start connecting
Sign in <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>

To log in to Facebook, follow the link below:
http://www.facebook.com/n/?find-friends%2F&mid=4131bdcG5af38cf3b00cG0G2b&bcode=BoDkTqHx&n_m=redc-mosul%40imfi.org <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
 <http://www.facebook.com/email_open_log_pic.php?mid=4131bdcG5af38cf3b00cG0G2b>
If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, you can unsubscribe <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271> .
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303



Or for those of you using HTML e-mail (naughty naughty!):


http://hphosts.blogspot.com/2011/12/bla ... ng_08.html
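A checker for the kind of mismatch the Facebook mail above shows, added here as an example and not part of the post or of hpHosts' tooling: it reads the text-mode rendering (visible text followed by the real target in angle brackets) and flags every link whose real target sits outside the domain the mail claims to come from. The sample is built from the lines quoted above, and the registrable() helper is a deliberate approximation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the text-mode rendering of the e-mail quoted
# above: the visible link text is followed by the real target in <angle brackets>.
# The tracking-pixel link really is on facebook.com (copied from a genuine mail),
# so a checker must look at every link, not stop at the first one.
SAMPLE_EMAIL = """Sign in <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
To log in to Facebook, follow the link below:
http://www.facebook.com/n/?find-friends%2F&mid=4131bdcG5af38cf3b00cG0G2b <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
 <http://www.facebook.com/email_open_log_pic.php?mid=4131bdcG5af38cf3b00cG0G2b>
"""

# visible text (whatever precedes the bracket on the line) + <real target>
LINK_RE = re.compile(r"([^\n<]*)<(https?://[^>\s]+)>")

def host_of(url):
    """Hostname of a URL, lower-cased, port stripped ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()

def registrable(host):
    """Crude registrable domain: the last two labels. Enough to tell
    facebook.com from live-dsl.net; a real tool should use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def suspicious_links(text, claimed_domain):
    """Return (visible_text, target_url, reason) for every link whose real
    target is not under claimed_domain. If the visible text is itself a URL
    on another host, that mismatch is named in the reason."""
    findings = []
    for visible, target in LINK_RE.findall(text):
        visible = visible.strip()
        thost = host_of(target)
        if registrable(thost) == claimed_domain:
            continue
        reason = f"target host {thost} is not under {claimed_domain}"
        if visible.startswith(("http://", "https://")):
            reason += f"; visible text shows {host_of(visible)}"
        findings.append((visible, target, reason))
    return findings

if __name__ == "__main__":
    for visible, target, reason in suspicious_links(SAMPLE_EMAIL, "facebook.com"):
        print(f"{visible or '(image/blank)'!r} -> {target}: {reason}")
```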


Re: Blackhole exploit: For those wondering

Postby MysteryFCM » Fri Dec 09, 2011 2:10 pm

Blackhole exploit: For those wondering, Part 4 - Now it's Amazon's turn

This one came in whilst I was asleep. No JS MITMs this time, just the link in the e-mail, which uses a meta refresh to redirect you to the domain housing the Blackhole exploit itself:

Hello,

Shipping Confirmation
Order # 651-5411744-0155168 <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html>

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> on Amazon.com <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> .

Shipment Details

Omron WFB-387U Fat Loss Monitor, Black $129.95
Item Subtotal: $129.95
Shipping & Handling: $0.00
Total Before Tax: $129.95
Shipment Total: $129.95
Paid by Visa: $129.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> .

We hope to see you again soon!
Amazon.com


http://hphosts.blogspot.com/2011/12/bla ... _3980.html
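An added example (not from the post or the hpHosts blog) of what a defender would script for the meta refresh trick described above: parse the landing page, pull every meta refresh target and report the ones that bounce the browser off the page's own host. The landing URL is the one in the mail above; the HTML and the exploit-host.example target are constructed placeholders, since the post does not show the page source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Constructed landing page in the style Part 4 describes: the linked page holds
# nothing but a meta refresh that sends the browser on to the exploit kit host.
# The refresh target is a placeholder, not a value from the post.
LANDING_URL = "http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html"
LANDING_HTML = """<html><head>
<meta http-equiv="Refresh" content="0; URL=http://exploit-host.example/main.php?page=PLACEHOLDER">
</head><body></body></html>"""

class MetaRefreshFinder(HTMLParser):
    """Collect the target of every <meta http-equiv="refresh"> in a document."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases names
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content is "<delay>; url=<target>"; case and quoting vary, so be tolerant
        m = re.search(r";\s*url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())

def meta_refresh_targets(page_url, html):
    """Absolute URLs of all meta refresh targets on the page."""
    p = MetaRefreshFinder()
    p.feed(html)
    return [urljoin(page_url, t) for t in p.targets]

def off_site_redirects(page_url, html):
    """Refresh targets whose host differs from the page's own host."""
    own = urlsplit(page_url).hostname
    return [t for t in meta_refresh_targets(page_url, html)
            if urlsplit(t).hostname != own]

if __name__ == "__main__":
    for t in off_site_redirects(LANDING_URL, LANDING_HTML):
        print(f"{LANDING_URL} bounces off-site to {t}")
```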
