Thursday, October 4, 2012

Blackhole 2 exploit kit (partial pack) and ZeroAccess (user-mode memory resident version)


This post is an addition to the DeepEnd Research post Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis by Andre DiMino about the Blackhole 2 exploit pack and Cridex trojan alliance.

Available for download below is a partial Blackhole 2 exploit pack. This pack has been shared with me a few times over the past couple of weeks as researchers discovered a Blackhole server with open directories. While it is missing a few crucial files, it still provides insight into the pack's components, exploits, and structure.

The files in the pack are listed below. 16 files are zero bytes in size (not on purpose; that is all I have) and are included for information only. The zero-size files are listed in a separate list below, in addition to appearing in the main list. The files and data directories contain the exploits (CVE-2012-1723, CVE-2012-0507, CVE-2010-1885, CVE-2012-4681, CVE-2010-0188) and the payload, ZeroAccess among other malware. This ZeroAccess is a memory-resident rootkit, so the package contains no dropped or created files for it, only the original dropper and the assorted files generated by the click-fraud component; use Volatility or Redline/Memoryze for memory analysis.
The captcha component of this pack was reviewed in
Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel (Malware Don't Need Coffee).

 Malware Must Die analysts have been tracking Blackhole 2 as well


Download


Download Blackhole 2 exploit kit - partial pack ( email me if you need the password)
 Download ZeroAccess sample with pcap ( email me if you need the password)

List of files



These files are 0 bytes
api.php
bhstat.php
browser.php
config.php
cron_check.php
cron_checkdomains.php
cron_updatetor.php
db.php
files.php
js.php
lang.php
logs.php
referers_bstat.php
sc.php
template.php
threads.php


ZeroAccess file information

This version of ZeroAccess does not use kernel-mode drivers and is completely memory resident. It is very well described here

The click-server component is present in this version, just as described in the ethicalhackers.info article above, with a very high volume of peer-to-peer UDP and click-fraud traffic. The pcap files are in the analysis package for download above.
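As an added defender-side example that is not part of the original post, the script below flags the peer fan-out behaviour described above: an internal host that talks UDP to hundreds of distinct peers within a few minutes. It assumes flow lines in this page's "A <-> B" conversation style with a constructed timestamp, protocol and port prefix, and all sample addresses and ports are constructed (documentation-range peers).

```python
"""Peer fan-out detector for ZeroAccess-style P2P UDP traffic.

Added example, not code from the original post. Flow lines follow the
"A <-> B" conversation style of this page, with an assumed "<time> <proto>"
prefix and ":port" suffixes; ports and peer addresses below are constructed.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
# Monitored internal range; the post's infected lab host is 192.168.106.131.
INTERNAL = ipaddress.ip_network("192.168.106.0/24")

# Constructed sample: a clean host doing DNS (same resolver twice) and web
# browsing, plus one HTTP flow from the infected host.
SAMPLE_LINES = [
    "2012-10-04T17:30:00 UDP 192.168.106.20:53123 <-> 192.0.2.53:53",
    "2012-10-04T17:30:05 UDP 192.168.106.20:53124 <-> 192.0.2.53:53",
    "2012-10-04T17:30:07 TCP 192.168.106.20:49152 <-> 74.125.228.124:80",
    "2012-10-04T17:30:09 TCP 192.168.106.131:49201 <-> 74.125.228.124:80",
]

def constructed_peer_burst(host="192.168.106.131", n=300,
                           start="2012-10-04T17:31:00"):
    """Synthesise n UDP flows from host to n distinct documentation-range
    peers spread over seven minutes, like the 300+ conversations seen here."""
    t0 = datetime.strptime(start, FMT)
    nets = [ipaddress.ip_network("203.0.113.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]
    lines = []
    for i in range(n):
        peer = nets[i % 2][1 + i // 2]
        t = t0 + timedelta(seconds=i * 420 // n)
        lines.append(f"{t.strftime(FMT)} UDP {host}:16464 <-> {peer}:16464")
    return lines

def parse_flow(line):
    """Return (time, proto, host, peer) with host inside INTERNAL, else None."""
    ts, proto, a, _arrow, b = line.split()
    src, dst = (ipaddress.ip_address(x.rsplit(":", 1)[0]) for x in (a, b))
    if src in INTERNAL:
        host, peer = src, dst
    elif dst in INTERNAL:
        host, peer = dst, src
    else:
        return None
    return datetime.strptime(ts, FMT), proto.upper(), str(host), str(peer)

def max_distinct_peers(events, window):
    """Peak number of distinct peers inside any span of length `window`.
    events: (time, peer) pairs for one host; two-pointer sliding window."""
    events.sort()
    in_window, best, left = Counter(), 0, 0
    for t, peer in events:
        in_window[peer] += 1
        while t - events[left][0] > window:  # expire flows older than window
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best

def peer_peaks(lines, window=timedelta(minutes=7), proto="UDP"):
    """Map each internal host to its peak distinct-peer count for `proto`."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_flow(line)
        if parsed and parsed[1] == proto:
            t, _, host, peer = parsed
            per_host[host].append((t, peer))
    return {h: max_distinct_peers(ev, window) for h, ev in per_host.items()}

def flag_fanout(peaks, min_peers=100):
    """Hosts at or above the threshold. A resolver or CDN hit 300 times is
    still one peer, so ordinary DNS and web traffic stays far below it."""
    return sorted((h, n) for h, n in peaks.items() if n >= min_peers)

if __name__ == "__main__":
    peaks = peer_peaks(SAMPLE_LINES + constructed_peer_burst())
    for host, n in flag_fanout(peaks):
        print(f"{host}: {n} distinct UDP peers within 7 min (P2P fan-out)")
```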


Traffic conversations over a 7-minute period (over 300 advertising and shopping websites)


Domain list




Automatic scans

ZeroAccess fdc7aaf4a3
SHA256:     b4e1acb0cfb95a075ac4b8a3304b43aa3265d2fdafb9fef3f8dd09abcbcc33a3
SHA1:     fbc15c6494f14b44a324b778ad825e822ddcce0a
MD5:     3169969e91f5fe5446909bbab6e14d5d
File size:     157.0 KB ( 160768 bytes )
File name:     fdc7aaf4a3
File type:     Win32 EXE
Detection ratio:     32 / 44
Analysis date:     2012-10-04 17:34:51 UTC ( 0 minutes ago )

https://www.virustotal.com/file/f7fca74812707ec4b10b2302b8bb2a94a979f6b4d47c5557cea98f975efb1cec/analysis/
554-0002.exe
SHA256:     f7fca74812707ec4b10b2302b8bb2a94a979f6b4d47c5557cea98f975efb1cec
SHA1:     811c70ee4f61537c10a844f43ea31d309b8c95d7
MD5:     b51c93fb8d8e55d1eb935c1ed5a749f7
File size:     371.5 KB ( 380416 bytes )
File name:     b51c93fb8d8e55d1eb935c1ed5a749f7
File type:     Win32 EXE
Tags:     peexe armadillo
Detection ratio:     26 / 42
Analysis date:     2012-09-25 18:13:44 UTC ( 1 week, 1 day ago )


The file is malware known as "CRDF.Trojan.Fakealert.Win32.PEx.C.2818756116". Report on this threat: http://threatcenter.crdf.fr/?More&ID=103547

https://www.virustotal.com/file/37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453/analysis/
SHA256:     37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453
SHA1:     4290441b2edc07c606ffb3b6407c6b7df99413f3
MD5:     86946ec2d2031f2b456e804cac4ade6d
File size:     32.2 KB ( 33010 bytes )
File name:     java.jar
File type:     ZIP
Tags:     zip cve-2012-1723 cve-2012-0507 exploit cve-2010-1885 cve-2012-4681
Detection ratio:     25 / 41
Analysis date:     2012-10-04 07:59:34 UTC ( 10 hours, 17 minutes ago )



https://www.virustotal.com/file/44230ca95626445daa1c25022f06e78f9cb7ff71afda50709e676c0b814909d2/analysis/1349375492/
spn.jar

SHA256:     44230ca95626445daa1c25022f06e78f9cb7ff71afda50709e676c0b814909d2
SHA1:     03547b45e30d92aa721c354cca21b6d8324c419f
MD5:     add1d01ba06d08818ff6880de2ee74e8
File size:     10.2 KB ( 10397 bytes )
File name:     spn.jar
File type:     ZIP
Detection ratio:     10 / 44
Analysis date:     2012-10-04 18:31:32 UTC ( 0 minutes ago )

https://www.virustotal.com/file/566dff67f099f6cd5527de451d05da556789f0da8c0f568ac45d473c2adf31a9/analysis/1349376388/
SHA256:     566dff67f099f6cd5527de451d05da556789f0da8c0f568ac45d473c2adf31a9
SHA1:     4dcc1ada5c9a61e9cea8025ac5f1670e7ab6d2c4
MD5:     c7abd2142f121bd64e55f145d4b860fa
File size:     12.4 KB ( 12701 bytes )
File name:     spn2.jar
File type:     ZIP
Detection ratio:     16 / 43
Analysis date:     2012-10-04 18:46:28 UTC ( 1 minute ago )

https://www.virustotal.com/file/1e9e19cc0e6c49f658f6205d19d3940698cbe22df6cdb149c8178857992473e7/analysis/
SHA256:     1e9e19cc0e6c49f658f6205d19d3940698cbe22df6cdb149c8178857992473e7
SHA1:     6f7459226871ed3822c840ca465612475f635801
MD5:     d1e2ff36a6c882b289d3b736d915a6cc
File size:     7.9 KB ( 8103 bytes )
File name:     t.pdf
File type:     PDF
Tags:     pdf acroform invalid-xref
Detection ratio:     18 / 43
Analysis date:     2012-10-04 17:30:11 UTC ( 1 hour, 19 minutes ago )


9 comments:

  1. Hello, I would like to ask for the password for the archive blackhole 2 and your contacts

  2. My email is makot444@gmail.com, please write the password

  3. Don't leave your email addresses here, it is stupid as spammers will harvest it plus read above -
    the email address is in the profile.

  4. So he has no mail in his profile

  5. Give ukogo request a password?

  6. The malwaremustdie blog link does not look like bek2... I fail to see the difference between the version on this site and the previous blackhole deobfuscated that we've been seeing for a long time. The URLs to the payloads even appear to be static and those which were commonly used (see the Sophos report "Exploring the Blackhole Exploit Kit" for examples).

    1. They post a lot and the one you saw is different from what they had on the first page. This url has bh2 http://malwaremustdie.blogspot.com/2012/09/following-lead-of-suspected-blackhole2.html
