BlackHole Exploit Kit 1.0.2
Crimeware is designed (through social engineering or technical stealth) to perpetrate identity theft in order to access a computer user's online accounts at financial services companies and online retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the crimeware. Crimeware also often has the intent to export confidential or sensitive information from a network for financial exploitation.
The BlackHole Exploit Kit has a powerful set of exploits. It is the most prevalent exploit toolkit and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users. The BlackHole Exploit Kit has clearly emerged as the most used toolkit among hackers. The Blackhole Exploit Kit is a framework for delivering exploits via compromised or third-party websites. Most notable for its sophisticated Traffic Direction Script (TDS), the Blackhole Exploit Kit enables attackers to configure rules that enforce custom responses.
Blackhole Exploit Kit prices
Users can purchase an annual license for $1500, a semi-annual license for $1000, or a quarterly license for $700. The license includes free software updates for the duration of the contract.
As with most exploit kits, it is based on PHP with a MySQL backend. The payload of this kit usually targets Windows operating systems and the applications installed on them. Its central component is the TDS, or Traffic Direction Script: an engine that redirects traffic according to a set of rules. A user can define rules that direct visitors to different landing pages on their domain.
These rules could be based on operating system, browser, country of origin, exploit or files. One rule might redirect traffic to page A for all users that are running Windows OS from XP to Vista and running IE 8, while another rule can redirect Windows 7 users to page B. Those were just simple example rules.
More advanced rules can set expiration dates for certain payloads and replace them with new ones when the date is reached. The TDS included in the BlackHole Exploit Kit goes a step further: it lets the operator build traffic flows from these rules and provides a management interface for those flows.
Exploits are encrypted with custom algorithms, which makes this pack difficult to analyze for AV engines and for generic deobfuscation tools and services. The BlackHole Exploit Kit uses the Java OBE (Open Business Engine) toolkit to spread exploits and load the malicious executable onto the victim's machine. Once a victim follows the malicious iframe, the browser downloads a JAR file with an encoded URL parameter, and one of the classes in that JAR decodes the parameter into a clear-text URL.
The URL is concatenated with an HTTP GET parameter and used to download further malicious payload files. The kit itself is encrypted with the commercial php-cryptor, which keeps its distribution tightly controlled.
Technical details explained
When a victim visits a legitimate website that has been injected with a malicious iframe, the iframe redirects the user to the BlackHole Exploit Kit server. The BlackHole Exploit Kit obfuscates its exploits: the page contains a large array inside a textarea which, when decoded, yields exploits for popular vulnerabilities in PDF readers, Java, HCP and MDAC.
The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script, and then decodes it into a URL. The decoded string has the pattern d.php?f=[0-9]{1,2}e=[0-9]{1,2}. This URL is then used to perform other malicious downloads.
The URL downloads Trojan.Carberp, a highly sophisticated Trojan that has been compared to the Zeus Trojan because of its ingenious techniques for avoiding detection. The Trojan posts a unique ID to the command-and-control (C&C) server, which is then used in every transaction between the Trojan and the C&C server. The URL has the pattern /set/task.html.
The Trojan will post all of the running processes on the victim's computer to the C&C server. The URL has the pattern set/first.html and the data posted has the pattern id=(Unique number posted on /set/task.html) os=(Name-version of OS) plist=(List of all running processes).
The Trojan then downloads three modules:
stopav.plug – This module disables the antivirus installed on the victim's computer.
miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its competitor(s).
passw.plug – It will hook the export table of a number of WININET.dll and USER32.dll functions and will log every username/password combination that is typed, as well as any URLs visited.
The C&C server sends the "multidownload" command to the Trojan. The first file downloaded (1.exe) is Trojan Hiloti, which makes requests to a free file-hosting site. One of the domain patterns is [a-z0-9]{12}.weirden.com. The request page has the pattern /get2.php?c=[A-Z]{8} d= (long Hex String). The server always replies with "File Not Found" upon retrieval of the requested file.
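As an added defensive example (not from the report or from the kit), the following Python scans web-proxy log lines for the URL and host patterns described above. The log lines, client addresses and hostnames are constructed; only the patterns come from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines, not real traffic: "client method url"
SAMPLE_LOG = """\
10.0.0.5 GET http://example.com/index.html
10.0.0.5 GET http://kit.example.net/d.php?f=12e=3
10.0.0.5 POST http://c2.example.org/set/task.html
10.0.0.5 POST http://c2.example.org/set/first.html
10.0.0.5 GET http://ab3def9k2m7p.weirden.com/get2.php?c=ABCDEFGH&d=0a1b2c3d4e5f
10.0.0.7 GET http://cdn.example.com/get2.php?c=short
"""

# Path/query patterns, taken as written from the report above
INDICATORS = {
    "blackhole_payload_url": re.compile(r"/d\.php\?f=[0-9]{1,2}e=[0-9]{1,2}$"),
    "carberp_task": re.compile(r"/set/task\.html$"),
    "carberp_first": re.compile(r"/set/first\.html$"),
    "hiloti_get2": re.compile(r"/get2\.php\?c=[A-Z]{8}(?:&|$)"),
}
# Hiloti file-hosting domain pattern from the report
HILOTI_HOST = re.compile(r"^[a-z0-9]{12}\.weirden\.com$")


def classify(url):
    """Return the names of all indicators that a single URL matches."""
    parts = urlsplit(url)
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(path_query)]
    if HILOTI_HOST.match(parts.hostname or ""):
        hits.append("hiloti_host")
    return hits


def scan_log(text):
    """Return (client, url, hits) for every log line matching an indicator."""
    alerts = []
    for line in text.splitlines():
        client, _method, url = line.split(" ", 2)
        hits = classify(url)
        if hits:
            alerts.append((client, url, hits))
    return alerts


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(hits))
```

A single client hitting the d.php payload URL followed by the /set/ C&C paths is the infection chain the report describes, so correlating alerts per client is more useful than alerting on each line alone.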
The BlackHole exploit kit uses several protection mechanisms such as:
- Integrated Anti-Virus based on an API of popular Black Hats AV-Check services.
- A blacklist database of referrers and IP addresses (including address ranges) used to block access to the system.