Possible Update to the Blackhole Exploit Toolkit

Pretty much everyone is aware of the BlackHole toolkit. We previously wrote a blog that compared the prevalence of various toolkits.

At FireEye, we trigger on thousands of BlackHole events every day across our customer base. We have recently seen reports that the toolkit has been updated. The following website gives you good details about what features have been included in the new toolkit: http://malware.dontneedcoffee.com/2012/09/blackhole2.0.html.

We immediately started looking through the FireEye Malware Protection Cloud (MPC) to see if the FireEye Virtual Execution engine in our appliances had seen instances of this new toolkit. (The FireEye Virtual Execution engine is our proprietary virtual machine technology that enables us to detect threats that have never before been seen.) Websense reported finding URLs in their blog, and we found a bunch of URLs—the earliest of which was detected on September 3, 2012.

Let’s get into a few technical details and talk about how the older versions of BlackHole communicated.

Old_bh_comm

A user browsing a compromised website gets redirected to an exploit page, which matches the pattern "main.php?page=" or in this case "forum.php?tp=." After successful exploitation, a binary gets downloaded. This sequence of events is captured in the figure above.

This is how the new communication looks. The capture below shows the URL downloading the exploit PDF.

Bh_new
The following is a list of URLs that we have detected across our customer base since the first detection on September 3. These URLs, if confirmed as BlackHole, show a clear deviation from the conventional URI patterns employed by the toolkit. Below is a subset of URLs that we detected.

Bh_urls
While we are not absolutely sure that this is in fact coming from a newer version of the BlackHole toolkit, the URL patterns that we have seen in the FireEye MPC seem to fit the descriptions mentioned by the BlackHole author to a certain degree. But since more and more URL randomization and AV evasion techniques like this have been adopted by the malware toolkits, it should not be a surprise if it is from other toolkits.

Attached is a graph that depicts the rate of detection since September 3 for these types of URLs.

Chart_bh
Analysis and confirmation of a newly discovered malware or toolkit takes time and requires industry collaboration. Our analysis on this is ongoing and we will keep updating our blog as and when we gather more information about whether or not this communication is actually BlackHole 2.0. That being said, all FireEye customers are protected from this threat.

Props to Yasir Khalid at FireEye for quickly taking the effort and the initiative to sift through tons of data and doing all the hard work.

UPDATE: An earlier version of this post inadvertently omitted the reference to Websense's blog. This post has since been updated, and the change is now reflected.