Blackhole

from Wikipedia, the free encyclopedia
Blackhole
Basic data

Developer:        Paunch
Current version:  2.0 (estimated) (September 12, 2012)
Category:         Exploit kits, malware
License:          unknown
German-language:  No

Blackhole (literally "black hole") is an exploit kit that now has a market share of almost 30 percent. It is believed to have been developed by Russian cyber criminals, as the screenshots circulating on the Internet suggest.

Blackhole's infrastructure

Blackhole is sold commercially ($1000 per half-year) and offers relatively convenient administration via a web interface. What is special about it is that the Blackhole developers react very quickly to new security vulnerabilities: the exploit published in connection with the Java vulnerability CVE-2012-4681 was integrated into Blackhole after just twelve hours.

A precise description of Blackhole's server infrastructure is not possible. New servers are added every day, some of which go offline again after a few hours or days. In addition, many of these nodes are located within anonymous networks (e.g. Tor), which makes it virtually impossible to identify the persons responsible. Most of these servers are in the USA (almost 30%), followed by Russia (≈ 17.5%).

Country          Blackhole's server share (2012)
Brazil            1.49%
Great Britain     2.24%
Netherlands       2.55%
Germany           3.68%
China             5.22%
Turkey            5.74%
Italy             5.75%
Chile            10.77%
Russia           17.88%
United States    30.81%
Others           13.88%

A typical Blackhole infection

Most Blackhole infections proceed according to the following scheme: First, an advertising server (i.e. a server on the Internet that displays advertisements on other, unsuspicious websites) is hacked and manipulated so that it loads scripts in the background which redirect the server's visitors to a website. That website then checks the visitor's computer for weak points (such as outdated plugins) and exploits the vulnerabilities it finds. If the attack on a computer succeeds, a so-called payload is downloaded, i.e. a program that carries out further actions, such as covering its tracks or downloading new malicious code precisely tailored to the computer.

Operating Blackhole

It is not known exactly how Blackhole is operated by the "end user". The few screenshots on the Internet suggest a kind of web interface or graphical program. What seems certain, however, is that Blackhole is relatively easy to use, i.e. without tedious programming of exploits or payloads. Details are not known.

Payloads

Payload             Share (over 2 months, August and September 2012)
Zbot                25%
Ransomware          18%
PWS                 12%
Sinowal             11%
FakeAV              11%
Backdoor programs    6%
ZAccess              6%
Downloader           2%
Other payloads       9%

Release of Blackhole

The first version of the exploit kit was published on Malwox, a Russian hacker forum. The exact date and the license under which the program was released are unknown. At the moment version 2.0 (or higher) seems to be the current one.

Countermeasures

Blackhole stands out because it is managed to an above-average standard. The developer(s) (pseudonym: Paunch) are obviously very experienced in finding new malicious code for programs or writing it themselves. According to an article, the IT security company Sophos is trying to track the exploit kit and is calling on users to take more security measures (backups, updating critical programs, etc.). The success of these measures cannot be assessed because it is not (or hardly) known how high the number of computers infected by Blackhole would otherwise be.

Since Blackhole is increasingly making use of zero-day exploits, automatic updates are of little help against those, but they usually do prevent infection by known exploits.

Like other exploit kits, Blackhole manipulates hacked websites by inserting a script (mostly JavaScript) that, when the website is opened, automatically analyzes the browser or operating system in the background and checks for security holes. If it finds what it is looking for, it tries to exploit the holes it has found. Here plug-ins or add-ons (for example NoScript) would help to prevent scripts from being loaded.
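The infection chain and the countermeasures above both hinge on a loader planted in a hacked page: a script or iframe that pulls content from a foreign host, typically sized or styled so the visitor never sees it. The following Python scanner is an added example, not code from the article or from any security vendor it cites; it reports such foreign loaders in fetched HTML, and the site hostname, host names and sample page are constructed assumptions.

```python
"""Flag the loader an exploit kit like Blackhole plants on a hacked page:
script tags and iframes pulling from a foreign host, especially iframes
sized or styled to be invisible. Added example; the sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

def _is_hidden(a):
    """Invisible to the visitor: hidden via CSS or sized to 0/1 pixels."""
    style = a.get("style", "").replace(" ", "").lower()
    dims = (a.get("width", "100"), a.get("height", "100"))
    return "display:none" in style or "visibility:hidden" in style \
        or any(d.isdigit() and int(d) <= 1 for d in dims)

class _LoaderScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        # relative or same-origin sources are the site's own resources
        if host is None or host.lower() == self.site_host:
            return
        if tag == "script":
            self.findings.append(("external script", a["src"]))
        else:
            kind = "hidden external iframe" if _is_hidden(a) else "external iframe"
            self.findings.append((kind, a["src"]))

def find_injected_loaders(html, site_host):
    """Return (kind, src) pairs for every foreign script/iframe in html."""
    p = _LoaderScanner(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: the site's own script, a third-party ad script and
# a 1x1 hidden iframe of the kind a compromised ad server injects.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://ads.example.net/show.js"></script>
<iframe src="http://landing.example.invalid/x.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in find_injected_loaders(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind:23} {src}")
```

Every external script is reported, not only malicious ones; the hidden iframe finding is the one that warrants immediate review of the page source on the server.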

In October 2013 the developer of Blackhole (pseudonym: Paunch) was arrested in Russia together with some accomplices.

Prominent cases of Blackhole attacks

  • On April 3, 2013, it became known that a new and exceptionally well-programmed malicious program called Darkleech was in circulation. Darkleech infects Apache web servers and launches no attacks against requests coming from IP addresses belonging to security companies. It is believed that Darkleech was programmed by the developers of the Blackhole exploit kit because it loads malicious code from Blackhole sites.
  • According to a report from April 8, 2013 on Heise Security, a botnet called Cutwail is currently particularly active again. In addition to the online banking Trojan, it also spreads malware for Android. Here, too, victims are redirected to Blackhole sites.
