BlackHole Toolkit: Malware Running Wild

    Malicious hackers are infecting websites in droves using new kinds of malware. Websites are the newest malware battleground. Benign websites are being compromised and infected by hackers in order to infect their visitors. In the vast majority of cases, the affected website owners are completely oblivious to the fact that a malicious hacker has used their website to infect their visitors.

    In this article we will discuss a widespread strain of malware that already accounts for nearly 100,000 website infection attempts per day logged by IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) sensors.

    What are Toolkits?
    Malicious hackers sometimes use toolkits, pre-packaged pieces of computer code, which make it very easy to distribute malware, infect websites with it and then perform specific malicious activities with the now compromised site(s).

    The strain of malware which we will discuss is related to a toolkit popularly known as the Blackhole Toolkit. This toolkit has been available for some time now and has also been documented by researchers at Symantec.

    How the toolkit works:

    1. Unsuspecting Internet surfers visit websites harboring malicious IFrame tags
    2. Users are then redirected to servers which load malicious payloads via browser exploits or PDF- or SWF-based exploits
    3. Often, a malicious JAR file is downloaded on the PC of the unsuspecting client
      • This JAR file contains malicious URLs which download further malware
    4. The downloaded trojan(s) can post a unique ID to a command-and-control server
    5. The trojan then posts a list of the running processes on the victim’s computer to the server
    6. The following three plugins are then downloaded:
      • stopav.plug – Tries to disable the antivirus installed on the victim’s computer
      • passw.plug – Logs username/password combinations for connections being made
      • miniav.plug – Tries to delete copies of Zeus bots on the computer to prevent competition amongst malware on victim’s computer
    7. Finally, a fake Anti-Virus program is downloaded to the victim’s computer.

    How to Identify an Infected Website
    Search for instances of the following PHP code in files on your server or locate the JavaScript in the webpages delivered to clients. Below is a sample of the PHP code which aids the installation of this malware.

    $var="kfb2rpgv"; echo base64_decode(str_rot13
    

    The JavaScript produced by this code:

    try{try{a1=a2}catch(a){b[2]=21};}catch(a){k="ReferenceErr"+a.toString().substr(0,0);};var ar=">a)myuA1NhTvB\";zEr0c.pi (sngC}{d?lwt
    

    The malicious IFrames generated as a result load content from the following sites:

    marillador.cz.cc
    web-traffic.cz.cc
    yourstatscounter.cz.cc
    beazenrad.cz.cc
    loading-v-506.cz.cc
    luckychance.cz.cc
    cnc0098510m.cz.cc
    newincposrtqw.cz.cc
    upperblackeddy4.cz.cc
    ndidrsjt.cz.cc
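    As an added, runnable illustration of the search described above (this is example code written for this article, not the toolkit's code or a vendor tool), the following Python script walks a web root and reports the three indicator types listed here: the base64_decode(str_rot13(...)) loader, the opening fragment of the JavaScript it emits, and IFrames whose src points at one of the listed hosts. It also decodes the loader's string argument in the order PHP applies the functions (str_rot13, then base64_decode) so that an IFrame hidden inside the obfuscated output is checked too. The sample PHP file it scans is constructed for the demonstration, and the file-extension filter and indicator names are choices of this example.

```python
import base64
import codecs
import re
from pathlib import Path

# Indicators quoted in the article: the PHP loader construct, the opening
# fragment of the JavaScript it emits, and the .cz.cc hosts the IFrames use.
PHP_PATTERN_RE = re.compile(r"base64_decode\s*\(\s*str_rot13", re.IGNORECASE)
PHP_LOADER_RE = re.compile(
    r"""base64_decode\s*\(\s*str_rot13\s*\(\s*(['"])(?P<blob>[^'"]*)\1""",
    re.IGNORECASE,
)
JS_SIGNATURE = 'try{try{a1=a2}catch(a){b[2]=21};}catch(a){k="ReferenceErr"'
KNOWN_HOSTS = {
    "marillador.cz.cc", "web-traffic.cz.cc", "yourstatscounter.cz.cc",
    "beazenrad.cz.cc", "loading-v-506.cz.cc", "luckychance.cz.cc",
    "cnc0098510m.cz.cc", "newincposrtqw.cz.cc", "upperblackeddy4.cz.cc",
    "ndidrsjt.cz.cc",
}
IFRAME_SRC_RE = re.compile(
    r"""<iframe[^>]*\ssrc\s*=\s*['"]?(?:https?:)?//([^/'"\s>]+)""", re.IGNORECASE
)


def decode_rot13_base64(blob: str) -> str:
    """Undo the loader's obfuscation in the order PHP applies it:
    str_rot13 first, then base64_decode. Raises ValueError on bad base64."""
    rotated = codecs.decode(blob.strip(), "rot13")
    rotated += "=" * (-len(rotated) % 4)  # tolerate stripped '=' padding
    return base64.b64decode(rotated, validate=True).decode("utf-8", errors="replace")


def known_iframe_hosts(text: str) -> list:
    """Hosts of IFrame src attributes that match the article's domain list."""
    return [h.lower() for h in IFRAME_SRC_RE.findall(text) if h.lower() in KNOWN_HOSTS]


def scan_text(text: str) -> list:
    """Return (indicator, detail) pairs found in one file's contents."""
    findings = []
    for m in PHP_PATTERN_RE.finditer(text):
        findings.append(("php_loader", m.start()))
    for m in PHP_LOADER_RE.finditer(text):
        try:
            decoded = decode_rot13_base64(m.group("blob"))
        except ValueError:
            findings.append(("php_loader_undecodable", m.start()))
            continue
        findings.append(("php_loader_decoded", decoded[:60]))
        # The decoded output is what the browser receives, so scan it as well.
        findings.extend(("iframe_host", h) for h in known_iframe_hosts(decoded))
    if JS_SIGNATURE in text:
        findings.append(("js_signature", text.index(JS_SIGNATURE)))
    findings.extend(("iframe_host", h) for h in known_iframe_hosts(text))
    return findings


def scan_directory(root, extensions=(".php", ".html", ".htm", ".js")) -> dict:
    """Walk a web root and map each flagged file to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


def make_sample_blob(payload: str) -> str:
    """Builds the test fixture only: base64 then rot13 is the inverse of
    what the PHP loader does at run time."""
    return codecs.decode(base64.b64encode(payload.encode()).decode(), "rot13")


# Constructed fixture (not taken from a real infection): a loader whose
# decoded output is a 1x1 IFrame pointing at one of the hosts listed above.
SAMPLE_PAYLOAD = '<iframe src="http://marillador.cz.cc/in.php" width="1" height="1"></iframe>'
SAMPLE_PHP = '<?php $var="kfb2rpgv"; echo base64_decode(str_rot13("%s")); ?>' % make_sample_blob(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_text(SAMPLE_PHP)
        Path(tmp, "about.html").write_text("<html><body>clean page</body></html>")
        for path, hits in scan_directory(tmp).items():
            print(path)
            for kind, detail in hits:
                print("   ", kind, detail)
```

    Run it against a copy of the web root rather than the live tree, and treat the decoded text as the thing to review: the loader variable name and the blob change between infections, but the IFrame host it expands to is what the visitor's browser actually contacts.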
    

    If you think you are facing a problem related to this specific strain of malware, please scan your computer with an Anti-Virus program (scanning with multiple Anti-Virus engines can yield better results).

    We Can Help!
    If you want to protect your site from infection, or you need additional support, please sign up for one of our services. Please contact us with your comments or questions.