BlackHole Exploit Kit 2.0 – anti-forensics features announced

2012.09.12

So, major news in the malware world today: the release of BlackHole Exploit Kit ver 2.0, announced by Paunch this morning.

The full text of the advertisement can be read in Russian, with an English translation, at Kafeine’s blog.

Since my part of the interest is anti-forensics features, let’s see what exactly Paunch's ad discloses:

1. Unique, short-lived URLs for infecting the victim, generated for one-time use only, which prevent AV companies' automated systems and researchers from collecting samples easily.

2. The executable that contains the bot\trojan\malware, usually downloaded and executed by the initial exploit code, is protected from direct download and is somehow tied to the short-lived URL the victim was forwarded to.

3. Only relevant exploits attack the victim, according to the preceding plugin enumeration. This will definitely make our life more interesting, since we need to understand by what rules the system decides to use one payload or another in order to collect the samples.

4. Only 3 exploits are used in the basic version of BHEK 2.0: Java pack (atomic + byte), PDF LibTiff and MDAC. These are the most successful ones, rewritten to prevent system and browser crashes. As a result, the end user is not aware of the exploitation.

5. The link to the malicious page, which in BHEK 1.0 was main.php?varname=lgjlrewgjlrwbnvl2, has now changed. The new link can be adapted to any preferred look. Paunch provides the following examples:

/news/index.php,
/contacts.php

In addition, links are by default generated automatically from a word list, not from random characters.
This will make the work of IDS\IPS companies much harder and less effective, at least at first.

6. As with the exploit, the exe payload can be downloaded only once per unique victim. All further attempts can be handled as the owner decides: custom HTML, 302 redirect etc.

7. There is no specific link for the exe download, and no variables are passed to the malware host via GET.

8. For a non-supported browser (currently Chrome), a custom HTML page can be created that informs the user that this page can be viewed only in Internet Explorer, Opera or Mozilla Firefox. This creates the visual impression of a legitimate website and can lead to an additional attempt to infect the client when he opens the page in a different browser.

9. BHEK 2.0 has a feature that checks the detection ratio of the exe payload after a specified amount of time and, if it is higher than configured, removes it or replaces it with a new one. This can effectively prevent detection of the malware payload by AV companies and creates additional work for researchers.

10. Possibility to block traffic without a Referer field, “on” by default.

11. Possibility to filter, allow and ban requests based on the Referer field. This will filter out all those researchers who came to the MDS not from the original infected source.

12. Option to filter out bots by an IP database (13000 in the list), which almost certainly includes the IPs of AV companies, honeynets and known researchers.

13. Option to ban Tor network IPs (recommended on).

14. Added a new “on hold” mode, in which traffic is held for victims; in this mode all activity that continues on the MDS is detected and the IP enters the ban list. This can stop a researcher from testing the MDS and retrieving payloads and exploits.

15. More flexible management of domains, including on-the-fly checks of blacklists and hopping between only the clean domains from the list.

16. Many more features, currently still private, are implemented.

So, here is how it looks.

Well, while previously we saw combinations of an exploit kit and a TDS used to provide some anti-forensics techniques, in this example we see TDS features added inside the exploit kit itself.

We know that malware authors have the potential to surprise us, so it can be a very interesting process to find, understand and defeat the anti-forensics features of BHEK 2.0.
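Item 5 says the move from `main.php?varname=...` to word-list paths will hurt IDS\IPS signatures. The sketch below is an added example, not part of the original post or of any vendor's rule set. It runs an assumed BHEK 1.0-style URL regex and a URL-independent delivery-chain heuristic over constructed proxy-log records. The record layout, hosts, content-type sets and time window are all assumptions.

```python
import re

# Constructed proxy-log records: (epoch s, client, host, path, response Content-Type).
# Hosts and IPs are made up; only the two path styles come from the post.
LOG = [
    (100, "10.0.0.5", "old-kit.example", "/main.php?varname=lgjlrewgjlrwbnvl2", "text/html"),
    (200, "10.0.0.7", "new-kit.example", "/news/index.php", "text/html"),
    (203, "10.0.0.7", "new-kit.example", "/contacts.php", "application/java-archive"),
    (209, "10.0.0.7", "new-kit.example", "/news/index.php", "application/x-msdownload"),
    (300, "10.0.0.9", "intranet.example", "/news/index.php", "text/html"),
    (305, "10.0.0.9", "intranet.example", "/contacts.php", "text/html"),
    (400, "10.0.0.8", "vendor.example", "/docs/manual.pdf", "application/pdf"),
    (900, "10.0.0.8", "vendor.example", "/setup.exe", "application/x-msdownload"),
]

# Assumed 1.0-style URL signature: main.php with one long random-looking value.
OLD_URL_SIG = re.compile(r"/main\.php\?\w+=[a-z0-9]{10,}$")
# Assumed content types for exploit carriers (Java, PDF) and for the exe payload.
# MDAC is delivered inside HTML, so this heuristic does not cover it.
CARRIER = {"application/java-archive", "application/pdf"}
EXECUTABLE = {"application/x-msdownload", "application/x-dosexec"}
WINDOW = 60  # seconds between carrier and executable; assumed threshold

def url_signature_hits(log):
    """Hosts flagged by the URL-pattern signature alone."""
    return sorted({host for _, _, host, path, _ in log if OLD_URL_SIG.search(path)})

def chain_hits(log, window=WINDOW):
    """(client, host) pairs where a carrier is followed by an executable within the window."""
    last_carrier = {}
    hits = set()
    for ts, client, host, _path, ctype in sorted(log):
        key = (client, host)
        if ctype in CARRIER:
            last_carrier[key] = ts
        elif ctype in EXECUTABLE and ts - last_carrier.get(key, -window - 1) <= window:
            hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    print("URL signature:", url_signature_hits(LOG))   # misses the word-list paths
    print("Delivery chain:", chain_hits(LOG))          # ignores the path entirely
```

The Content-Type header is set by the server, so a sensor that can see response bodies should classify by file magic bytes instead of trusting it.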

So – let’s begin! Find and share 🙂

Stay safe

D.L.
