Encyclopedia entry: Blacole - Learn more about malware - Microsoft Malware Protection Center

Microsoft


	Blacole (?) Encyclopedia entry Updated: Apr 22, 2013 \| Published: Jul 14, 2011 Aliases Blackhole Exploit Pack (other) BlacoleRef (other) Blackhole (other) Alert Level (?) Severe Antimalware protection details Microsoft recommends that you download the latest definitions to get protected. On this page Summary\|Symptoms\|Technical Information\|Prevention\|Recovery Summary Microsoft security software can detect and remove this family of threats. You will also need to update your software to be fully protected from this exploit pack. The Blacoleexploit pack infects your computer with more malware. When you visit a malicious or compromised website these threats can scan for vulnerabilities in your software. A vulnerability is like a "hole" in your software that malware can use to get on your computer. By scanning for vulnerabilities Blacolethreats can choose the malware that has the best chance of infecting your computer. What to do now Vulnerabilities are fixed by updating your software. Updates are usually available from the software publisher’s website. You can find instructions on how to download the latest versions of some common software on our updating software page. How it works The Blacole family of threats uses a webpage to work out which exploits will infect your computer. Top Symptoms The following is an example of a typical user experience when browsing to a web page that contains the malicious code: There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms. Top Technical Information (Analysis) The Blacole exploit pack is sold to attackers for profit. This means attackers are often motivated to use the pack to distribute types of malware that will offset this cost, including: Online banking password stealers Rogue security software Backdoor trojans to leverage additional theft The first time we saw Blacole it in the wild was June 2011. Installation Blacole can be encountered when you visit a malicious webpage using a computer with vulnerable software installed. When you visit an infected website you are often presented with a blank page that says: please wait page is loading. The attack code is heavily obfuscated to make detection more difficult. It uses code exploits for known and 0-day software vulnerabilities in the Sun Java platform, Adobe applications such as Adobe Reader and Adobe Acrobat, and Microsoft components. Blacole may be downloaded as a DLL file on an affected computer, for example %Temp%\wpbt0.dll. The downloaded malware file is run locally by using the following command: regsvr32 -s wpbt0.dll The following malware are connected to the Blacole family: Exploit:JS/BlacoleRef Exploit:JS/Mult Exploit:JS/ShellCode Exploit:Win32/Java Exploit:Win32/Pdfjsc Exploit:Win32/Pidief Exploit:Win32/SWF Trojan:JS/Redirector Trojan:Win32/Reveton TrojanDownloader:HTML/Adodb Win32/Fareit Win32/Weelsof The exploit pack has evolved over time to exploit more vulnerabilities, including: CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC) CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll" CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plug-in CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability CVE-2010-3552 - Sun Java Runtime New plug-in docbase Buffer Overflow (aka "Java Skyline exploit") CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier CVE-2012-1723 - Unspecified vulnerability in the JRE component in Java (multiple versions) CVE-2012-4681 - Arbitrary code execution in Oracle Java 7 Update 6 via a crafted applet CVE-2013-0422 - Multiple vulnerabilities in Oracle Java 7 CVE-2013-0431 - Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7 The following is a list of some exploits related to Blacole that we detect: Exploit:HTML/CVE-2010-4452 Exploit:Java/Blacole.GD Exploit:Java/CVE-2010-0840 Exploit:Java/CVE-2010-0842 Exploit:Java/CVE-2010-0886 Exploit:Java/CVE-2010-3552 Exploit:Java/CVE-2010-4452 Exploit:Java/CVE-2011-3544 Exploit:Java/CVE-2012-1723 Exploit:Java/CVE-2012-4681 Exploit:Java/CVE-2013-0422 Exploit:Java/CVE-2013-0431 Exploit:Java/Midesq.A Exploit:JS/CVE-2007-5659 Exploit:JS/CVE-2010-0886 Exploit:JS/CVE-2010-4452 Exploit:JS/Mult.DJ Exploit:JS/Mult.DU Exploit:JS/Mult.DX Exploit:JS/ShellCode.O Exploit:JS/ShellCode.P Exploit:JS/Shiep.A Exploit:SWF/CVE-2011-2110 Exploit:Win32/CVE-2008-2992 Exploit:Win32/CVE-2010-0188 Exploit:Win32/CVE-2010-1885 Exploit:Win32/Pdfjsc Exploit:Win32/Pdfjsc.ADF Exploit:Win32/Pidief.B TrojanDownloader:JS/Adodb.F Blacole uses JavaScript on its landing page, and utilizes a number of DOM (Document Object Module) manipulating functions. When a browser visits an infected webpage it creates several browser cache files (temporary Internet files). This can mean detections for Blacole are triggered in the browser's cache files. The number and availability of created cache files depend on a number of factors, including the type of browser and its configuration. In the background, the compromised webpage uses an IFrame to redirect the browser and execute a malicious server-side .PHP script on another compromised web server. The following are examples of the script request and format: <site name>/main.php?page=abfd0d069b45c17e <site name>/main.php?page=43842ba0d45a9da3 <site name>/main.php?page=8eac7226b6b12c7d <site name>/main.php?page=977334ca118fcb8c <site name>/i.php?f=16&e=3 The compromised server typically hosts other malware in folders created by an attacker. This other malware uses the following file formats: .SWF .PDF .JAR It attempts to exploit these related applications to execute its payload: Adobe Acrobat Adobe Shockwave Adobe PDF Reader Java Runtime Environment (JRE) The following are in-the-wild examples of malware hosted on a compromised server and run by the Blacole exploit pack: <domain>/content/g43kb6j34kblq6jh34kb6j3kl4.jar - Exploit:Java/CVE-2010-0840.NK <domain>/content/v1.jar - Exploit:Java/Blacole.CE <domain>/content/1ddfp.php?f=35 - Exploit:Win32/Pdfjsc.YP <domain>/content/2ddfp.php?f=35 - Exploit:Win32/Pdfjsc.YP Blacole can choose from an arsenal of vulnerabilities when it performs an attack. It probes your computer to find out which products you have installed. It can then choose the vulnerability that has the best chance to gain access to your computer. Currently Blacoleuses mainly Java and PDF exploits. Some of the recent malware files associated with Blacole are: <domain>/data/ap1.php?f=47 <domain>/data/ap2.php?f=47 <domain>/data/field.swf Payload Loads exploit files Blacole will load exploits based on which software is vulnerable on your computer. These exploits include: Exploit:Java/CVE-2010-0840.EW Exploit:Win32/Pdfjsc.RF Exploit:Win32/Pdfjsc.RM The downloaded families of malware that we have observed include: Backdoor:Win32/Simda Rogue:Win32/Winwebsec Trojan:Win32/Lockscreen.BO Trojan:Win32/Necurs Trojan:Win32/Ransom.FL Trojan:Win32/Simda Trojan:WinNT/Rootkit Win32/Carberp Win32/Cutwail Win32/Cycbot Win32/Drstwex Win32/EyeStye Win32/FakeRean Win32/FakeSysdef Win32/Fareit Win32/Meteit Win32/Reveton Win32/Sinowal Win32/Sirefef Win32/Zbot Worm:Win32/Cridex Worm:Win32/Gamarue Additional information You can read more about Blacole related malware in the following blog articles: Plenty to complain about with faux BBB spam Get gamed and rue the day... Disorderly conduct: localized malware impersonates the police Analysis by Shawn Wang, Oleg Petrovsky and Patrick Nolan Top Prevention There are several steps you can take to help prevent infection on your computer. Update vulnerable applications This threat exploits numerous vulnerabilities in applications including Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader. Install applicable updates available from the vendor as these software updates provided enhanced security and mitigate vulnerabilities. You can read more about the vulnerabilities targeted by this malware and where to download available software updates from the following links: CVE-2006-0003 and Microsoft Security Bulletin MS06-014 CVE-2007-5659 and Adobe Security Bulletin APSB08-13 CVE-2008-2992 and Adobe Security Bulletin APSB08-19 CVE-2009-0927 and Adobe Security Bulletin APSB09-04 CVE-2009-1671 and Java JRE updates CVE-2009-4324 and Adobe Security Bulletin APSB10-02 CVE-2010-0188 and Adobe Security Bulletin APSB10-07 CVE-2010-0840 and Java JRE updates CVE-2010-0842 and Java JRE updates CVE-2010-0886 and Java SE updates CVE-2010-1423 and Java SE updates CVE-2010-1885 and Microsoft Security Advisory (2219475) CVE-2010-3552 and Oracle Java SE Update Advisory October 2010 CVE-2010-4452 and Oracle Java SE Update Advisory February 2011 CVE-2011-2110 and Adobe Security Bulletin APSB11-18 CVE-2011-3544 and Oracle Java SE Update Advisory October 2011 CVE-2012-1723 and Oracle Java SE Critical Patch Update Advisory - June 2012 CVE-2012-4681 and Java SE updates CVE-2013-0422 and Oracle Security Alert - January 2013 CVE-2013-0431 and Oracle Java SE Critical Patch Update Advisory - February 2013 Download Java updates It is necessary to remove older versions of Java that may still be present. Storing older versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information. Remove older versions of Java Top Recovery To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat: Microsoft Security Essentials Microsoft Safety Scanner There is more information about antivirus software on our Consumer security software providers page. Clear your cache This threat may be present in your Temporary Internet Files folder. We recommend that you delete your temporary Internet files to prevent the persistent detection of this threat. There is more information about this step in this article on how to delete the temporary Internet files from Internet Explorer. Install updates This threat exploits numerous vulnerabilities in applications including Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader. Install applicable updates available from the vendor as these software updates provided enhanced security and mitigate vulnerabilities. You can read more about the vulnerabilities targeted by this malware and where to download available software updates from the following links: CVE-2006-0003 and Microsoft Security Bulletin MS06-014 CVE-2007-5659 and Adobe Security Bulletin APSB08-13 CVE-2008-2992 and Adobe Security Bulletin APSB08-19 CVE-2009-0927 and Adobe Security Bulletin APSB09-04 CVE-2009-1671 and Java JRE updates CVE-2009-4324 and Adobe Security Bulletin APSB10-02 CVE-2010-0188 and Adobe Security Bulletin APSB10-07 CVE-2010-0840 and Java JRE updates CVE-2010-0842 and Java JRE updates CVE-2010-0886 and Java SE updates CVE-2010-1423 and Java SE updates CVE-2010-1885 and Microsoft Security Advisory (2219475) CVE-2010-3552 and Oracle Java SE Update Advisory October 2010 CVE-2010-4452 and Oracle Java SE Update Advisory February 2011 CVE-2011-2110 and Adobe Security Bulletin APSB11-18 CVE-2011-3544 and Oracle Java SE Update Advisory October 2011 CVE-2012-1723 and Oracle Java SE Critical Patch Update Advisory - June 2012 CVE-2012-4681 and Java SE updates CVE-2013-0422 and Oracle Security Alert - January 2013 CVE-2013-0431 and Oracle Java SE Critical Patch Update Advisory - February 2013 Download Java updates In addition to Microsoft Windows update, third-party applications are available to assist in maintaining software updates, which include enhancements and security updates, for applications such as Oracle Java, Sun Java and Adobe Acrobat and Reader. Top


	Provide feedback Please note: While your feedback is very important to us, we do not respond to individual submissions through this channel. Feedback, requests, or questions submitted through this form are monitored, however responses are not generated. If you require support, please visit the Safety & Security Center.