Blacole


Microsoft security software detects and removes this family of threats.

You should also update your software to be fully protected.

The Blacole exploit pack tries to infect your PC with other malware, such as trojans and viruses. It is also known as "Blackhole".

See our page about exploits and learn how to update common software.

When you visit a malicious or compromised website, Blacole scans your PC for vulnerabilities or weaknesses in your software.

You might visit the website from a link or attachment in an email, or from a previously safe website that has been hacked.

The threat uses those vulnerabilities it has found on your PC to download malware onto your PC:

Typically, the Blacole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Update Java

Make sure you install all available Java updates. This threat exploits multiple Java vulnerabilities, so installing the latest version of Java helps protect your PC from this threat.

You should remove older versions of Java, as keeping old and unsupported versions of Java on your PC is a serious security risk:

If you continue to get alerted about this threat, deleting your temporary Java files can help:

It's also important to keep your other software up to date:

Update Adobe products

Make sure you install all available Adobe updates. This threat exploits multiple Adobe vulnerabilities, so installing the latest version of Adobe Acrobat, Reader, or Flash helps protect your PC from this threat.

Threat behavior

Installation

Your antivirus software might detect Blacole when you visit a compromised or malicious webpage. A compromised webpage is one in which a hacker has inserted malicious JavaScript code without the webpage owner's knowledge.

When you visit the webpage, the JavaScript code - detected as BlacoleRef - is run.

The Blacole family is designed to load a hidden IFrame that contacts a malicious page that is stored on a web server. This page determines information about your browser, like what browser it is (for example, Internet Explorer or Firefox), what version it is, and what plug-ins or extensions you have installed.

The page then redirects the hidden IFrame to another page (or multiple pages) that specifically uses or exploits only those vulnerabilities that your browser is susceptible to. These vulnerabilities are then used to download malware onto your PC.
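
For a website owner, the injected hidden IFrame described above is the thing to look for in your own pages. The scanner below is an added example, not code from the original page or from Microsoft: it parses a page with Python's html.parser and records every IFrame that is styled invisible, sized to a pixel or two, or nested inside a hidden element. The sample HTML and the hostnames in it are constructed; the page token abfd0d069b45c17e and the i.php?f=16&e=3 request shape are taken from the request examples on this page.

```python
from html.parser import HTMLParser

# Constructed HTML of a compromised page (not from the original page): the owner's
# own content plus two injected, invisible IFrames. The hostnames are placeholders.
SAMPLE_HTML = """\
<html><body>
<h1>Welcome to our store</h1>
<iframe src="https://partner.example.test/widget" width="300" height="250"></iframe>
<iframe src="http://landing.example.test/main.php?page=abfd0d069b45c17e" width="1" height="1" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://landing.example.test/i.php?f=16&amp;e=3"></iframe></div>
</body></html>
"""

HIDING_STYLES = ("display:none", "visibility:hidden")
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}  # no end tag, so never pushed


def _tiny(value):
    """True for a width/height of 0 or 1 pixel, the usual size of an injected IFrame."""
    if value is None:
        return False
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


class HiddenIframeScanner(HTMLParser):
    """Records every <iframe> that is styled invisible, sized to a pixel, or nested in a hidden element."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = []         # (tag, hides) for each open container element
        self._hidden_depth = 0  # > 0 while inside a display:none / visibility:hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = any(s in style for s in HIDING_STYLES)
        if tag == "iframe":
            reasons = []
            if hides:
                reasons.append("hiding-style")
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny-size")
            if self._hidden_depth:
                reasons.append("inside-hidden-element")
            if reasons:
                self.findings.append({"src": a.get("src"), "reasons": reasons})
        if tag not in VOID_TAGS:
            self._open.append((tag, hides))
            if hides:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy markup that skips end tags
        while self._open:
            open_tag, hides = self._open.pop()
            if hides:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def find_hidden_iframes(html):
    """Return the suspicious IFrames found in the given HTML, in document order."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding["src"], ", ".join(finding["reasons"]))
```

Run it against a saved copy of each page on your site; an IFrame you did not put there, pointing at a host you do not recognise, is the injection this page describes. The visible partner IFrame in the sample is deliberately left out of the findings so that legitimate embeds do not drown the result.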

In this way, Blacole forms part of a larger process, all of which is designed to have the greatest success of infecting your PC with malware.

The attack code is heavily obfuscated to make detection more difficult.

It uses exploits for known and 0-day software vulnerabilities in the Sun Java platform, Adobe applications like Adobe Reader and Adobe Acrobat, and Microsoft components.

Blacole might be downloaded as a DLL file, for example %TEMP%\wpbt0.dll.

The downloaded file is run by using the following command:

  • regsvr32 -s wpbt0.dll
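
A check for this launch pattern on the endpoint, added here as an example that is not from the original page or from Microsoft: it walks process-creation records (a constructed Sysmon-style shape with parent image, image, command line and working directory; every value is made up) and flags regsvr32 runs that silently register a DLL out of a temp folder under a browser or plug-in parent. The temp-folder suffixes and the parent list are this example's assumptions, and the DLL name wpbt0.dll and the regsvr32 -s command come from this page.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 shape; the field names are this example's own)."""
    parent_image: str
    image: str
    command_line: str
    current_directory: str


# Where a drive-by payload such as %TEMP%\wpbt0.dll lands (assumed temp locations, not from the page)
TEMP_DIR_SUFFIXES = (r"\appdata\local\temp", r"\windows\temp")
# Browsers and the plug-in hosts Blacole exploits; a payload launch normally descends from one of them
DRIVE_BY_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe",
                    "java.exe", "javaw.exe", "acrord32.exe", "acrobat.exe"}
# First quoted or bare argument ending in .dll
_DLL_ARG = re.compile(r'(?:^|\s)(?:"([^"]+\.dll)"|(\S+\.dll))', re.IGNORECASE)


def dll_path(event):
    """Return the DLL handed to regsvr32, resolved against the working directory when relative."""
    m = _DLL_ARG.search(event.command_line)
    if not m:
        return None
    raw = m.group(1) or m.group(2)
    return raw if ntpath.isabs(raw) else ntpath.join(event.current_directory, raw)


def is_silent(command_line):
    """regsvr32 -s (or /s) suppresses the success dialog, which a user-driven install rarely needs."""
    return any(tok.lower() in ("-s", "/s") for tok in command_line.split())


def analyse(event):
    """List the reasons a regsvr32 launch resembles the Blacole payload run; empty means nothing matched."""
    if ntpath.basename(event.image).lower() != "regsvr32.exe":
        return []
    reasons = []
    dll = dll_path(event)
    if dll and ntpath.dirname(dll).lower().endswith(TEMP_DIR_SUFFIXES):
        reasons.append("dll-in-temp")
    if is_silent(event.command_line):
        reasons.append("silent-register")
    if ntpath.basename(event.parent_image).lower() in DRIVE_BY_PARENTS:
        reasons.append("browser-or-plugin-parent")
    return reasons


def flag_events(events, min_reasons=2):
    """Return (event, reasons) pairs meeting the threshold; requiring two signals cuts installer noise."""
    flagged = []
    for event in events:
        reasons = analyse(event)
        if len(reasons) >= min_reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed records: a drive-by launch, a vendor installer, and an unrelated process
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32 -s wpbt0.dll",
                 r"C:\Users\bob\AppData\Local\Temp"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"',
                 r"C:\Windows\System32"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt",
                 r"C:\Users\bob"),
]

if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(event.command_line, "<-", event.parent_image, reasons)
```

The working directory matters: the command on this page names the DLL with no path, so the only way to tell that wpbt0.dll sits in %TEMP% is to resolve the bare name against where regsvr32 was started. Installers that silently register a DLL from Program Files collect one signal and stay below the threshold.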

The following malware is connected to the Blacole family:

The exploit pack has evolved over time to exploit more vulnerabilities, including:

  • CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
  • CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
  • CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
  • CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) that lets remote hackers run arbitrary code
  • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
  • CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
  • CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
  • CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plug-in
  • CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
  • CVE-2010-3552 - Sun Java Runtime New plug-in docbase Buffer Overflow (aka "Java Skyline exploit")
  • CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
  • CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
  • CVE-2011-3402 - Vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1
  • CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier
  • CVE-2012-1723 - Unspecified vulnerability in the JRE component in Java (multiple versions)
  • CVE-2012-4681 - Arbitrary code execution in Oracle Java 7 Update 6 via a crafted applet
  • CVE-2012-5076 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7
  • CVE-2013-0422 - Multiple vulnerabilities in Oracle Java 7
  • CVE-2013-0431 - Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7
  • CVE-2013-1493 - Vulnerability in the color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40
  • CVE-2013-2423 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7

The following is a list of some exploits related to Blacole that we detect:

Blacole uses JavaScript on its landing page, and uses a number of DOM (Document Object Model) manipulating functions. When a browser visits an infected webpage, it creates several browser cache files (temporary Internet files). This might mean detections for Blacole are triggered from within your browser's cache. The number and availability of cache files depend on a number of factors, including the type of browser and its configuration.

In the background, the compromised webpage uses an IFrame to redirect the browser and run a malicious server-side .PHP script on another compromised web server. The following are examples of the script request and format:

  • <site name>/main.php?page=abfd0d069b45c17e
  • <site name>/main.php?page=43842ba0d45a9da3
  • <site name>/main.php?page=8eac7226b6b12c7d
  • <site name>/main.php?page=977334ca118fcb8c
  • <site name>/i.php?f=16&e=3

The compromised server typically hosts other malware in folders created by a hacker. This other malware uses the following file formats:

  • .swf
  • .pdf
  • .jar

It tries to exploit these related applications to run its payload:

  • Adobe Acrobat
  • Adobe Shockwave
  • Adobe PDF Reader
  • Java Runtime Environment (JRE)

The following are examples of malware hosted on a compromised server and run by the Blacole exploit pack:

Blacole can choose from an arsenal of vulnerabilities when it performs an attack. It probes your PC to find out which products you have installed. It can then choose the vulnerability that has the best chance of gaining access to your PC. Currently Blacole uses mainly Java and PDF exploits.

Some of the recent malware files associated with Blacole are:

  • <domain>/data/ap1.php?f=47
  • <domain>/data/ap2.php?f=47
  • <domain>/data/field.swf
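
The request shapes listed here, and the main.php and i.php landing requests above, are what an analyst hunts for in proxy or web logs. The script below is an added example, not code from the original page or from Microsoft: it turns those shapes into patterns, then pairs each landing-page hit with the .jar, .pdf or .swf files (and ap<N>.php?f= fetches) the same client pulled from the same host within a minute, which is the landing-then-exploit chain the page describes. The log format is hypothetical (timestamp, client IP, method, URL, status), the hostnames and addresses are constructed, and the one-minute window is an assumption; the page token abfd0d069b45c17e and field.swf are examples from this page.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Landing-page request shapes taken from the examples on this page; the hex page token is attacker-chosen
LANDING_PATTERNS = [
    re.compile(r"/main\.php\?page=[0-9a-f]{16}$"),
    re.compile(r"/i\.php\?f=\d+&e=\d+$"),
]
# Exploit/payload fetches: the ap<N>.php?f= shape from this page plus the file formats the kit serves
PAYLOAD_PATTERNS = [re.compile(r"/data/ap\d+\.php\?f=\d+$")]
EXPLOIT_EXTENSIONS = (".jar", ".pdf", ".swf")

# Constructed proxy log (hypothetical format): timestamp, client IP, method, URL, HTTP status.
# Hostnames and addresses are placeholders; 0123456789abcdef is a made-up page token.
SAMPLE_LOG = """\
2013-05-02T10:14:01 10.0.0.7 GET http://shop.example.test/index.html 200
2013-05-02T10:14:02 10.0.0.7 GET http://landing.example.test/main.php?page=abfd0d069b45c17e 200
2013-05-02T10:14:04 10.0.0.7 GET http://landing.example.test/data/field.swf 200
2013-05-02T10:14:05 10.0.0.7 GET http://landing.example.test/data/ap1.php?f=47 200
2013-05-02T10:14:06 10.0.0.7 GET http://landing.example.test/w.pdf 200
2013-05-02T10:20:00 10.0.0.9 GET http://cdn.example.test/library.jar 200
2013-05-02T10:31:00 10.0.0.9 GET http://news.example.test/main.php?page=0123456789abcdef 200
"""


def _path_and_query(url):
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def is_landing(url):
    """True when the request path looks like a Blacole landing page."""
    pq = _path_and_query(url)
    return any(p.search(pq) for p in LANDING_PATTERNS)


def is_exploit_file(url):
    """True for the follow-on exploit or payload fetches the landing page redirects to."""
    pq = _path_and_query(url)
    if any(p.search(pq) for p in PAYLOAD_PATTERNS):
        return True
    return urlsplit(url).path.lower().endswith(EXPLOIT_EXTENSIONS)


def parse_line(line):
    timestamp, client, method, url, status = line.split()
    return {"time": datetime.fromisoformat(timestamp), "client": client,
            "method": method, "url": url, "status": int(status)}


def find_exploit_chains(log_text, window=timedelta(seconds=60)):
    """Pair each landing hit with the exploit files the same client fetched from that host soon after.

    A landing hit with no follow-up is still reported: the kit may have found nothing to exploit,
    or the exploit file may have been fetched through a path these patterns do not cover.
    """
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    chains = []
    for i, rec in enumerate(records):
        if not is_landing(rec["url"]):
            continue
        host = urlsplit(rec["url"]).netloc
        followups = [
            r["url"] for r in records[i + 1:]
            if r["client"] == rec["client"]
            and urlsplit(r["url"]).netloc == host
            and r["time"] - rec["time"] <= window
            and is_exploit_file(r["url"])
        ]
        chains.append({"client": rec["client"], "landing": rec["url"], "exploit_files": followups})
    return chains


if __name__ == "__main__":
    for chain in find_exploit_chains(SAMPLE_LOG):
        state = "exploit files fetched" if chain["exploit_files"] else "landing only"
        print(chain["client"], chain["landing"], state, chain["exploit_files"])
```

The lone library.jar fetch from a content host is not reported, because on its own a .jar download is normal; it is the landing page followed by exploit-format files from the same host that marks the kit. Note also that the landing host differs from the compromised site the client visited first, which matches the redirect behaviour described on this page.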

Payload

Loads exploit files

Blacole will load exploits based on which software is vulnerable on your PC. These exploits include:

The downloaded families of malware that we have observed include:

Additional information

The Blacole exploit pack is sold to hackers for profit. This means hackers are often motivated to use the pack to distribute types of malware that will offset this cost, including:

  • Online banking password stealers
  • Rogue security software
  • Backdoor trojans to leverage additional theft

The first time we saw Blacole in the wild was June 2011.

You can read more about Blacole-related malware in the following blogs:

Analysis by Shawn Wang, Oleg Petrovsky and Patrick Nolan


Symptoms

You might see the following page:

There might be no other common symptoms. Alert notifications from installed antivirus software might be the only symptoms.


Prevention


Alert level: Severe
This entry was first published on: Jul 14, 2011
This entry was updated on: Feb 07, 2014

This threat is also detected as:
  • Blackhole Exploit Pack (other)
  • BlacoleRef (other)
  • Blackhole (other)