Alert level: Severe
Detected with Windows Defender Antivirus
Also detected as: Blackhole Exploit Pack (other), BlacoleRef (other), Blackhole (other)
Windows Defender detects and removes this family of threats.
You should also update your software to be fully protected.
When you visit a malicious or compromised website, Blacole scans your PC for vulnerabilities or weaknesses in your software.
You might visit the website from a link or attachment in an email, or from a previously safe website that has been hacked.
The threat uses those vulnerabilities it has found on your PC to download malware onto your PC:
Typically, the Blacole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader.
The following free Microsoft software detects and removes this threat:
Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
You can also visit the Microsoft virus and malware community for more help.
Make sure you install all available Java updates. This threat exploits multiple Java vulnerabilities, so installing the latest version of Java helps protect your PC from this threat.
You should remove older versions of Java, as keeping old and unsupported versions of Java on your PC is a serious security risk:
If you continue to get alerted about this threat, deleting your temporary Java files can help:
It's also important to keep your other software up to date:
Update Adobe products
Make sure you install all available Adobe updates. This threat exploits multiple Adobe vulnerabilities, so installing the latest version of Adobe Acrobat, Reader, or Flash helps protect your PC from this threat.
The Blacole family is designed to load a hidden IFrame that contacts a malicious page that is stored on a web server. This page determines information about your browser, like what browser it is (for example, Internet Explorer or Firefox), what version it is, and what plug-ins or extensions you have installed.
The page then redirects the hidden IFrame to another page (or multiple pages) that specifically uses or exploits only those vulnerabilities that your browser is susceptible to. These vulnerabilities are then used to download malware onto your PC.
In this way, Blacole forms part of a larger process, all of which is designed to give the greatest chance of infecting your PC with malware.
The attack code is heavily obfuscated to make detection more difficult.
It uses exploits for known and 0-day software vulnerabilities in the Sun Java platform, Adobe applications like Adobe Reader and Adobe Acrobat, and Microsoft components.
Blacole might be downloaded as a DLL file, for example %TEMP%\wpbt0.dll.
The downloaded file is run by using the following command:
- regsvr32 -s wpbt0.dll
The following malware are connected to the Blacole family:
The exploit pack has evolved over time to exploit more vulnerabilities, including:
- CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
- CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
- CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
- CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) lets remote hackers run arbitrary code
- CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
- CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability
- CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
- CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
- CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
- CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
- CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plug-in
- CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
- CVE-2010-3552 - Sun Java Runtime New plug-in docbase Buffer Overflow (aka "Java Skyline exploit")
- CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
- CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
- CVE-2011-3402 - Vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1
- CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier
- CVE-2012-1723 - Unspecified vulnerability in the JRE component in Java (multiple versions)
- CVE-2012-4681 - Arbitrary code execution in Oracle Java 7 Update 6 via a crafted applet
- CVE-2012-5076 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7
- CVE-2013-0422 - Multiple vulnerabilities in Oracle Java 7
- CVE-2013-0431 - Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7
- CVE-2013-1493 - Vulnerability in the color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40
- CVE-2013-2423 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7
The following is a list of some exploits related to Blacole that we detect:
In the background, the compromised webpage uses an IFrame to redirect the browser and run a malicious server-side .PHP script on another compromised web server. The following are examples of the script request and format:
- <site name>/main.php?page=abfd0d069b45c17e
- <site name>/main.php?page=43842ba0d45a9da3
- <site name>/main.php?page=8eac7226b6b12c7d
- <site name>/main.php?page=977334ca118fcb8c
- <site name>/i.php?f=16&e=3
The compromised server typically hosts other malware in folders created by a hacker. This other malware uses the following file formats:
It tries to exploit these related applications to run its payload:
- Adobe Acrobat
- Adobe Shockwave
- Adobe PDF Reader
- Java Runtime Environment (JRE)
The following are examples of malware hosted on a compromised server and run by the Blacole exploit pack:
- <domain>/content/g43kb6j34kblq6jh34kb6j3kl4.jar - Exploit:Java/CVE-2010-0840.NK
- <domain>/content/v1.jar - Exploit:Java/Blacole.CE
- <domain>/content/1ddfp.php?f=35 - Exploit:Win32/Pdfjsc.YP
- <domain>/content/2ddfp.php?f=35 - Exploit:Win32/Pdfjsc.YP
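As an added example (not Microsoft's detection logic and not code from this page), the request shapes listed above can be turned into a triage filter for web proxy logs that flags clients that fetched a landing-shaped URL and then a payload-shaped one. The log format, client addresses, host names and label strings are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shapes taken from the examples on this page. They are triage
# heuristics, not signatures: unrelated sites can produce the same shapes.
HEX16 = re.compile(r"[0-9a-f]{16}")
DDFP = re.compile(r"/content/\d+ddfp\.php")

def classify(url):
    """Label a URL that matches a listed Blacole request shape, else None."""
    parts = urlsplit(url)
    path, query = parts.path.lower(), parse_qs(parts.query)
    one = lambda k: query[k][0] if len(query.get(k, [])) == 1 else ""
    if path.endswith("/main.php") and HEX16.fullmatch(one("page")):
        return "landing:main.php"
    if path.endswith("/i.php") and one("f").isdigit() and one("e").isdigit():
        return "landing:i.php"
    if path.startswith("/content/") and path.endswith(".jar"):
        return "payload:jar"
    if DDFP.fullmatch(path) and one("f").isdigit():
        return "payload:ddfp.php"
    return None

# Constructed proxy log (timestamp, client, method, URL); hosts are placeholders.
SAMPLE_LOG = """\
2013-03-01T10:00:01 10.0.0.5 GET http://site.example/main.php?page=abfd0d069b45c17e
2013-03-01T10:00:02 10.0.0.5 GET http://host.example/content/v1.jar
2013-03-01T10:00:03 10.0.0.5 GET http://host.example/content/1ddfp.php?f=35
2013-03-01T10:00:04 10.0.0.7 GET http://shop.example/main.php?page=2
2013-03-01T10:00:05 10.0.0.8 GET http://site.example/i.php?f=16&e=3
"""

def scan(log_text):
    """Map each client to the labels of its matching requests, in log order."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        label = classify(fields[3]) if len(fields) == 4 else None
        if label:
            hits.setdefault(fields[1], []).append(label)
    return hits

def chained(hits):
    """Clients with both a landing-shaped and a payload-shaped request."""
    kinds = lambda labels: {l.split(":")[0] for l in labels}
    return sorted(c for c, ls in hits.items() if kinds(ls) == {"landing", "payload"})

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), chained(scan(SAMPLE_LOG)))
```

A single match, such as the lone `i.php` request from 10.0.0.8, is weak evidence on its own; the landing-then-payload sequence from one client is the pattern worth escalating.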
Blacole can choose from an arsenal of vulnerabilities when it performs an attack. It probes your PC to find out which products you have installed. It can then choose the vulnerability that has the best chance to gain access to your PC. Currently Blacole uses mainly Java and PDF exploits.
Some of the recent malware files associated with Blacole are:
Loads exploit files
Blacole will load exploits based on which software is vulnerable on your PC. These exploits include:
The downloaded families of malware that we have observed include:
The Blacole exploit pack is sold to hackers for profit. This means hackers are often motivated to use the pack to distribute types of malware that will offset this cost, including:
- Online banking password stealers
- Rogue security software
- Backdoor trojans to leverage additional theft
The first time we saw Blacole in the wild was June 2011.
You can read more about Blacole-related malware in the following blogs:
- Plenty to complain about with faux BBB spam
- Get gamed and rue the day...
- Disorderly conduct: localized malware impersonates the police
Analysis by Shawn Wang, Oleg Petrovsky and Patrick Nolan
You might see the following page:
There might be no other common symptoms. Alert notifications from installed antivirus software might be the only symptoms.