SpiderLabs Blog

“Catch Me If You Can” Trojan Banker Zeus Strikes Again (Part 2 of 5)

Written by SpiderLabs Researcher | May 22, 2012 7:42:00 AM

This is the second blog in this series of blogs. The previous blog provided a general overview of the attack.

"Catch Me If You Can" Trojan Banker Zeus Strikes Again (Part 1 of 5)

In this blog we will discuss the techniques used by the cyber-gang to exploit users' machines. We will analyze Blackhole Exploit Kit as the main attack vector that was used.

Blackhole Exploit Kit

An exploit kit is a Web tool that provides pre-packaged exploits of various vulnerabilities for multiple products, such as Internet Explorer, Adobe Reader, Java and more. Exploit kits are specifically designed for cybercriminals who lack any deep knowledge of programming or hacking. For as little as a few hundred dollars, any cybercriminal can easily start a cyber-attack.

The first version of the Blackhole exploit kit was released in September 2010. Since then, we have witnessed thousands of domains spreading exploits generated by this kit, making it the most popular exploit kit by far.

The version of Blackhole exploit kit that used in the attack serves the following exploits:

Table 1: Vulnerabilities packaged by version 1.2.1 of the Blackhole exploit kit

Below is a snippet of obfuscated code generated by Blackhole exploit kit:

Figure 1: Obfuscated MDAC exploit generated by Blackhole exploit kit

The de-obfuscated code is as shown here:

Figure 2: De-obfuscated MDAC exploit CVE-2006-0003 generated by Blackhole exploit kit

Every several months, the author of the Blackhole exploit kit publishes updates which contain new exploits as well as new obfuscation techniques. It has gained popularity among cybercriminals due to its ever-evolving obfuscation techniques and its easy-to-use control panel.

Control Panel

One of the main parts of any exploit kit is a user-friendly and elegant-looking control panel. The screen shot below shows the Blackhole's control panel. Note: This is a general screenshot of Blackhole's control panel, and not one specific to this attack.


Figure 3: Blackhole exploit kit control panel

The Blackhole exploit kit control panel contains extensive information regarding the attack, including: statistics of infected systems, breakdown by countries, browsers, operating system and vulnerabilities.

According to the statistics presented in the screenshot, which are common in most exploit kit attacks, Blackhole exploited some browser (Internet Explorer) vulnerabilities along with vulnerabilities in applications such as Adobe Acrobat Reader and the Java Runtime Environment.

Figure 4: Thread panel allows administrators to execute multiple attacks on one instance

Using the threat panel, the Blackhole exploit kit allows the administrator to build multiple simultaneous attack programs. For example, the panel above shows one virus targeting PCs in the U.K., while another targets PCs in the U.S. Moreover, the threat panel is also being used as an affiliate program, where the administrator configures threats for users who don't buy the exploit kit but also wish to spread malware.


Figure 5: The virus detection function of Blackhole control panel

Blackhole exploit kit has implemented an option to check the detection of new malware using underground anti-virus file scanners such as scan4you.biz and virtest.com, similar to the Siberia exploit kit. The administrator can check every several hours to determine whether anti-virus vendors detect its malware, and if so, replace it with a new variant.[1]

In the next blog in this series we will show how the cyber gang control the bots before they get into action. We will discuss the advantages and the capabilities of the bot controller that was used in this cyber-attack.

[1] For more information about the Blackhole exploit kit, please see the M86 Security (now part of Trustwave) 2H 2011 Threat Report.