A technical paper by Fraser Howard, SophosLabs, UK
2.3.3 Exploit components
The landing page will load files that target the exploits relevant to the victim’s machine (based on the information determined from fingerprinting). The following file types are used by Blackhole:
[removed]/content/ap1.php?f=b6863 (type 1)
[removed]/content/ap2.php?f=b6863 (type 2)
[removed]/content/fdp2.php?f=50 (type 2)
Two Flash files are loaded, from URLs such as those listed below:
[removed]/content/field.swf (type 1)
[removed]/content/score.swf (type 2)
Blackhole is one of the reasons behind the recent press interest in Java vulnerabilities. Anecdotal evidence* collected during the past year indicates that it is predominantly the Java vulnerabilities that lead to users getting infected by Blackhole. The Java content is loaded via JAR files, from URLs such as that listed below:
Interestingly, Blackhole uses the Java Open Business Engine (Java OBE) to load the CVE-2010-0842 exploit code and infect the victim.
Figure 6: An applet HTML element used to load malicious Java content. Note the obfuscated URL passed in via the applet parameter.
One of the class files within the JAR archive decodes the URL parameter in order for the executable payload to be downloaded. Figure 7 illustrates the Java code used to do this.
Figure 7: Snippet of Java code responsible for decoding the obfuscated URL included as a parameter in the applet element of Figure 6.
As you can see, deobfuscation requires two additional strings initialized in the malicious class file. For this example, the applet parameter decodes to the path of the executable payload:
The exact same trick of passing the obfuscated payload URL via the applet parameter is not unique to Blackhole. Recently we have seen the trick used by an exploit kit known as Jupiter (Figure 8).
Figure 8: Extract from the Jupiter landing page, illustrating the same obfuscated URL trick that Blackhole uses (Figure 7).
See Section 3.4 for some examples of how Blackhole aggressively modifies and obfuscates the applet element in order to evade detection. Recent flavours of the landing pages also use additional data prepended to the start of the obfuscated URL string!
Blackhole also targets the much publicized vulnerability in Microsoft Help and Support Center (CVE-2010-1885). The kit adds an iframe to load content from a malformed hcp:// URL, in order to run a script that writes out a VBS.
Figure 9: Snippet of code used in exploiting CVE-2010-1885
The VBS attempts to download further content from hcp_vbs.php (CVE-2006-0003) or hcp_asx.php.
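As an added illustration of what a defender can look for when scanning captured landing pages like these (example code written for this article, not SophosLabs code and not Blackhole's own decoder), the scanner below flags applet elements carrying long, high-entropy parameter values of the kind described for Figures 6 and 7, and iframes whose src uses the hcp:// scheme as in Figure 9. The sample HTML, the URLs in it and the length/entropy thresholds are constructed assumptions.

```python
import math
from collections import Counter
from html.parser import HTMLParser


def shannon_entropy(s):
    """Bits per character; an obfuscated URL scores far higher than a plain one."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


class LandingPageScanner(HTMLParser):
    """Records applets, suspicious applet params and hcp:// iframes as findings."""

    def __init__(self, min_len=32, min_entropy=4.0):
        super().__init__()
        self.findings = []          # list of (kind, detail) tuples
        self._in_applet = False
        self.min_len, self.min_entropy = min_len, min_entropy

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # html.parser lowercases tag/attribute names
        if tag == "applet":
            self._in_applet = True
            self.findings.append(("applet", a.get("archive") or a.get("code")))
        elif tag == "param" and self._in_applet:
            value = a.get("value") or ""
            if len(value) >= self.min_len and shannon_entropy(value) > self.min_entropy:
                self.findings.append(("obfuscated-param", a.get("name")))
        elif tag == "iframe":
            src = (a.get("src") or "").strip().lower()
            if src.startswith("hcp:"):
                self.findings.append(("hcp-iframe", src))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._in_applet = False


def scan_html(html):
    scanner = LandingPageScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample landing page: hostnames, JAR name and parameter value are made up.
SAMPLE_HTML = """
<applet archive="http://landing.example/content/ex.jar" code="Loader.class" width="1" height="1">
  <param name="u" value="w3Kp9Xf1Qz7Lm5Hb2Vn8Jc4Yd6Gt0RsAe">
  <param name="bg" value="white">
</applet>
<iframe src="hcp://constructed-malformed-url" width="0" height="0"></iframe>
<iframe src="https://ads.example/frame.html"></iframe>
"""
```

Only the applet, its long high-entropy parameter and the hcp:// iframe are reported; the short parameter and the https iframe are not.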
* Through private communications with individuals from several organisations