Analysis of a .jar attack from the Blackhole exploit pack

Yesterday, one of my friends received a legitimate-looking email claiming to be from the Internal Revenue Service, with the subject "Your Federal Tax Payment" and a link to a "tax report.pdf" file. He reported it to me and I got a chance to analyze it. Below are some of my findings from the analysis.

Spam Email sample

The link led to a page whose index.html contained the obfuscated JavaScript shown below.

Embedded JavaScript

Obfuscated JavaScript is fairly easy to decode once you understand the commonly used functions. Here is the decoded JavaScript from the HTML page.

Decoded JavaScript

A closer look at the decoded JavaScript revealed that a hidden iframe redirects the browser to http://busssinemaiformat.info/main.php?page=b230cb0b3aed0e3b [DEAD]
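As an added example (not the script from the spam page, and not the post's own code), here is a small Python decoder for two obfuscation building blocks that such pages commonly use, String.fromCharCode(...) arrays and \xNN escapes, followed by extraction of any iframe targets from the decoded result. The sample HTML, the example.invalid URLs and the page parameter are constructed for the demonstration; decoding statically instead of loading the page in a browser means the script is never executed.

```python
import re

# Constructed sample page (not the real index.html from the spam link): the
# first script builds an iframe tag from character codes, the second hides it
# behind \xNN escapes; both would pass the result to document.write/eval.
IFRAME = '<iframe src="http://example.invalid/main.php?page=0123" width=1 height=1></iframe>'
SAMPLE_HTML = (
    "<html><body><script>\n"
    "var p = String.fromCharCode(" + ",".join(str(ord(c)) for c in IFRAME) + ");\n"
    "document.write(p);\n"
    "</script>\n"
    r'<script>var q = "\x3c\x69\x66\x72\x61\x6d\x65 src=\"http://example.invalid/second.php\"\x3e\x3c/iframe\x3e";'
    'eval("document.write(q)");</script>\n'
    "</body></html>\n"
)

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=\\?[\"']([^\"'\\]+)", re.I)


def decode_fromcharcode(js):
    """Replace String.fromCharCode(n, n, ...) with the quoted literal it builds."""
    def repl(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, js)


def decode_escapes(js):
    """Resolve \\xNN and \\uNNNN escapes in place."""
    js = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def deobfuscate(js, max_rounds=5):
    """Run the static decoders until a pass changes nothing; layered
    obfuscation often hides one encoding inside another."""
    for _ in range(max_rounds):
        decoded = decode_escapes(decode_fromcharcode(js))
        if decoded == js:
            break
        js = decoded
    return js


def extract_iframe_urls(html_text):
    """Decode the page and return the distinct iframe targets it would load."""
    return sorted(set(IFRAME_SRC.findall(deobfuscate(html_text))))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_HTML))
    for url in extract_iframe_urls(SAMPLE_HTML):
        print("iframe ->", url)
```

Real kits add further layers (string splitting, arithmetic on character codes, custom decode loops), so the decoders above are a starting point rather than a complete tool; the round loop lets you add a decoder per layer and rerun until the output stabilises.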

That site hosted the Blackhole exploit pack, which fingerprints the visiting browser and its plugins for known vulnerabilities and, if one is found, serves a matching exploit from the kit.

My analysis machine had a vulnerable version of Java, so my browser was served the .jar file hxxp://busssinemaiformat.info/content/g43kb6j34kblq6jh34kb6j3kl4.jar [DEAD].

A quick lookup at malwaredomainlist.com confirmed this analysis.

MalwareDomainList

Analysis of Jar file:

JAR files are an archive format used to bundle many Java class files. Uncompressing this JAR extracted five class files:

11/17/2011  01:38 PM    <DIR>          .
11/17/2011  01:38 PM    <DIR>          ..
11/17/2011  01:04 PM               635 Option.class
11/18/2011  12:54 PM             4,681 Search.class
11/17/2011  01:08 PM               765 SP.class
11/18/2011  12:34 PM             1,508 ThreadParser.class
11/18/2011  12:36 PM             1,563 XSLT.class
5 File(s)          9,152 bytes
2 Dir(s)  18,838,183,936 bytes free
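To get the same inventory without a decompiler, the following added Python example (not from the post) opens a JAR with the standard zipfile module, checks each class file's 0xCAFEBABE header and the compiler version it records, hashes it, and pulls out printable strings, flagging ones such as ".exe" or "regsvr32" that hint at a dropper. The JAR it inspects is built in memory from constructed, minimal class files that have valid headers but no real bytecode; to inspect a real sample, pass the file's bytes to inspect_jar.

```python
import hashlib
import io
import re
import struct
import zipfile

# Class-file major version -> Java release (45 = JDK 1.1 ... 51 = Java 7).
JAVA_MAJOR = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7"}

# Strings that suggest the class drops or launches a native executable
# (the post's payload saves a <randomName>.exe and runs regsvr32.exe on it).
INDICATOR = re.compile(r"\.exe|regsvr32|Runtime|ProcessBuilder|URLConnection", re.I)
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def class_version(data):
    """Return (major, minor) from a class file header, or None when the
    0xCAFEBABE magic is missing."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return None
    minor, major = struct.unpack(">HH", data[4:8])
    return major, minor


def inspect_jar(jar_bytes):
    """Summarise every .class entry in a JAR supplied as bytes."""
    report = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            data = zf.read(info)
            ver = class_version(data)
            # Constant-pool UTF8 entries are stored as plain bytes, so a
            # printable-run scan recovers class names, URLs and commands.
            strings = [s.decode("ascii") for s in PRINTABLE.findall(data)]
            report.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "java_version": JAVA_MAJOR.get(ver[0], "unknown") if ver else "not a class file",
                "strings": strings,
                "indicators": [s for s in strings if INDICATOR.search(s)],
            })
    return report


def build_sample_jar():
    """Constructed sample JAR (not the malicious one from the post): each
    'class' has a valid header (magic, minor 0, major 49 = Java 5) followed
    by NUL-separated strings standing in for the constant pool."""
    def fake_class(strings):
        return struct.pack(">IHH", 0xCAFEBABE, 0, 49) + b"".join(
            b"\x00" + s.encode("ascii") for s in strings)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Option.class", fake_class(["java/lang/Object"]))
        zf.writestr("Search.class", fake_class(
            ["java/applet/Applet", "regsvr32.exe -s", "http://example.invalid/x.exe"]))
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_jar(build_sample_jar()):
        print(entry["name"], entry["size"], "bytes, compiled for Java",
              entry["java_version"], "indicators:", entry["indicators"])
```

The per-class SHA-256 is what you would submit to a scanner or compare against detection names like the ones listed later in the post, and the recorded class-file version tells you which JDK the author compiled against, which is often older than the JRE being targeted.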

I used "DJ decompiler" to decompile the class files. Here is how Search.java was decompiled:

Decompiled class file

Search.java attempts to exploit CVE-2010-0840, a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects Java 6 prior to Update 19 and Java 5 prior to Update 23.
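A defender's first question on reading this is whether a given machine falls inside the affected range. The added Python example below (not part of the post) parses the banner line of `java -version` and compares it against the two thresholds stated above; the banner strings are constructed samples, and check_local_java is a convenience wrapper that runs the real command when a java binary is on the PATH.

```python
import re
import subprocess

# Affected ranges as the post states them: Java 6 before Update 19 and
# Java 5 before Update 23. Families not listed here return None (not covered).
FIXED_IN_UPDATE = {5: 23, 6: 19}

# First line of `java -version`, e.g. 'java version "1.6.0_18"'.
BANNER = re.compile(r'^(?:java|openjdk) version "1\.(\d)\.\d+(?:_(\d+))?', re.M)


def parse_java_version(banner):
    """Return (family, update), e.g. (6, 18) for 1.6.0_18, or None."""
    m = BANNER.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable_cve_2010_0840(banner):
    """True if the version lies in an affected range, False if it is at or
    past the fixing update, None if unparseable or outside the listed families."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family not in FIXED_IN_UPDATE:
        return None
    return update < FIXED_IN_UPDATE[family]


def check_local_java():
    """Run the real `java -version` (it prints to stderr) and classify it;
    returns None when no java binary is available."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_vulnerable_cve_2010_0840(proc.stderr)


# Constructed banner samples for the demonstration.
SAMPLES = {
    "1.6.0_18": 'java version "1.6.0_18"\nJava(TM) SE Runtime Environment\n',
    "1.6.0_19": 'java version "1.6.0_19"\nJava(TM) SE Runtime Environment\n',
    "1.5.0_22": 'java version "1.5.0_22"\n',
    "1.5.0_23": 'java version "1.5.0_23"\n',
    "1.7.0_01": 'java version "1.7.0_01"\n',
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(label, "->", is_vulnerable_cve_2010_0840(banner))
    print("local java ->", check_local_java())
```

Note that a browser may be using a different JRE than the one first on the PATH (the plugin registers its own), so on a real machine check the version the browser plugin reports as well as the command-line one.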

Here is what the payload attempts:

  • Once the vulnerability is successfully exploited, the payload tries to download an executable from the periodically generated C2 domains and saves it as <randomName>.exe, e.g. aefsrdgt6u7.exe
  • Silently registers the executable by calling regsvr32.exe -s <downloadedFile.exe>

I did not get a chance to explore the payload further, as all the .jar files were detected by Microsoft as:

  • Exploit:Java/Blacole.BF
  • Exploit:Java/Blacole.BE
  • Exploit:Java/Blacole.BD

Conclusion:

To protect yourself from such attacks, keep your operating system up to date with all security patches, do not click on hyperlinks received from unknown sources, use the latest version of your browser, and install an anti-virus engine and update it regularly.

Reference:

  • http://urlquery.net/report.php?id=8936
This entry was posted on Sunday, November 20th, 2011 at 5:56 am and is filed under Malware analysis, Web Security.