Author Topic: Symantec Warns: BlackHole toolkit is spreading like wildfire (Trojan.Carberp)  (Read 39915 times)


Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Symantec has cautioned about the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. In a release issued on Monday, Symantec said that at present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

Symantec recently reported the increasing utilization of sophisticated toolkits by criminals who would otherwise lack the technical expertise for cyber attacks, fueling a self-sustaining, profitable, and increasingly organized global economy.

Toolkits account for 61 per cent of all threat activity on malicious websites

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:




How BlackHole works:

  • When victims visit a clean site that has been injected with a malicious iFrame, they are redirected to the BlackHole exploit kit server. BlackHole obfuscates the exploits for popular vulnerabilities such as PDF, Java, HCP, MDAC, etc.

  • The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script, and then decodes it into a URL. This URL is then used to perform other malicious downloads.

  • The URL downloads Trojan.Carberp, which is a highly sophisticated Trojan that is being compared to ZeuS because of its ingenious techniques for avoiding detection.

  • The Trojan posts a unique ID to the command-and-control (C&C) server that will be used every time a transaction takes place between the Trojan and the C&C server. Next, the Trojan will post all of the running processes on the victim's computer to the C&C server.


The Trojan then downloads three modules:

    • stopav.plug – This module disables the antivirus installed on the victim's computer.

    • miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its competitor(s).

    • passw.plug – It will log every username/password combination that is typed, as well as any URLs visited.


The C&C server sends the “multidownload” command to the Trojan:

    • The first file downloaded is Trojan Hiloti (a.k.a. Trojan.Zefarch), which makes requests to a free file-hosting site.

    • The second file downloaded (2.exe) is FakeAV.


(ciol)


Got a problem, or just suspect that your PC is "infected" with MalWare (virus, trojan, worm, spyware...)?!

Ask for help here -> SCforum's "PC Help Center":
http://scforum.info/index.php/board,16.0.html
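The post above describes two stages of the infection chain that a defender can actually observe from the outside: the hidden iframe injected into a clean page, and the sequence of fetches (landing page, then a .jar, then an .exe from the same server) that a victim's browser makes once redirected. The following is an added example, not code from the Symantec/CIOL article or from the forum: a small stdlib-only Python detector for both. The HTML page, the hosts (legit.example, kit.example, other.example, cdn.example), the paths and the proxy log lines are all constructed here for illustration and are not BlackHole's real URL patterns.

```python
"""Detect two observable stages of the drive-by chain described above:
(1) a hidden iframe injected into an otherwise clean page, and
(2) a client fetching an HTML/PHP page, then a .jar, then an .exe from the
    same server within a short window (web-proxy log correlation).
All sample data below is constructed; hosts and paths are hypothetical.
"""
import re
from datetime import datetime, timedelta
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to hide an injected frame from the viewer.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag as a dict."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def find_injected_iframes(html, page_url):
    """Return src URLs of iframes that are hidden AND point off the page's host."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # same-origin frames are normal page structure
        size_hidden = _tiny(attrs.get("width")) and _tiny(attrs.get("height"))
        style_hidden = HIDDEN_STYLE.search(attrs.get("style", "")) is not None
        if size_hidden or style_hidden:
            hits.append(src)
    return hits


# Constructed proxy log format: "<date> <time> <client-ip> <status> <url>"
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\d{3}) (\S+)$")


def find_download_chains(log_lines, window_seconds=60):
    """Return (client, host, landing_time, exe_time) for each client that fetched a
    landing page, then a .jar, then an .exe from one host, each within the window."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        parsed = urlparse(m.group(4))
        events.append((ts, m.group(2), parsed.hostname, parsed.path.lower()))
    events.sort()

    window = timedelta(seconds=window_seconds)
    state = {}  # (client, host) -> {"html": ts or None, "jar": ts or None}
    chains = []
    for ts, client, host, path in events:
        s = state.setdefault((client, host), {"html": None, "jar": None})
        name = path.rsplit("/", 1)[-1]
        if path.endswith((".php", ".html", ".htm")) or "." not in name:
            s["html"] = ts  # landing page (or a script the kit calls back to)
        elif path.endswith(".jar") and s["html"] and ts - s["html"] <= window:
            s["jar"] = ts   # the malicious jar fetched right after the landing page
        elif path.endswith(".exe") and s["jar"] and ts - s["jar"] <= window:
            chains.append((client, host, s["html"], ts))  # payload download
            s["html"] = s["jar"] = None
    return chains


SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://kit.example/landing.php?id=7" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://legit.example/widget.html" width="300" height="200"></iframe>
<iframe src="http://other.example/ad.html" style="position:absolute;left:-5000px;width:1px;"></iframe>
</body></html>"""

SAMPLE_LOG = """\
2011-04-18 10:00:01 10.0.0.5 200 http://legit.example/index.html
2011-04-18 10:00:02 10.0.0.5 200 http://kit.example/landing.php?id=7
2011-04-18 10:00:04 10.0.0.5 200 http://kit.example/content/field.jar
2011-04-18 10:00:09 10.0.0.5 200 http://kit.example/w.php?f=12&e=2
2011-04-18 10:00:15 10.0.0.5 200 http://kit.example/2.exe
2011-04-18 10:05:00 10.0.0.9 200 http://cdn.example/lib.jar
2011-04-18 10:30:00 10.0.0.9 200 http://cdn.example/setup.exe
"""

if __name__ == "__main__":
    print("hidden off-site iframes:", find_injected_iframes(SAMPLE_HTML, "http://legit.example/index.html"))
    print("landing->jar->exe chains:", find_download_chains(SAMPLE_LOG.splitlines()))
```

The iframe check deliberately requires both conditions (hidden and off-host), because a visible third-party frame is an ad or widget and a hidden same-host frame is usually the site's own tracking; the log correlation is keyed per client and per server, so the second client's unrelated .jar and .exe fetches half an hour apart do not produce a hit.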





haz

  • SCF Advanced Member
  • ***
  • Posts: 117
  • KARMA: 26
  • Gender: Male
Wow! That is serious stuff!
But I think that if your systems are up-to-date, you won't have these "popular vulnerabilities", right?
Thanks for the news :)

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
But I think that if your systems are up-to-date, you won't have these "popular vulnerabilities", right?

In my opinion, it depends on the Anti-Virus labs... how quickly they will react to new variants of this tool... for example the Conficker worm: variants A, B, C...




madchip

  • SCF Member
  • **
  • Posts: 35
  • KARMA: 7
 ;D Usually, if you have your system up to date and a good antivirus (up to date too  ;)) and know what you are doing with your PC, you are protected.

But if you click on every message that appears on screen (for example: "Your PC is vulnerable, you must click to resolve this" or "Your PC is infected with a virus, download XXXX to eliminate it") ::) we know the rest  :D :D :D


