Blackhole Exploit Kit Served With Google Images Links
Posted by admin on Saturday, June 25th, 2011
While searching for images on Google Images, we noticed a suspicious redirect to:
hxxp://epnfmackey. info/index.php?tp=81350e0ebb536599
The URL format (index.php?tp= followed by a 16-character hex value) matches the landing-page URLs used by the Blackhole Exploit Kit.
The malicious code can be found by analyzing the page source. The redirect to the exploit kit is triggered from this URL:
hxxp://www.buy-itraconazole. info/noob-tube&page=6
Analysis from NoVirusThanks Sandbox:
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 69.197.128.251 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - www.buy-itraconazole.info - /noob-tube&page=6
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\CA5W03HT.htm - 994C86779A58280B51A47C9C82A2BC59 - 3116 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /index.php?tp=81350e0ebb536599
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\noob-tube&page=6[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\index[1].htm - 08C705F161225EC75DF38A33DC50A692 - 46164 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /d.php?f=32&e=4
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - POST - activex.microsoft.com - /objects/ocget.dll
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\calc[1].exe
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe
Process Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - Unknown Publisher - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\calc[1].exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 25
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 8000
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp - Unknown Publisher - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_2.tmp
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_2.tmp - Unknown Publisher - F6EC42C9E943A89D15473416669BCCED - 133632 bytes
File Modified - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_1.tmp - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes - attr: [] - PE
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_2.tmp - F6EC42C9E943A89D15473416669BCCED - 133632 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\_1.tmp - TCP - 95.143.35.118 - 80
Web Request - %AppData%\IMPOST~1\Temp\_1.tmp - POST - 95.143.35.118 - /2/gate_goo.php
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_2.tmp - F6EC42C9E943A89D15473416669BCCED - 133632 bytes - attr: [-normal] - PE
File Created - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll - 25A0121173968364ACC7AC8005EDAEE0 - 113664 bytes - attr: [] - PE
The trace shows the full chain: Internet Explorer loads the buy-itraconazole.info page, is redirected to the epnfmackey.info landing page (index.php?tp=...), then requests /d.php?f=32&e=4 from the same host; the file that arrives is cached as calc[1].exe (MD5 EF3E6A8D8C192FBF565A6D0894BF9256), written to %UserProfile%\adobeupdate.exe and executed directly by iexplore.exe. The POST to activex.microsoft.com/objects/ocget.dll in between is Internet Explorer's own ActiveX component-download request, not part of the kit. adobeupdate.exe then connects to 77.79.11.74 on ports 25 and 8000, drops and runs _1.tmp and _2.tmp from the temp directory, _1.tmp posts to 95.143.35.118/2/gate_goo.php, and _2.tmp installs dimsntfy32.dll into C:\WINDOWS\system32.
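The trace above is easy to mine for indicators by hand once, but not across many sandbox runs. The following script is an added example, not code from the original post or from the NoVirusThanks sandbox: it parses an excerpt of the trace (the post's own lines, reproduced inline), pulls out contacted IPs and hosts, dropped-file hashes and the process creation chain, and flags web requests whose path matches the Blackhole landing-page format noted at the top of the post. The field separator (" - "), the function names and the "16 hex digits after tp=" heuristic are assumptions made for this example; a real deployment would widen the heuristic to whatever landing-page variants are current.

```python
import re
from collections import defaultdict

# Excerpt of the NoVirusThanks sandbox trace quoted in the post, one event per line.
SANDBOX_TRACE = r"""
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 69.197.128.251 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - www.buy-itraconazole.info - /noob-tube&page=6
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /index.php?tp=81350e0ebb536599
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\noob-tube&page=6[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /d.php?f=32&e=4
Process Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - Unknown Publisher - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 25
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp - Unknown Publisher - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes
Web Request - %AppData%\IMPOST~1\Temp\_1.tmp - POST - 95.143.35.118 - /2/gate_goo.php
File Created - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll - 25A0121173968364ACC7AC8005EDAEE0 - 113664 bytes - attr: [] - PE
"""

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
# Assumed heuristic for the landing-page format the post points at: index.php?tp=<16 hex digits>.
BLACKHOLE_LANDING_RE = re.compile(r"^/index\.php\?tp=[0-9a-f]{16}$")


def parse_event(line):
    """Split one trace line on the ' - ' separator into (event_type, remaining fields)."""
    parts = line.split(" - ")
    return parts[0], parts[1:]


def is_blackhole_landing(path):
    """True when a request path matches the assumed Blackhole landing-page pattern."""
    return bool(BLACKHOLE_LANDING_RE.match(path))


def extract_iocs(trace_lines):
    """Walk the trace once and collect network, file and process indicators."""
    iocs = {
        "ips": set(),                        # remote IPs from Connection Established
        "hosts": set(),                      # Host values from Web Request
        "hashes": {},                        # MD5 -> path, only when a real hash is present
        "process_chain": [],                 # (parent, child) in creation order
        "landing_hits": [],                  # (host, path) matching the landing heuristic
        "network_by_process": defaultdict(set),  # process -> {"ip:port", ...}
    }
    for line in trace_lines:
        line = line.strip()
        if not line:
            continue
        kind, f = parse_event(line)
        if kind == "Connection Established":
            proc, ip, port = f[0], f[2], f[3]
            iocs["ips"].add(ip)
            iocs["network_by_process"][proc].add(f"{ip}:{port}")
        elif kind == "Web Request":
            host, path = f[2], f[3]
            iocs["hosts"].add(host)
            if is_blackhole_landing(path):
                iocs["landing_hits"].append((host, path))
        elif kind == "Process Created":
            parent, child, md5 = f[0], f[1], f[3]
            iocs["process_chain"].append((parent, child))
            if MD5_RE.match(md5):
                iocs["hashes"][md5.upper()] = child
        elif kind == "File Created":
            path, md5 = f[1], f[2]
            # Zero-byte cache entries carry "NOTHING TO HASH" instead of an MD5; skip them.
            if MD5_RE.match(md5):
                iocs["hashes"][md5.upper()] = path
    return iocs


if __name__ == "__main__":
    result = extract_iocs(SANDBOX_TRACE.splitlines())
    print("Landing pages:", result["landing_hits"])
    print("Hosts:", sorted(result["hosts"]))
    print("IPs:", sorted(result["ips"]))
    for parent, child in result["process_chain"]:
        print(f"{parent} -> {child}")
    for md5, path in result["hashes"].items():
        print(md5, path)
```

Run it on the full trace (paste the remaining lines into the string) and the output is the block-list a responder would ship: two domains, four IPs, three dropped-file hashes and the iexplore.exe -> adobeupdate.exe -> _1.tmp/_2.tmp chain.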
At the time of writing, each of the two malicious domains was flagged by only one blacklist on URLVoid:
http://www.urlvoid.com/scan/epnfmackey.info
http://www.urlvoid.com/scan/buy-itraconazole.info
Be careful when searching for images on Google Images: an image result can lead to a page that silently redirects to an exploit kit.