Blackhole Exploit Kit Served With Google Images Links

Posted by on Saturday, June 25th, 2011  |  28,538 views

While searching images on Google Images, we noted a suspicious redirect:

hxxp://epnfmackey. info/index.php?tp=81350e0ebb536599

It looks like the Blackhole Exploit Kit URL format!

Malicious code can be found by analyzing the page source:

Image

The main redirect was created by this malicious URL:

hxxp://www.buy-itraconazole. info/noob-tube&page=6

Analysis from NoVirusThanks Sandbox:

Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 69.197.128.251 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - www.buy-itraconazole.info - /noob-tube&page=6
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\CA5W03HT.htm - 994C86779A58280B51A47C9C82A2BC59 - 3116 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /index.php?tp=81350e0ebb536599
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\noob-tube&page=6[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\index[1].htm - 08C705F161225EC75DF38A33DC50A692 - 46164 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /d.php?f=32&e=4
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - POST - activex.microsoft.com - /objects/ocget.dll
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\calc[1].exe
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe
Process Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - Unknown Publisher - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\calc[1].exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 25
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 8000
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp - Unknown Publisher - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_2.tmp
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_2.tmp - Unknown Publisher - F6EC42C9E943A89D15473416669BCCED - 133632 bytes
File Modified - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_1.tmp - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes - attr: [] - PE
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_2.tmp - F6EC42C9E943A89D15473416669BCCED - 133632 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\_1.tmp - TCP - 95.143.35.118 - 80
Web Request - %AppData%\IMPOST~1\Temp\_1.tmp - POST - 95.143.35.118 - /2/gate_goo.php
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_2.tmp - F6EC42C9E943A89D15473416669BCCED - 133632 bytes - attr: [-normal] - PE
File Created - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll - 25A0121173968364ACC7AC8005EDAEE0 - 113664 bytes - attr: [] - PE

Both malicious domains are detected by only 1 blacklist:

http://www.urlvoid.com/scan/epnfmackey.info
http://www.urlvoid.com/scan/buy-itraconazole.info

Pay attention when searching for images in Google Images!

Posted by on Saturday, June 25th, 2011 at 11:33 am and filed under Security News with tags , , , , . You can skip to the end and leave a response. Pinging is currently not allowed.

Random Posts

Previous Posts