I was recently having a conversation online in a forum about online reputation and about refuting false claims posted on customer complaint sites. In that conversation, the person had been falsely accused of bad business practices.

In the States, if you experience an injustice from a bad business dealing, you can complain and report that business to an organization named the Better Business Bureau (BBB). In this particular incident, the falsely accused party wasn't reported to the BBB, but a claim was posted to a site named "ripoffreport".

In a slight coincidence, and not long after the conversation, I noticed an email message in my inbox with the subject "Re: BBB Case # 77518746" and a spoofed sender email address impersonating the Better Business Bureau, complete with a copy of the official BBB logo, obviously from the BBB site. The email body contained a hyperlink, and an ominous claim about a "complaint from one of your associates":

BBB spam

I learned that the BBB is aware of the spam and has posted an alert on its site, which also offers the following suggestions:

To verify the legitimacy of BBB complaints, contact Better Business Bureau locally. Consumers or businesses who have received the fraudulent emails are asked to report them to http://bbb.org/scam/report-a-scam.

The hyperlink in the message labeled "click here" pointed to an HTML page "index.html" on a compromised domain. I retrieved the index HTML page and its content was very minimal, yet suspicious: it consisted of links to a JavaScript file named "ajaxam.js" (example SHA1: eba97868820c92a3fd8cd2d3671b530c6c434b7c) hosted on three other domains:

Malicious 'index.html' page

The domains referenced in the script appear to have been compromised for this attack. Two of the links for the "ajaxam.js" script were dead but a third was not. That .JS file contained a single-line document.location instruction that redirected the browser to a server-side PHP script (SHA1: ff27f95681c1dd19ad48e133107d532f6f6f8644) on yet another domain:

ajaxam.js script content

This request results in the delivery of an obfuscated script file that, when run, attempts to exploit CVE-2010-1885. This particular vulnerability is also known as the "Help Center URL Validation Vulnerability", mitigated by Microsoft Security Bulletin MS10-042. On a vulnerable computer, this script exploit would have dropped and executed malware detected as PWS:Win32/Zbot.gen!AF (SHA1: 291aa262ab0a41675b733d1cddfb5b4b).
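The redirection chain above (a near-empty landing page, the same script name pulled from several unrelated hosts, and a script whose only job is a document.location redirect to a PHP URL elsewhere) is a pattern that can be triaged statically, without executing anything. The following is an added example of such a triage script; it is not MMPC tooling and does not reproduce the real pages. The HTML and JavaScript samples, the hostnames and the thresholds are constructed for the example.

```python
"""Static triage of a landing page and the scripts it references.

Added example with constructed input: a minimal index.html that loads the
same script name from three made-up hosts, and a one-line script that
redirects to a PHP URL on a fourth made-up host. None of these hosts are
real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed landing page: no visible content, three copies of one script name.
SAMPLE_INDEX_HTML = """<html><head>
<script src="http://host-a.example/ajaxam.js"></script>
<script src="http://host-b.example/ajaxam.js"></script>
<script src="http://host-c.example/ajaxam.js"></script>
</head><body></body></html>"""

# Constructed one-line redirector standing in for the live script.
SAMPLE_AJAXAM_JS = 'document.location="http://host-d.example/in.php?a=1";'

# What a fetch of each script returned; None models a dead link.
SAMPLE_SCRIPTS = {
    "http://host-a.example/ajaxam.js": None,
    "http://host-b.example/ajaxam.js": None,
    "http://host-c.example/ajaxam.js": SAMPLE_AJAXAM_JS,
}


class _ScriptSrcParser(HTMLParser):
    """Collect external <script src=...> URLs and count visible text."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.visible_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.visible_chars += len(data.strip())


def extract_scripts(html):
    """Return (list of script src URLs, count of visible non-whitespace characters)."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.srcs, parser.visible_chars


# Assignment to document.location / window.location / location.href, or a
# location.replace("...") call, capturing the quoted target.
_REDIRECT_RE = re.compile(
    r"""(?:document|window|top|self)?\.?location(?:\.href)?\s*(?:=|\.replace\s*\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


def redirect_targets(js):
    """Return every URL a script assigns to the location."""
    return _REDIRECT_RE.findall(js)


def triage(page_url, html, fetched_scripts):
    """Build a findings report for a landing page and the scripts it loaded.

    fetched_scripts maps script URL -> body, or None when the fetch failed.
    """
    page_host = urlparse(page_url).netloc
    srcs, visible = extract_scripts(html)
    hosts = [urlparse(s).netloc for s in srcs]
    cross_hosts = sorted({h for h in hosts if h and h != page_host})
    names = {urlparse(s).path.rsplit("/", 1)[-1] for s in srcs}
    hops = [(src, target)
            for src in srcs if fetched_scripts.get(src)
            for target in redirect_targets(fetched_scripts[src])]

    findings = []
    if srcs and visible == 0:
        findings.append("page has no visible content but loads scripts")
    if len(names) == 1 and len(cross_hosts) >= 2:
        findings.append("same script name loaded from %d unrelated hosts" % len(cross_hosts))
    for src, target in hops:
        findings.append("%s redirects to %s" % (urlparse(src).netloc, target))

    return {
        "scripts": srcs,
        "cross_domain_hosts": cross_hosts,
        "redirects": hops,
        "findings": findings,
        # Two or more independent indicators: worth an analyst's attention.
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    report = triage("http://compromised.example/index.html", SAMPLE_INDEX_HTML, SAMPLE_SCRIPTS)
    for line in report["findings"]:
        print("-", line)
    print("suspicious:", report["suspicious"])
```

The script only inspects what it is handed; fetching the referenced scripts (and following the redirect to the PHP endpoint) is left to whatever sandboxed fetcher feeds `fetched_scripts`, so the analysis itself never executes attacker code.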

This scheme of redirection followed by an obfuscated script carrying this particular set of exploits is characteristic of the "Blackhole" exploit pack, aka Blacole.

Blackhole (image courtesy of MMPC)

This BBB spam run occurred at least twice in the month of December and employed the Blacole exploit pack. The Blacole exploit pack is developed and sold as a collection of attack code that uses various exploits. It is typically purchased by an attacker and installed on servers that have already been compromised through various other attack methods. Through successive iterations and development of the Blacole exploit pack, the malware attempts to exploit several of the following vulnerabilities in order to deliver and install malware on vulnerable computers:

  • CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
  • CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
  • CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
  • CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
  • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
  • CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
  • CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
  • CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
  • CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
  • CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Exploit
  • CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
  • CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier

Prevention

Protection against the Blacole exploit pack requires that your third-party applications, specifically multiple components of Oracle Java and Adobe applications, are updated to the latest available and secure versions. It is important that vulnerable versions are removed and not left installed for malware to abuse and exploit.
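The products in the list above (Java, Adobe Reader and Acrobat, Flash Player, plus the Windows component fixed by MS10-042) are exactly the ones an inventory audit should cover, and the point about not leaving old versions installed is what a version-by-version check catches that a "latest version present" check misses. The following is an added example of such an audit; it is not MMPC tooling. The inventory is constructed, and the baseline versions are placeholders chosen only to sit above the versions the post names (for example above Java 6 Update 27); replace them with the vendor's current fixed versions.

```python
"""Flag installed software below a patched baseline, including old copies
left beside a current one on the same host.

Added example with constructed data. BASELINE values are placeholders, not
vendor-verified fixed versions; maintain them from current advisories.
"""
import re

# Placeholder policy: lowest accepted version per supported branch of each product.
BASELINE = {
    "Oracle Java JRE": ["1.6.0_29", "1.7.0_1"],
    "Adobe Reader": ["9.4.6"],
    "Adobe Flash Player": ["10.3.183.11"],
}

# Constructed inventory, e.g. as exported from an endpoint management tool.
INVENTORY = [
    {"host": "ws01", "product": "Oracle Java JRE", "version": "1.6.0_29"},
    {"host": "ws01", "product": "Oracle Java JRE", "version": "1.6.0_20"},  # old copy left behind
    {"host": "ws01", "product": "Adobe Reader", "version": "9.4.6"},
    {"host": "ws02", "product": "Adobe Reader", "version": "8.1.1"},
    {"host": "ws02", "product": "Adobe Flash Player", "version": "10.3.183.11"},
    {"host": "ws03", "product": "Oracle Java JRE", "version": "1.7.0"},      # 7 with no update
    {"host": "ws04", "product": "Oracle Java JRE", "version": "7 Update 1"},
]


def parse_java_version(text):
    """Normalise Java's spellings (1.6.0_27, 6u27, 6 Update 27, 1.7.0) to (major, update)."""
    m = re.match(r"^1\.(\d+)\.\d+(?:_(\d+))?$", text)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0))
    m = re.match(r"^(\d+)\s*(?:u|Update)\s*(\d+)$", text, re.IGNORECASE)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    raise ValueError("unrecognised Java version: %r" % text)


def parse_version(product, text):
    """Return a comparable tuple for a product's version string."""
    if product == "Oracle Java JRE":
        return parse_java_version(text)
    return tuple(int(x) for x in re.findall(r"\d+", text))


def meets_baseline(product, version, baseline=BASELINE):
    """True if the version is at or above the baseline for its branch.

    A branch with its own baseline entry (same major) is compared to that entry;
    a branch without one passes only if it is newer than every listed entry.
    """
    parsed = parse_version(product, version)
    minimums = [parse_version(product, b) for b in baseline[product]]
    same_branch = [m for m in minimums if m[0] == parsed[0]]
    if same_branch:
        return parsed >= same_branch[0]
    return all(parsed > m for m in minimums)


def audit(inventory, baseline=BASELINE):
    """Return one finding per install that is below baseline.

    'stale_copy' marks an old version that sits beside a compliant one on the
    same host, i.e. a vulnerable install left behind after an upgrade;
    'outdated' marks a host with no compliant version of that product.
    """
    by_key = {}
    for item in inventory:
        by_key.setdefault((item["host"], item["product"]), []).append(item["version"])

    findings = []
    for (host, product), versions in sorted(by_key.items()):
        status = {v: meets_baseline(product, v, baseline) for v in versions}
        has_current = any(status.values())
        for version, ok in status.items():
            if not ok:
                findings.append({
                    "host": host, "product": product, "version": version,
                    "reason": "stale_copy" if has_current else "outdated",
                })
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print("%(host)s: %(product)s %(version)s is %(reason)s" % f)
```

Grouping by host and product is what makes the side-by-side case visible: ws01 is "up to date" by any check that only looks for the newest Java, yet still carries the 6u20 install that an exploit pack can target.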

For personal computers, there are security applications, such as the following, that offer vulnerability scanning and can assist in identifying vulnerable installations:

And as keeping software up-to-date applies for all systems, check out "MetaQuark AppFresh" to help identify software that needs updating on Mac operating systems.

It's worth mentioning again (and without fear of being redundant!): to reduce the risk from Blacole, replace insecure programs with secure versions. In conclusion, we remind you to follow best practices and to use security software to promote a healthy digital ecosystem.

--Patrick Nolan, MMPC