Blackhole Exploit Kit / SpyEye Rootkit | Joachim De Zutter
March 2012

sp30.jar was found in the JVM cache:

# strings /Users/Username/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/6db94b2e-2191dc6a.idx

"http://ganuba8.in/content/sp30.jar
178.162.181.85

HTTP/1.1 200 OK
content-length
9722
last-modified
Fri, 16 Mar 2012 18:29:50 GMT
content-type
application/java-archive
date
Sat, 17 Mar 2012 18:27:10 GMT
server
nginx
deploy-request-content-type
application/x-java-archive

ganuba8.in resolved to 178.162.181.85 (18/03/2012)

http://www.utrace.de/?query=178.162.181.85
Provider: Leaseweb Germany GmbH (previously netdirekt e. K.) (Germany)

ganuba1.in, ganuba2.in, ganuba3.in, ganuba4.in, ganuba5.in, ganuba6.in, ganuba7.in and ganuba9.in resolved to 178.162.181.85 (20/03/2012)

The following checksums were found for sp30.jar:

Filename: /Users/Username/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/6db94b2e-2191dc6a
Filesize: 9730
MD5: 89c07f20c6c10851540adda8a3606a7c
SHA1: 2e883d53cc5fc925385a223982468f9841b97144
SHA256: 5c15cece2e3f3b0745bd1b7b6f6f1175621085cbb8da80dbf338aad5f730f4bc

sp30.jar contains the following files:

# unzip -l sp30.jar
   Length     Date   Time    Name
 ---------    ----   ----    ----
     12059  03-15-12 13:07   a/Help.class
      2889  03-15-12 13:07   a/Test.class
         0  03-15-12 13:07   a/
 ---------                   -------
     14948                   3 files

Filename: Help.class
Filesize: 12059
MD5: 7952298a7108f7a467063c9231301756
SHA1: d55149d2a41fb8a51e3c5e6bb48fb0472347e304
SHA256: ca0de11fd0d79c1c32a892a9a8e601abba54eaa8e00f840d2d428aafa3a3b539

Filename: Test.class
Filesize: 2889
MD5: 64903f996d46f98b244cd4adcf19a482
SHA1: 81b51ed727a0b718478e107a7409e05b7298c226
SHA256: 836fc0b333ce7196040c1b05c7a0d5025ede05c64f79df89c5003b809b659303

"Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting." - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544

Qai.jar was found in the JVM cache:

# strings /Users/Username/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/56/5a128b38-37b6ba94.idx
!http://ganuba8.in/content/Qai.jar
178.162.181.85
<null>
HTTP/1.1 200 OK
content-length
18876
last-modified
Fri, 16 Mar 2012 09:13:54 GMT
content-type
application/java-archive
date
Sat, 17 Mar 2012 18:27:10 GMT
server
nginx
deploy-request-content-type
application/x-java-archive

The following checksums were found for Qai.jar:

Filename: /Users/Username/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/56/5a128b38-37b6ba94
Filesize: 18884
MD5: 2278a405cf83c0d4f7481382c5e133a9
SHA1: 11a0a105a77ef993ba1e97822adf3ef7fbd79404
SHA256: 754b195379fd6c04630e1cf802b2fb8d6b2691975274b2e1145c30cb542d2e03
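The sp30.jar and Qai.jar cache records above can be triaged the same way with a few lines of Python. This is an added example, not code from the original write-up: it applies the `strings` heuristic to an .idx record and reports the cached file's checksums in the same shape as the tables on this page. The only assumption about the .idx layout is what the strings output itself shows, plus the observation that the `"` and `!` printed in front of the two URLs are 0x22 = 34 and 0x21 = 33, exactly the lengths of those URLs, so they are the low byte of a length prefix; the sample bytes are constructed.

```python
import hashlib
import re

# Same default as `strings`: runs of at least four printable ASCII bytes.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def strings(data: bytes) -> list:
    """Printable ASCII runs in file order, as `strings` prints them."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]

def triage_idx(data: bytes) -> dict:
    """URL, server IP, status line and response headers from the printable
    strings of a .idx record. Assumed layout (from the write-up's strings
    output): the first string containing 'http' is the URL (a length byte may
    print in front of it), an IPv4 address follows, and after the 'HTTP/'
    status line header names and values alternate one string each."""
    out = {"url": None, "ip": None, "status": None, "headers": {}}
    strs = strings(data)
    start = next((i for i, s in enumerate(strs) if "http" in s), None)
    if start is None:
        return out
    out["url"] = strs[start][strs[start].index("http"):]
    for j in range(start + 1, len(strs)):
        if IPV4.match(strs[j]):
            out["ip"] = strs[j]
        elif strs[j].startswith("HTTP/"):
            out["status"] = strs[j]
            pairs = strs[j + 1:]
            # Caveat: a header value shorter than four bytes is dropped by the
            # strings filter and would shift every later name/value pair.
            out["headers"] = dict(zip(pairs[0::2], pairs[1::2]))
            break
    return out

def checksums(data: bytes) -> dict:
    """Size and MD5/SHA1/SHA256, the shape the write-up reports per file."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

# Constructed sample modelled on the sp30.jar record: every string carries a
# two-byte big-endian length prefix; 0x0022 = 34 is the `"` before the URL.
SAMPLE_IDX = (b"\x00\x01\x00\x00\x00\x00\x00\x00"
              + b"\x00\x22http://ganuba8.in/content/sp30.jar"
              + b"\x00\x0e178.162.181.85\x00\x00\x00\x0fHTTP/1.1 200 OK"
              + b"\x00\x0econtent-length\x00\x049722"
              + b"\x00\x0ccontent-type\x00\x18application/java-archive"
              + b"\x00\x06server\x00\x05nginx")
```

Run `triage_idx` over each `.idx` under the Deployment cache and `checksums` over the sibling file with the same name minus the extension (as the Filename lines above show) to reproduce the tables on this page for a whole cache at once.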

Qai.jar contains the following files:

# unzip -l Qai.jar
   Length     Date   Time    Name
 ---------    ----   ----    ----
      5370  03-16-12 12:38   s_a.class
      1261  03-16-12 12:38   ER.class
     10634  03-16-12 12:38   Inc.class
       739  03-16-12 12:38   s_d.class
      2678  03-16-12 12:38   lz.class
      8219  03-16-12 12:38   s_b.class
      1954  03-16-12 12:38   s_c.class
 ---------                   -------
     30855                   7 files

Filename: s_a.class
Filesize: 5370
MD5: 4ae648e32c34ca0c3803c6192a0f02cd
SHA1: 6d1cf2be1f36ed5e713b5833e8ab5ba25078d1fe
SHA256: d03cb27a1b8beeaa989f19b6c107d6516fca8edb80b2f6bbd59e14c3cc0a6522

Filename: ER.class
Filesize: 1261
MD5: ca7145642133ca668446acd0894d504e
SHA1: 987f94ebeb5a10b29bae40f83d3a5b9b5cbdf97e
SHA256: 6c50c27c7867a3e204de46d1eef4e73829d027a7ebaa9003967bf671e6c17385

Filename: Inc.class
Filesize: 10634
MD5: 59414268b2fd5a732dd31e6f56daea2e
SHA1: 62b517a8b07e52409505b9e5be59196d0e72eb12
SHA256: 7bd6ff3944dc497e77332dbc812ec5dceca06a7e7800bfff3ad489593405707a

Filename: s_d.class
Filesize: 739
MD5: 4748c630d718e04de3d067c0adb27e25
SHA1: 482a19ba89bdb170f3fc3ab2772dbd5aa32740da
SHA256: 233f561ff5272c16180d2083630858c828dcfc9554b732d4308e13b905df4cf7

Filename: lz.class
Filesize: 2678
MD5: 5d001bc96ce16935520c84a93e9e5598
SHA1: 4d081416db9e48091fae3c78a35e8605e574aa2f
SHA256: 5d37a4b3ba67233a4d94a13bcc3d46fd3376fcfc73dad7df011f6d24a38b4c21

Filename: s_b.class
Filesize: 8219
MD5: 6483a81809675c2ab3f8038c2f79de3c
SHA1: f62cabe9acca8a55a12c1542825a6f8762c9627c
SHA256: 7dfe2732932fc690cec6fa6c42b534c179b06d93d1a550c38ac51308df898a23

Filename: s_c.class
Filesize: 1954
MD5: 86d05808036d3e40a75d48a281a59252
SHA1: 941b236f7f751ab1121a636383301c94e1f7c2f2
SHA256: 851704738c3482d940433d857bf4118555295b520575c68ee8befdeae7607178

Snort emerging signatures:
http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15005

SophosLabs Technical Paper: Exploring the Blackhole Exploit Kit

AVG Threat Labs: Blackhole Exploit Kit

The installed JRE was Sun Oracle Java Version 6 Update 24 (build 1.6.0_24-b07).

The malware executable download URL was http://ganuba8.in/w.php?f=46bca&e=6 (down 11/05/2012). The recorded response:
178.162.181.85
<null>
HTTP/1.1 200 OK
content-length
162816
expires
Sat, 17 Mar 2012 18:08:46 GMT
content-type
application/x-msdownload
date
Sat, 17 Mar 2012 18:27:15 GMT
server
nginx
pragma
public
cache-control
private

The AVG resident shield identified 6270ED6603A5E1F as PSW.SpyEye.

The following files were found under %WINDIR%\Prefetch\:
-rwxrwxrwx 2 root root   10332 2012-03-17 18:11 77757551359.EXE-C29731DE.pf
-rwxrwxrwx 2 root root   15266 2012-03-17 18:11 CA0A4982D38.EXE-098E25F5.pf
-rwxrwxrwx 2 root root   28538 2012-03-17 18:10 CRASHREPORTER.EXE-918F1BCE.pf
-rwxrwxrwx 2 root root   19954 2012-03-17 18:10 0.7572960790685043.EXE-3DBDD161.pf
-rwxrwxrwx 2 root root   96648 2012-03-17 18:10 JAVAW.EXE-5E861B5A.pf
-rwxrwxrwx 2 root root   15158 2012-03-17 18:09 0.8381954061348671H7I.EXE-51509DA5.pf
-rwxrwxrwx 2 root root  130052 2012-03-17 18:09 JAVA.EXE-BE8A91FF.pf
-rwxrwxrwx 2 root root   16238 2012-03-17 18:09 JP2LAUNCHER.EXE-B5C8DF2E.pf

The prefetch file 0.8381954061348671H7I.EXE-51509DA5.pf indicated that %USERPROFILE%\AppData\Local\Temp\0.8381954061348671H7I.EXE had been executed, but that file could no longer be found on the filesystem. Likewise, the prefetch file 77757551359.EXE-C29731DE.pf indicated that %USERPROFILE%\AppData\Local\Temp\77757551359.EXE had been executed, but that file was gone as well.

The following files were found on the filesystem:

Filename: %USERPROFILE%\AppData\Local\Temp\0.7572960790685043.exe
Filesize: 162816
MD5: ba645abf76839818b380f5142ac6c2ab
SHA1: c1618ffd36f689883b79b37b8abd3cc39600ba2c
SHA256: e8e661b62136d5569cd04cdb22e85e763c037d60e936c17b225fccef63399e90

Filename: %SystemDrive%\sooi832.bin\CA0A4982D38.exe
Filesize: 162816
MD5: bf9be767d21898405628c8b0c59b8dae
SHA1: 4df08e047d9d4e267bda0d0a0243eaea5304088a
SHA256: 6a4dac0e19442e7a11bf39cdec7f0512aba8fe06ba69c6fff74717e0c57ad013

Filename: %SystemDrive%\sooi832.bin\6270ED6603A5E1F
Filesize: 888977
MD5: 1799e0797e4d575d4750bca70916d480
SHA1: aa0f2e142daa5f2c207ed7cd18424c4cde76b42a
SHA256: 2f33d5c0a060aa3cccd1a7c2714a4fd28ee422323ff3eac9dec79b5780e1b338

The following startup registry key was created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
UJ7J2I3X3GVE4BYWZNO = %SystemDrive%"\sooi832.bin\CA0A4982D38.exe /q"

Filenames: 278A408Fd01, 7970079Cd01, D350CB81d01, F3E5C21Bd01
Filesize: 389120
MD5: f9099fd427286c9273e82fbffc2de102
SHA1: 4df14ae717608d8c2dca106e0c715344ce864624
SHA256: c356e80b6e86f0215cfa20b27054d2f262935631cd4a853209a97fc66b175f3a

The executable with MD5 checksum ba645abf76839818b380f5142ac6c2ab performed a DNS query for bys1nessbank1ng.info.

The file 6270ED6603A5E1F was subsequently replaced:

Filename: %SystemDrive%\sooi832.bin\6270ED6603A5E1F
Filesize: 5315
MD5: 7f9a665ec1dbec7bd974ff537e4cb18c
SHA1: d56c208ec63b758b4883b1c378645277f5a4ebf3
SHA256: ec28a53affa2e18a0ad9a5414cda7b317a60f3ff01d5179b20a08b6d57da17fb

The rootkit behaviour can be observed by opening a command prompt and executing cd \sooi832.bin. Normally that command either changes into the directory (the prompt then shows \sooi832.bin) or fails with an error message; if it does neither, the rootkit is active.