Exploit:JS/Blacole.J is a JavaScript component of an exploit kit distributed as "Blackhole kit". It is used to execute exploit code in different Internet browsers.
Installation
Exploit:JS/Blacole.J uses exploit code for known vulnerabilities in the Java platform, Adobe Flash and Adobe Reader.
It uses the exploit code for the following vulnerabilities to download malicious files to the infected computer:
Upon accessing a webpage infected with Exploit:JS/Blacole.J, the following may be displayed:
Payload
Exploits vulnerabilities to download arbitrary files
Exploit:JS/Blacole.J exploits a known vulnerability in the Java Deployment Toolkit (explained in CVE-2010-0886).
It attempts to load arbitrary Java code with the current user's privileges from a remote location to download and execute a binary file from a specified URL.
In the wild, we have observed the exploit accessing the following remote location:
- qerfyhufghasdfvyugeqrtrgpoi.ce.ms / i.php?f=16&e=3
The downloaded file is saved in the following directory as:
Note: At the time of writing, the URL specified was no longer active.
By exploiting the vulnerability outlined in CVE-2011-2110, the malware attempts to load a specially crafted SWF file onto the system in order to download potentially malicious files to the infected computer.
In the wild, we have observed the exploit accessing the following remote location:
- qerfyhufghasdfvyugeqrtrgpoi.ce.ms /i.php?f=16&e=8
The downloaded file is saved in the following directory as:
Note: At the time of writing, the URL specified was no longer active.
Exploit:JS/Blacole.J also checks the installed versions of the Internet browser, Adobe Reader and Adobe Flash on the affected computer.
It then loads a file from a URL chosen according to the detected software versions; these files may be malicious.
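The two remote locations observed above differ only in the "e" parameter of the i.php request (e=3 for the Java Deployment Toolkit exploit, e=8 for the Flash SWF exploit), which is the version-dependent selection just described. The following Python script is an added example, not part of this entry, showing how a defender could scan proxy logs for those indicators: it flags requests to the observed host outright, and flags the i.php?f=..&e=.. request shape on any other host under the assumption (not stated in the entry) that other instances of the kit share it. The log format and all sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Remote location observed in the wild for Exploit:JS/Blacole.J (taken from the
# entry above, with the defanging space before "/i.php" removed).
OBSERVED_HOST = "qerfyhufghasdfvyugeqrtrgpoi.ce.ms"

# Which exploit each observed "e" value selected, per the entry above.
E_PARAM_MEANING = {
    "3": "Java Deployment Toolkit (CVE-2010-0886)",
    "8": "Adobe Flash SWF (CVE-2011-2110)",
}

# Constructed proxy log lines in an assumed "<client-ip> <method> <url>" format.
# Only the first two URLs are from the entry; the rest are made up for the example.
SAMPLE_LOG = """\
10.0.0.15 GET http://qerfyhufghasdfvyugeqrtrgpoi.ce.ms/i.php?f=16&e=3
10.0.0.15 GET http://qerfyhufghasdfvyugeqrtrgpoi.ce.ms/i.php?f=16&e=8
10.0.0.22 GET http://www.example.com/index.php?f=16&e=3
10.0.0.23 GET http://cdn.example.net/i.php?page=home
10.0.0.30 GET http://placeholder-host.example/i.php?f=21&e=8
"""

LOG_LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def classify_url(url):
    """Classify one URL against the Blacole.J indicators.

    Returns "observed_host" when the host is the one seen in the wild,
    "landing_pattern" when only the i.php?f=..&e=.. request shape matches
    (an assumption that other kit instances share it), or None otherwise.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.hostname == OBSERVED_HOST:
        return "observed_host"
    if parts.path.endswith("/i.php") and "f" in query and "e" in query:
        return "landing_pattern"
    return None


def scan_log(text):
    """Return one finding per matching log line: (client, reason, exploit description)."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        reason = classify_url(m.group("url"))
        if reason is None:
            continue
        # Map the "e" value back to the exploit it selected, where the entry tells us.
        e_value = parse_qs(urlsplit(m.group("url")).query).get("e", [""])[0]
        exploit = E_PARAM_MEANING.get(e_value, "unknown e=" + e_value)
        findings.append((m.group("client"), reason, exploit))
    return findings


if __name__ == "__main__":
    for client, reason, exploit in scan_log(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{exploit}")
```

Run against the constructed log, the script reports the two observed requests from 10.0.0.15 as hits on the known host and the request from 10.0.0.30 as a pattern-only match worth a closer look; the index.php request with the same parameters and the i.php request without f/e are left alone, which keeps the host-independent rule from flooding an analyst with unrelated PHP traffic.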
Downloads other malware
Exploit:JS/Blacole.J attempts to load a file from a certain URL, which is commonly within a malicious Java applet:
where <domain> is the domain name where Exploit:JS/Blacole.J is located.
Analysis by Zarestel Ferrer