Exploit:JS/Blacole.O is a JavaScript component of the exploit kit distributed as the "Blackhole kit". It is used to run exploit code in a range of web browsers.
Installation
Exploit:JS/Blacole.O uses exploit code for known software vulnerabilities in the Java platform, Adobe Flash and Adobe Reader.
It uses exploit code for the following vulnerabilities to download malicious files to the infected computer:
Upon accessing a webpage infected with Exploit:JS/Blacole.O, the following may be displayed:
Payload
Exploits vulnerabilities to download arbitrary files
Exploit:JS/Blacole.O exploits a known vulnerability in the Java Deployment Toolkit (explained in CVE-2010-0886).
It attempts to load arbitrary Java code from a remote location, running with the current user's privileges, in order to download and execute a binary file from a specified URL.
In the wild, we have observed the exploit accessing the following remote location:
- 129.121.64.53 /Home/w.php?f=16&e=3
The downloaded file is saved in the following directory as:
Note: At the time of writing, the URL specified was no longer active.
Exploit:JS/Blacole.O also exploits a known vulnerability in Microsoft Help Center described in MS10-042 and CVE-2010-1885. Successful exploitation leads to the download and execution of files from a specified URL.
In the wild, we have observed the exploit accessing the following remote location:
- 129.121.64.53 /Home/w.php?f=16&e=3
The downloaded file is saved in the following directory as:
Note: At the time of writing, the URL specified was no longer active.
Exploit:JS/Blacole.O also checks the installed versions of the web browser, Adobe Reader and Adobe Flash on the affected computer.
It then loads a file from a specified URL; depending on the detected software versions, these files may be malicious. To do this, it exploits the following vulnerabilities:
The files containing the exploit code are loaded from the following locations:
- ./content/1ddfp.php?f=16
- ./content/2ddfp.php?f=16
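As an added example, not part of the original analysis, the following scanner flags page scripts that combine the behaviours described above (plug-in version probing, the ddfp.php exploit loaders, the observed payload URL and the Help Center protocol handler from MS10-042). The regular expressions, the constructed sample scripts and the two-indicator threshold are assumptions of this example.

```python
import re
from typing import List

# Indicator patterns derived from the behaviour described in the analysis.
# The regexes and the threshold below are this example's own assumptions.
INDICATORS = {
    # probing browser plug-in versions (Flash, Reader) before choosing an exploit
    "plugin_version_probe": re.compile(r"navigator\.plugins|ShockwaveFlash|AcroPDF", re.I),
    # exploit-file loaders observed on the landing page
    "ddfp_loader": re.compile(r"\./content/\d+ddfp\.php\?f=\d+", re.I),
    # payload download location observed in the wild
    "payload_url": re.compile(r"129\.121\.64\.53\s*/Home/w\.php\?f=\d+&e=\d+"),
    # Help and Support Center protocol handler (MS10-042 / CVE-2010-1885)
    "hcp_handler": re.compile(r"hcp://", re.I),
}


def blacole_indicators(script: str) -> List[str]:
    """Return the sorted names of all indicators found in a script body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def is_suspicious(script: str, threshold: int = 2) -> bool:
    """Flag a script only when at least `threshold` distinct indicators co-occur,
    so a lone plug-in check on a legitimate page does not trigger on its own."""
    return len(blacole_indicators(script)) >= threshold


# Constructed sample scripts (not captured from a real page).
SAMPLE_LANDING = r"""
var pdf = 0; try { pdf = new ActiveXObject("AcroPDF.PDF"); } catch (e) {}
for (var i = 0; i < navigator.plugins.length; i++) {
  if (navigator.plugins[i].name.indexOf("Shockwave Flash") != -1) { flash = 1; }
}
document.write('<iframe src="./content/1ddfp.php?f=16"></iframe>');
"""
SAMPLE_BENIGN = r"""
function loadApp() { var s = document.createElement('script');
  s.src = '/static/app.js'; document.head.appendChild(s); }
"""

if __name__ == "__main__":
    for label, body in (("landing", SAMPLE_LANDING), ("benign", SAMPLE_BENIGN)):
        print(label, blacole_indicators(body), is_suspicious(body))
```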
Downloads other malware
Exploit:JS/Blacole.O attempts to load a file from a certain URL, which is commonly within a malicious Java applet:
where <domain> is the domain name where Exploit:JS/Blacole.O is located.
Analysis by Zarestel Ferrer