
Blackhole 2: Ransomware Boogaloo–Coming This Fall



October was a crazy month, and not just because there’s a major update to the Blackhole exploit kit picking up steam. Solera’s been hitting the road, meeting with people around the country to show off some cool tech and insider views into the latest security threats. In the past month, we’ve also witnessed, and researched, such a profusion of incidents that it’s been hard to keep up with you here on the blog. I apologize for the relative quiet spell; expect more frequent posts.

As for Blackhole 2 (hey, I didn’t name it), the kit’s use in a campaign to spread keyloggers and ransomware kicked into high gear in the past few weeks. We’ve been getting links to Blackhole-hosting URLs by collecting and analyzing spam email disguised as corporate or social communications, or billing notices.

In a few of the cases, the visual quality of the spam was disconcertingly convincing. One can appreciate the craftsmanship, while damning the purpose. But as clever as the spammers are, they can’t hide the fact that hovering the mouse pointer over the links in the message reveals the real URL the message links to.

But even the most convincing-looking messages still suffer the same cognitive dissonance problem as their less well-dressed counterparts.

My favorite driveby spam of the month was the one that claimed to be a speeding ticket issued by the New-York Police Department – an imaginary construct not to be confused with the unhyphenated department of exactly the same name. Think about this for half a second and the entire premise falls apart.


Let’s put aside the statistical likelihood that a random spam recipient was in New York on the date shown on the ticket, let alone drove Manhattan’s impossibly crowded streets at speeds over 50 MPH. How would the DMV get your email address, and even if they could get it, why would they send the message via LinkedIn? Moreover, why wait 10 months to send a ticket, even if they sent tickets over email? Which they don’t! It makes no sense, like Facebook friend requests coming from the Better Business Bureau’s email address. What is this? I don’t even!

Links in these messages pointed, sometimes, to a page deliberately planted within a legitimate, otherwise unrelated Web site that had been previously compromised. This page serves only to redirect the visitor to yet another Web site, hosting the initial stage of the exploit kit.

It got to be so common to see attack domains under the Russian .ru TLD serving on port 8080 that I ended up making a DeepSee Favorite just to watch for HTTP traffic to URLs formatted that way. It remains surprisingly effective at uncovering instances of this one campaign.

In many of the Blackhole-driven infections at the beginning of the month, the payload of choice was either Cridex or Zbot. But in the past couple of weeks, the campaign has shifted gears, delivering ransomware that locks victims out of their computers unless they pony up a Green Dot MoneyPak card number worth $200.

Interestingly, the ransomware payload first needs to pull down the image that it displays full-screen, impeding your ability to use the computer. This means the criminals running the campaign can swap out the phony ransom demand screen any time, just by sending the img.php?gimmeImg command. They did so at least twice during the month.

In the earlier scam, the ransom demand comes, ostensibly, at the behest of “The Firewall of the United States.” The quasi-official-esque 1024×768 image warns of dire consequences for illegally downloading something something $200.

About a week later, the fraudsters switched it up to an FBI warning that reads like an alternate opening monologue to the TV show Person of Interest. “All activity of [sic] this computer has been recorded. If you use a webcam, videos and pictures were saved for identification,” the message ominously begins. “You can be clearly identified by resolving your IP address and the associated hostname,” Comrade Obvious continues. It’s the same old schtick.

The malware checks in periodically with its command-and-control server, and also phones home any time you enter a series of numbers into the ransomware payment form (shown above in the text= query string). I managed to accidentally crash the malware the first time I played around with entering numbers into the form. I’ve always said, malware guys do a terrible job at QA. But I wouldn’t count on that happening every time.

One of the ransomware C&C domains was hosted in Turkey. Another ransomware C&C domain was hosted not in India, as its TLD would suggest, but in Tehran.

The samples we saw used the same naming conventions in the URLs they sent back to the C&C server, so I came up with a few other quick favorites based on these characteristic behaviors.
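The DeepSee Favorites described above (watching for HTTP traffic to .ru hosts on port 8080, and for the ransomware’s characteristic C&C URLs) amount to a handful of URL-shape rules. The following is an added example, not Solera’s code or a DeepSee Favorite, showing how the same rules look as a small Python scanner run over proxy log lines. The log lines, hostnames and the `/landing.php` path are constructed for the example; the `img.php?gimmeImg` image fetch and the `text=` check-in parameter come from the post, while the assumption that a ransom code is a long all-digit string is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of proxy log lines (timestamp, client, method, URL, status).
# These are made up to exercise the rules; none of the hosts or paths are real.
SAMPLE_LOG = """\
2012-10-31T09:12:01Z 10.0.0.21 GET http://www.example.com/news/index.html 200
2012-10-31T09:12:03Z 10.0.0.21 GET http://blog.example.org/wp-content/uploads/r.html 200
2012-10-31T09:12:04Z 10.0.0.21 GET http://landing.example.ru:8080/landing.php 200
2012-10-31T09:13:10Z 10.0.0.21 GET http://cnc.example.in/img.php?gimmeImg 200
2012-10-31T09:15:42Z 10.0.0.21 GET http://cnc.example.in/check.php?text=12345678901234 200
2012-10-31T09:16:00Z 10.0.0.22 GET http://shop.example.ru/catalog?text=hello 200
"""

# Assumption: a submitted ransom (MoneyPak) code is a long run of digits only.
DIGITS = re.compile(r"^\d{10,}$")


def classify(url):
    """Return the list of campaign indicators that a single URL matches."""
    tags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query, keep_blank_values=True)

    # Blackhole 2 landing pages in this campaign: .ru host served over HTTP on port 8080.
    if parts.scheme == "http" and host.endswith(".ru") and parts.port == 8080:
        tags.append("blackhole2-landing")

    # Ransomware fetching its full-screen lock image with img.php?gimmeImg.
    if parts.path.endswith("/img.php") and "gimmeImg" in query:
        tags.append("ransom-image-fetch")

    # Victim-entered payment code being sent home in a text= parameter.
    for value in query.get("text", []):
        if DIGITS.match(value):
            tags.append("ransom-code-submit")
            break

    return tags


def scan_log(log_text):
    """Run classify() over each log line; return (client, url, tags) for hits only."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the scanner
        client, url = fields[1], fields[3]
        tags = classify(url)
        if tags:
            hits.append((client, url, tags))
    return hits


if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(client, ",".join(tags), url)
```

The port check is what keeps the first rule usable: plenty of legitimate .ru sites are visited on port 80, and the `shop.example.ru` line above is deliberately not flagged. Likewise the `text=` rule only fires on digit-only values, so ordinary search forms that happen to use a `text` parameter do not light up.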

Blackhole 2 is still new, and seems to be growing in popularity while it evolves. Take, for instance, these two snapshots of Blackhole 2 incidents, one earlier in the month, the other on Halloween.

In the earlier attack, the exploit kit loaded the same malicious Java applet nine times before it successfully retrieved an executable—even after a malicious PDF had already accomplished the same task. Total exploit time topped 36 seconds, an eternity in cybercrime-time.

In the later attack, it was all down to business and finished in six seconds, with no duplications, using a domain that was so fresh it still had that new-site smell.
