Following WordPress into a Blackhole
When we looked into the recent wave of WordPress site hacks, our investigation took two separate paths: uncovering the TimThumb vulnerability and the Black Hole Toolkit used to exploit it.
Now it is time to talk more in detail about what the Blackhole Toolkit is.
For starters, the Blackhole exploit kit is used to spreading malicious software to users through hacked legitimate sites. It was most likely made by Russia developers. The big clue for this is that operators can switch between Russia and English languages. The full version of this toolkit costs around $1500 on the black market. However, bargain hunters can find a stripped down version for the free online.
But, much more important than acquiring Blackhole is finding out how to get rid of it. More precisely, simply finding out if you have been infected. So, how can website owner recognize that his page was infected and has been blocked by an antivirus program because it is being misused as a redirector to site with Blackhole exploit kit? And how do they compromise your site?
The bad guys are using a security vulnerability in non-updated TimThumb. This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files. But this is not the only way for example they use stolen passwords to direct FTP changes.
In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
These files contain code that looks really suspicious.
In bottom part of code, there is a request to http://18.104.22.168/url.php where only one line of code is stored: assa =’Domain with Black Hole exploit kit’;
In function Make, you can find the first iframe to a legitimate site.
element.src = “hXXp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js”;
This iframe will be replaced by a malicious iframe in next step.
When a computer user moves his mouse, this starts ‘Function MakeFrame’ where a malicious iframe is built from variable assa: ‘http://Domain with Black Hole exploit kit’.
This iframe is served to the user and the user is subsequently redirected to a new site where the Black Hole exploit kit is located.
Now, a really good question is what will happen to next to the user. The unsuspecting user will download a JAR (Java Archive) file and one of the classes within this JAR file will decode its parameters into a text URL. This URL will be concatenated (two character strings joined end-to-end) with an HTTP GET parameter to download other malicious files to user’s PC.