Tuesday, March 20, 2012

Greetings to sympt0m

My friend David Keaton, aka sympt0m, has created a blog. I'm excited to see what he has to say. I'm ready to absorb that reverse engineering knowledge you have, buddy. Let it fly!

Friday, March 16, 2012

Blackhole Exploit Kit (Part 1)

If you are involved in any type of incident response for your organization, you've most likely heard about the Blackhole Exploit Kit. This threat, seemingly of eastern European origin, has been making its rounds over the last year. Recently, I have been observing an increase in activity related to the Blackhole Exploit Kit. So far, the delivery methods that I have observed involve dropping a .jar file and .class files on the target system. Today, I observed something a bit different.

Take a look at the following analysis report from VirusTotal:

https://www.virustotal.com/file/19d0218d21f8f3d30bbf0dbd6a487d8ae4d86b696c678c33eb5b5042ef6f3e3e/analysis/

The file scores a 0/42. This is not the first time, nor will it be the last time, that this situation occurs. Perhaps this is the newest variant and I happened to catch it during an initial release. One thing that does concern me is that this threat appears to be different from the previous version I observed just a week ago. I'd be interested to hear observations from anyone else who is actively tracking this threat.

Emerging threats like these are the reason why human involvement is still key in incident response and the analysis of suspicious activity. The BHEK seems to be implementing a high degree of obfuscation in order to avoid signature-based detection. While this is neither surprising nor new, it does seem to show that these guys are more than one step ahead of the current defense systems we all employ. I am hoping to test out the dynamic aspects later today to see what is revealed.

More to come...