To illustrate a post to come on Blackhole Transition here are some numbers for the /home/ aka q.php Blackhole aka Darkleech fuelled.
Note : Darkleech module filter user-agent. Infection tried only on IE (so Opera/Mozilla and others are researchers or honeyclient etcs). Then Blackhole also filter on IE (so 0 infections for others)
Note : Thread Name. Number of Loads. Browser Filter on blackhole side too. |
File : q.php = Pony - Thread mod1 Lock : a.php = Nymain.a - Thread adult (inactive since december) |
They were pushing Pony which was then (depending of your country) pushing Urausy or Nymaim.b (which itself was loading Zaccess or Nymaim.a Ransomware). Sébastien Duquette from Eset wrote a nice post about that.
Nymaim.A - Urausy Variant with B&W Zoo/CP images (Careful : this design has also been used by Bomba Locker) |
Nymaim.A -US Design |
2013-04-09 - 20:17 (RU Time) - 31081 infections in 20 hours
q.php Blackhole - 2013-04-09 - 20:17 RU Time Note the thread name : mod1 |
2013-04-09 - 21:07 (since monday (day before - 45 hours) numbers) |
2013-04-11 - 22:22 - 29398 infections in around 22 hours
q.php Blackhole - 2013-04-11 - 22:22 RU Time |
2013-04-12 - 20:29 - 26319 infections in 20.5 hours
q.php Blackhole - 2013-04-12 - 20:29 RU Time |
Note : Reveton group were doing as good as this (at least in oct/nov 2012) with Cool EK
Read more :
There are a huge number of posts about this group so i made a selection.
Dissecting FireEye's Career Web Site Compromise 2013-09-18 Dancho Danchev
The Home Campaign: overstaying its welcome 2013-07-02 Sébastien Duquette - Eset
The Evil Came Back: Darkleech's Apache Malware Module - 2013-03-24 -Hendrik Adrian - MalwareMustDie
1940 IPs for a BHEK/ULocker server - Nexcess-Net - 2012-09-14
Post Publication Reading :
Nymaim: Browsing for trouble - 2013-10-23 - Jean-Iain Boutin - Eset