20 February 2012
Report the Blackhole Infection on a Computer
A sends:
"I've read that you've recently been infected with the Blackhole Toolkit. I do not know what this means other than I have recently visited your site within that time frame (Feb. 8 - Feb. 12) with no "protection". Am I infected? What are the signs if I'm infected? Does visiting your site in that time period and your viewing it in IE7 mean you are now infected?"
The Blackhole Exploit infection derived from Cryptome has been confirmed only by the initial report to Cryptome from a reader whose Norton security program reported the Blackhole Exploit program on a particular file.
Since that initial report there have been no reports to Cryptome, nor elsewhere as far as we know, that a computer has been infected by the Blackhole Exploit derived from a Cryptome file.
However, based on comments to Cryptome from security experts:
If an HTML file on Cryptome other than the home page (which is updated frequently) was accessed during the period, the file most likely contained the Blackhole Exploit script at the end of the underlying HTML code:
<SCRIPT src="/0002/afg/afg.php"></SCRIPT>
If the file was accessed with Microsoft Internet Explorer version 6.0, 7.0 or 8.0, the script archived the browser's origin IP address to a sub-directory for covert retrieval by the attacker, and was likely used to infect those computers.
If you retained a Cryptome file from that period, examine the underlying code of the file for the script line at the end of the code. (An HTML file can be opened with a text editor if you do not have an HTML editor.)
If the script line is present in the underlying code, your computer may have been infected with the Blackhole Exploit program, although this is not confirmed.
To check on Blackhole Exploit infection:
1. Run a good security protection program on your computer.
2. If the downloaded Cryptome file was retained, scan the file with the security protection program.
3. Open the file in an IE 6, 7 or 8 browser to see if an infection is reported.
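The check described above (look through the underlying HTML of any retained Cryptome file for the injected script line) can be done over a whole folder of saved pages at once. The following script is an added example written for this page; it is not code from Cryptome or from the original notice. It matches only the script tag quoted in the notice, /0002/afg/afg.php, tolerating differences in letter case, quoting and spacing; the two sample pages it scans are constructed here for illustration, and the scan_html and scan_directory function names are the example's own.

```python
import re
from pathlib import Path

# The injected script line quoted in the notice. Nothing else is matched.
INJECTED_SRC = "/0002/afg/afg.php"

# Case-insensitive match for a <script ...> opening tag whose src is the
# injected path, allowing single, double or no quotes and extra whitespace.
INJECTED_TAG_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?" + re.escape(INJECTED_SRC) + r"['\"]?[^>]*>",
    re.IGNORECASE,
)

# Constructed sample pages (not real Cryptome files). The second one carries
# the script line after the closing </html>, i.e. "at the end of the code".
CLEAN_SAMPLE = """<html>
<head><title>Constructed sample page</title></head>
<body>
<p>Document text.</p>
</body>
</html>"""

INJECTED_SAMPLE = CLEAN_SAMPLE + '\n<SCRIPT src="/0002/afg/afg.php"></SCRIPT>'


def scan_html(html: str) -> dict:
    """Scan one HTML document for the injected script line.

    Returns the 1-based line numbers of every match, the total line count
    (so a reader can see whether the match is at the end) and a boolean
    summary; line-by-line so the result points straight at the evidence.
    """
    lines = html.splitlines()
    hits = [n for n, line in enumerate(lines, start=1) if INJECTED_TAG_RE.search(line)]
    return {"injected": bool(hits), "hits": hits, "line_count": len(lines)}


def scan_directory(root: str) -> dict:
    """Walk a folder of saved pages and report only files that carry the tag.

    Files are read as UTF-8 with replacement so a stray byte cannot stop the
    sweep; unreadable files are skipped rather than reported as clean.
    """
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in {".htm", ".html"}:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_html(text)["hits"]
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for filename, lines_hit in scan_directory(target).items():
        print(f"{filename}: injected script line on line(s) {lines_hit}")
```

Run it as `python scan_blackhole_tag.py /path/to/saved/pages`; a file is listed only when the tag is found, with the line numbers where it sits. A hit means the retained copy carries the injected line and the file should be scanned with a security program as the notice advises; it does not by itself show that the computer was infected.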
If the Blackhole Exploit is reported to be on your computer or in the file
please let us know, with a screenshot of the report if possible:
cryptome[at]earthlink.net