BlackHole v2.0 exploit kit - How to detect on a Windows PC?

Discussion in 'malware problems & news' started by solphusion, Dec 15, 2012.

Thread Status:
Not open for further replies.
  1. solphusion

    solphusion Registered Member

    Joined:
    May 6, 2011
    Posts:
    23
    I'm security aware, but a bit lazy. Let's just keep it at that: not all my software, like Windows, is up to date, because my disk space (my small SSD) is always full. That is my main security risk.

    Part I

    Now I visited a website which was safe (I visited it a while ago already). Here is a story about it: The links I post here are safe, but one of the links in these news articles is not (anymore). So please DON'T CLICK on any links leading to the "wall-ye" robot homepage in these news articles.

    http://spectrum.ieee.org/automaton/robotics/industrial-robots/wallye-robot-
    http://www.nbcnews.com/technology/futureoftech/wall-ye-robot-does-grunt-work-vineyards-6150501
    http://gizmodo.com/5946841/this-little-robot-will-help-make-the-wine-you-swill

    These news articles are about a cool innovation, a robot capable of pruning vines. Well, I had this in my bookmarks and just visited the homepage of the robot again. BAM! :oops:

    The Chrome browser (I was not running the official Google Chrome browser, but an old version of SRWare Iron) showed me that the Java plugin had just crashed while opening the website. Yes, the lovely exploit heaven Java. That was very suspicious, because the entire homepage looked totally broken now compared to the last time I visited it some weeks ago.

    So I tried to find out if this website I visited that crashed my plugin contains malware. I found a good overview with links to tools here:

    http://scanurl.net/?u=scanurl.net#about

    Here are the first results I got while scanning that URL. First up, my learning: I can only recommend tools that offer a real-time scan of a URL. All the "Lookup websites" like AVG LinkScanner and McAfee SiteAdvisor showed no risk! Even VirusTotal found nothing the first time I tested the URL.

    Only the real-time scans found the malware, like Comodo, urlQuery and Zscaler. The most detailed analysis was offered by urlQuery.

    - VirusTotal - 0 results = safe
    https://www.virustotal.com/#url

    - AVG LinkScanner - results = safe
    https://www.avg.com.au/resources/web-page-scanner/

    - F-Secure Browsing Protection - results = safe
    http://browsingprotection.f-secure.com

    - DrWeb online check - results = clean
    http://online.us.drweb.com/?url=1

    - BrightCloud by webroot - results = Trustworthy
    www.brightcloud.com/support/lookup.php

    - Browser Defender by PC Tools - results = safe
    http://www.browserdefender.com

    - NoVirusThanks URLvoid - results = clean
    http://vscan.novirusthanks.org

    - Quttera Web Investigation System - results = suspicious
    http://quttera.com/

    - Comodo Site Inspector - result = high risk page [1]
    http://siteinspector.comodo.com

    - SecureBrain, Check with Gred - result = Warning! Danger! This site is not safe.
    http://check.gred.jp/

    - Zscaler Zulu URL Risk Analyzer - result = 100/100 malicious [2]
    http://zulu.zscaler.com

    - urlQuery - result = Malicious [3]
    - Sucuri SiteCheck - result = Site infected with malware [4]


    So there I had it. My fears that the crash of my Java browser plugin was caused by malware were very real. Not just any malware: according to urlQuery it is BlackHole v2.0 on this website, which high-profile news websites link to.

    Part II

    My problem: my anti-virus did not detect anything at all. I'm running Microsoft Security Essentials, plus PrevX. So I started with on-demand scans with a lot of different AV tools. Of course I updated every tool before scanning with it on my PC, and I used the full scan option for each scanner:

    1. Microsoft Security Essentials - 0 found

    2. Malwarebytes Anti-Malware (MBAM) - 0 found

    3. Hitman Pro - 0 found

    4. PrevX - 0 found

    None of my scanners found anything on my PC. So I searched for more AV on-demand tools. There is a good list of AV on-demand tools here on wilderssecurity (https://www.wilderssecurity.com/showthread.php?t=335536).

    5. Panda ActiveScan - 0 found

    6. Avira DE-Cleaner - 3 found (and deleted)
    in \AppData\LocalLow\Sun\Java\Deployment\cache\

    7. Emsisoft Emergency Kit (EEK) - 1 found (and deleted)
    in \AppData\LocalLow\Sun\Java\Deployment\cache\


    Now I'm going to scan my PC with more on-demand tools, like ESET Online Scanner, F-Secure Easy Clean, Sophos Virus Removal Tool, Comodo Cloud Scanner and more. Is there anything you can especially recommend to me to detect malware that could have been brought by the BlackHole v2.0 exploit kit to my PC?


    ------------ Sources: Reports about the malicious website
    [1] Comodo results are here:
    http://siteinspector.comodo.com/public/reports/show_log?id=7874972&type=malicious
    [2] Zscaler Zulu results are here:
    http://zulu.zscaler.com/submission/show/0a39cf9e8e76d49ee0c52b4a22c9a52a-1355526614
    [3] urlQuery results are here:
    http://urlquery.net/report.php?id=411311
    [4] Sucuri SiteCheck results are here:
    http://labs.sucuri.net/db/malware/malware-entry-mwblk2
    http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v48
     
    Last edited: Dec 18, 2012
  2. An antivirus live CD, such as Avira Rescue System, might detect stuff that an AV on the host operating system doesn't (if there's a rootkit involved).

    However, reinstalling and restoring from backups is probably a good idea, even if you can't prove that the OS is infected. Current rootkits are hard to remove.

    For future reference, it would probably be a good idea to enable click-to-play for plugins in any browser that you use. Plugins are the most frequent source of drive-by exploits these days, IIRC, and having them run automatically is dangerous.
     
  3. solphusion
    Thanks for your answer Gullible Jones. I'm going to use that Avira Rescue System.

    Here is another analysis of that website by Anubis (http://anubis.iseclab.org). You can see what it does to a system using Internet Explorer:

    Anubis logs:

    http://anubis.iseclab.org/?action=result&task_id=1a89977b6cc1eb744f50c6d8e4d4a6e1c

    http://anubis.iseclab.org/?action=result&task_id=1a89977b6cc1eb744f50c6d8e4d4a6e1c&format=txt

    http://anubis.iseclab.org/?action=result&task_id=1a89977b6cc1eb744f50c6d8e4d4a6e1c&format=html


     
    Last edited: Dec 15, 2012
  4. The above was intended more as a suggestion than an answer. Also, if you know what to make of those Anubis logs, then you know Windows better than I do.
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I would also try the following two Antivirus Rescue CDs:

    1. Kaspersky Rescue Disk 10
    2. Dr.Web LiveCD

    Both of these have a 'clear' option for checking the MBR for rootkits.
     
  6. solphusion
    @Gullible Jones

    Actually I don't know what to make of those Anubis logs, that is why I posted them :) I understood that this malware can change the registry and that it can launch an autoexec.bat. I searched my registry for the value "4294967295", which was set multiple times by this malware in the Anubis logs, but I didn't have this value in my registry, luckily.

    So far I think I didn't catch this malware. The exploits were in the cache of Java and may have been old. I just found them now, while using new on-demand scanners I never used before on my PC (the Avira DE-Cleaner tool and the Emsisoft Emergency Kit).

    Today I scanned with more on-demand scanners and didn't have any more new results. Since the last time I wrote here (where I used Malwarebytes Anti-Malware, Hitman Pro, Panda ActiveScan, Avira DE-Cleaner, Emsisoft Emergency Kit) I have now tested with:

    8. Dr.Web CureIt! - 0 found

    9. Kaspersky Virus Removal Tool - 0 found

    10. F-Secure Easy Clean - 0 found

    11. ESET Online Scanner - 0 found

    12. Bitdefender QuickScan - 0 found

    13. Comodo Cloud Scanner - 0 found

    I'm currently running the Sophos Virus Removal Tool as an on-demand scanner, and next up are: Norton Power Eraser, Trend Micro HouseCall, and I'm going to use more sophisticated tools (thanks for your suggestions!):

    Avira Rescue System, Kaspersky Rescue Disk 10, Dr.Web LiveCD
     
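A triage script for the Java cache finding discussed in posts 1 and 6, added here as an example (it is not code from the thread or from any of the scanners named): it walks every profile's Java Deployment cache, hashes the data files written in the last N days, classifies them by magic bytes and pulls the source URL out of the companion .idx file, so each cached applet can be dated, traced to the site it came from and submitted by hash to an on-demand scanner. It assumes PowerShell 4 or later (for Get-FileHash), the cache path named in post 1, and that each data file has a same-named .idx file holding the URL as plain text.

```powershell
# Added example, not from the thread. Inventory the Java Deployment cache
# (where Avira DE-Cleaner and Emsisoft EEK found the files in post 1).
# Assumptions: cache under <profile>\AppData\LocalLow\Sun\Java\Deployment\cache,
# each data file has a companion "<name>.idx", and the .idx holds the source
# URL as plain text. Needs PowerShell 4+ for Get-FileHash.
param(
    [int]$Days = 30,                 # report only entries written in the last N days
    [string]$UsersRoot = 'C:\Users'  # profile root to walk
)

$cutoff = (Get-Date).AddDays(-$Days)

$entries = foreach ($profile in Get-ChildItem $UsersRoot -Directory -ErrorAction SilentlyContinue) {
    $cache = Join-Path $profile.FullName 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (-not (Test-Path $cache)) { continue }

    Get-ChildItem $cache -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ne '.idx' -and $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            # Companion index file: same name plus .idx (assumed layout)
            $idx = "$($_.FullName).idx"
            $url = ''
            if (Test-Path $idx) {
                $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($idx))
                if ($text -match 'https?://[\x21-\x7e]+') { $url = $Matches[0] }
            }
            # Magic bytes: "PK" = zip/jar archive, CAFEBABE = compiled class
            $head = [System.IO.File]::ReadAllBytes($_.FullName)[0..3]
            $kind = switch -Regex (($head | ForEach-Object { $_.ToString('X2') }) -join '') {
                '^504B'     { 'jar/zip' }
                '^CAFEBABE' { 'class' }
                default     { 'other' }
            }
            [pscustomobject]@{
                User    = $profile.Name
                Written = $_.LastWriteTime
                Kind    = $kind
                Size    = $_.Length
                SHA256  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                Source  = $url
                Path    = $_.FullName
            }
        }
}

# Newest first: entries written around the time of the plugin crash are the ones
# to look up by hash on VirusTotal or hand to the on-demand scanners
$entries | Sort-Object Written -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so every profile's LocalLow folder is readable; a jar whose Source column points at a site you do not recognise is the entry to investigate first.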