Saturday, August 6, 2011

Blackhole exploit kit continues its dominance

Today, I was investigating a block that had been triggered on a web page due to detection of the Blackhole exploit kit. We previously posted a blog about the rise in Blackhole exploit kit detections back in February 2011. That blog post continues to receive comments from readers who have identified similar attacks, and I regularly receive email from readers requesting analysis of Blackhole exploit kit samples. The Blackhole exploit kit is often behind the injection of malicious Iframes into legitimate websites.

Interestingly, attackers are not only using heavy obfuscation but are also hiding the obfuscated Iframes inside the HTML body tag. Here is the source of the infected web page that I analyzed this morning:

The heavily obfuscated code has been injected into the HTML body tag. You need to format the code and do some manual analysis to find the malicious URL. To do so, you can follow the trick described in my earlier blog post on de-obfuscating malicious content. The formatted code looks like this:

Basically, the above malicious code creates two Iframes pointing to two different malicious websites serving Blackhole exploit kit code. To decode it, insert an alert() call at the point where the script concatenates the various strings, as described in an earlier blog post. You can then see the malicious URLs, such as:

The URL pattern “/index.php?tp=” suggests that the links are related to the Blackhole exploit kit. Once visited, the malicious websites return heavily obfuscated exploit code that exploits several vulnerabilities and downloads malicious binaries. Here is what the exploit code looks like:

The above code exploits various older vulnerabilities. Because of the obfuscation used in both the Iframe and the exploit, overall AV detection remains very poor. Here is the VirusTotal result for the exploit code. This example shows that the Blackhole exploit kit continues to evolve with new tricks and obfuscation techniques.

Definitely Badhole!!!

Umesh

2 comments:

Anonymous said...

Strange how the exploit page has such a low detection rate; the code is pretty characteristic and consistent in all the exploit pages. The format is always the same: a huge div block, and the loop to decode it. Maybe they rely on some runtime detection of the exploits, which always get served with the same names "games/getJavaInfo.jar" and "new.avi".

Anonymous said...

VirusTotal shows a low detection rate because it is a very poor way to evaluate detection by a modern antivirus system.

The good systems will detect this attack on the wire. VirusTotal is file-scan only.

If this JavaScript touches the disk in the real world, you might be in trouble.

Mentioning VirusTotal results in this article is very amateur IMO.