Analysis Of A Blackhole Exploit Page

February 20, 2012 - 2 Min. de leitura

Conteúdo

Article
Mais blogs

The Blackhole Exploit kit is still a very popular attack on the web. They are many variants of the threat. Here is a detailed analysis of one Exploit kit page and the obfuscation technique leveraged by the attack.

In this example, the exploit is heavily obfuscated. The exploit has been encoded and stored as HTML and JavaScript is used to decode the payload and run it.

Blackhole Exploit encoded ans stored in HTML

JavaScript decoding loop

To decode the exploit, I used Malzilla, a popular JavaScript deobfuscation tool. Malzilla cannot manipulate the DOM like a real web browser, so I needed to copy and past the HTML-encoded data into a JavaScript variable. I then changed the JavaScript loop slightly, to extract the data from the variable instead of the HTML. Instead of doing an eval() of the code, I replaced the last line with document.write(c) to output the result.

The code below was delivered by Malzilla following the aforementioned adjustments (I've cut out the encoding data):

Modified code to run in Malzilla

I can now execute the script. The obfuscation requires many passes to fully decode the data andit takes quite a while to complete.

Script executed by Malzilla

Now, let's examine the output from Malzilla. The first part addresses a "Please wait page is loading..." message, very typical of the Blackhole Exploit kit so that the victim remains patient while the exploit code executes.

Then, the JavaScript figures out which browser is visiting the page, what plugins are installed and with which version. This is subsequently to decide which exploit payloads to deliver.

Browser fingerprinting

Depending on what browser information was obtained, different exploits can be delivered. It could for example be a malicious Java applet:

Launch a malicious Java applet

... or a remote code execution targeting a known Internet Explorer vulnerability:

MDAC exploit for Internet Explorer

.. or a malicious PDF file:

Malicious external PDF file

... or a malicious Flash file:

Malicious Flash file

Separating the exploit into an encoded payload and a decoding loop made it easier for the exploit kit creators to create an infinite array of different pages in order to evade detection. The Exploit kit is also more sophisticated than many other exploits as it is able to use the right exploit for each visitor.

Obrigado por ler

Esta postagem foi útil?？

Sim, muito útil!

Na verdade, não

Aviso legal: este post no blog foi criado pela Zscaler apenas para fins informativos e é fornecido "no estado em que se encontra", sem quaisquer garantias de exatidão, integridade ou confiabilidade. A Zscaler não se responsabiliza por quaisquer erros, omissões ou por quaisquer ações tomadas com base nas informações fornecidas. Quaisquer sites ou recursos de terceiros vinculados neste post são fornecidos apenas para sua conveniência, e a Zscaler não se responsabiliza por seu conteúdo ou práticas. Todo o conteúdo está sujeito a alterações sem aviso prévio. Ao acessar este blog, você concorda com estes termos e reconhece que é de sua exclusiva responsabilidade verificar e utilizar as informações conforme apropriado para suas necessidades.