To be perfectly frank, we haven’t spent much time with exploit kits, since they seem to be the stomping grounds of virtually every security vendor with a research arm these days. That said, we thought it would be fun. Thus, we took a look at one of the up-and-comers in the exploit kit market, the Blackhole Exploit Kit. Currently the Blackhole Exploit Kit accounts for 7.7% of the domains listed in the Malware Domain List housed at the aptly named http://malwaredomainlist.com, which of course means that the Blackhole Exploit Kit is not yet on the level of Zeus or SpyEye, but it is certainly a player in the game.
In order to take a look at Blackhole, we identified an active site by testing different blacklists (lots of false positives on those lists) and began to observe. The first thing we noted was that the site used some pretty distinct obfuscation, and that the obfuscation changed roughly every 24 hours. When the code was deobfuscated, it was clear that we were dealing with an exploit against a Java vulnerability. Unfortunately, within 24 hours we saw the attack change to target an MDAC vulnerability from 2006, specifically CVE-2006-0003. Moreover, the obfuscation technique was good enough that it bypassed every AV and IPS engine we tested it against. One of the less sophisticated obfuscation techniques can be seen below, but first let’s take a look at the obfuscated string (which is ugly).
Figure 1: Obfuscated Code
Figure 2: Deobfuscation Script
How This Works
1. The deobfuscation is set up as a function called “g”, which is obvious.
2. The variable md is set equal to “a”.
3. The variable d (which holds the obfuscated code) is split on the letter “v”.
4. The variable “s” is initialized.
5. Next, a loop is set up to further deobfuscate the chunks contained in “d”.
6. Next, “q” is set to d.length minus the position number of the chunk being deobfuscated minus 1, mod 2, plus 1.
7. The variable c is set to the chunk of d at position i multiplied by q.
8. The variable f is set to the first part of FromCharCode.
9. s is set equal to FromCharCode(c).
Regardless, the deobfuscated code looks like this:
One will note the 0c0d, which is used in the heap spray as a NOP sled for the shellcode that follows it. The shellcode, which can be seen below, is known as
As mentioned, the exploit on this site changes roughly every 24 hours. At first only the obfuscation technique was changing; however, after further observation, the actual exploit began targeting different vulnerabilities, specifically MDAC via CVE-2006-0003.
Snort Signatures Triggered
This particular piece of code will trigger two Snort signatures, namely:
1. Possible Request for Blackhole Exploit Kit Landing Page – src.php?case=
2. Current_Events Driveby Blackhole – Landing Page Received – Applet and Flowbit