Blackhole Exploit Kit Research

To be perfectly frank, we haven’t spent much time with exploit kits since they seem to be the stomping grounds of virtually every security vendor with a research arm these days. That said, we thought it would be fun. Thus, we took a look at one of the up-and-comers in the exploit kit market, the Blackhole Exploit Kit. Currently the Blackhole Exploit Kit accounts for 7.7% of the domains listed in the Malware Domain list housed at the aptly named http://malwaredomainlist.com. This of course means that the Blackhole Exploit Kit is not on the level of Zeus or SpyEye yet, but it is certainly a player in the game.

In order to take a look at Blackhole, we identified an active site by testing out different blacklists (lots of false positives on those lists) and began to observe. The first thing we noted was that the site utilized some pretty distinct obfuscation, and that the obfuscation changed roughly every 24 hours. When the code was deobfuscated, it was clear that we were dealing with an exploit against a Java vulnerability. Unfortunately, within 24 hours we saw that attack change to target an MDAC vulnerability from 2006, specifically CVE-2006-0003. Moreover, the obfuscation technique was good enough that it bypassed all the AV and IPS engines we tested it against. One of the less sophisticated obfuscation techniques can be seen below, but first let’s take a look at the obfuscated string (which is ugly).

Figure 1: Obfuscated Code


Figure 2: Deobfuscation Script

How This Works
1. The deobfuscation is set up as a function called “g”, which is obvious.
2. The variable “md” is set to equal “a”.
3. The variable “d” (which is the obfuscated code) is split by the letter “v”.
4. The variable “s” is initialized.
5. Next, a loop to further deobfuscate the string contained in “d” is set up.
6. Next, “q” is set to be d.length minus the position number of the variable being deobfuscated minus 1 mod 2 plus 1.
7. The variable “c” is set to the character in the string “d” at position i multiplied by “q”.
8. The variable “f” is set to the first part of FromCharCode.
9. The variable “s” is set to equal FromCharCode(c).

There are a few ways to reverse this code and deobfuscate the malicious string. The easiest is simply to add in a window.alert() instead of the string that actually executes the malicious code. This method, however, can be dangerous, as a mistake may cause one to accidentally execute the malicious code. In addition, this method is pretty old and attackers sometimes purposefully make this difficult. In other words, it doesn’t always work. Another method would be to use Malzilla, a software utility that essentially separates the code and the Document Object Model (DOM) from the actual browser by handling them within Malzilla. Thus, the execution of the JavaScript code will be limited to printing the deobfuscated code. We have our reservations about this of course, but it works well in a lot of cases. Unfortunately, this piece of code is fairly resistant, as the eval() function call is actually obfuscated as well. Another method is to use jsunpack to deobfuscate the code (personal favorite, but it does not always show the nitty gritty of how this is accomplished).
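A fourth option is to re-implement the steps under "How This Works" as a static decoder that never calls eval() or touches the DOM. The code below is an added example, not the kit's script or the original figures; the function name, the sample string and the reading of step 6 as q = ((length - i - 1) mod 2) + 1 are assumptions.

```javascript
// Added example: static decoder for the scheme described in "How This Works".
// It only returns text; nothing decoded is ever evaluated or written to a page.
// ASSUMPTION: step 6 is read as q = ((tokenCount - i - 1) % 2) + 1,
// so q alternates between 1 and 2 across the token list.

function decodeBlackholeString(encoded, delimiter = 'v') {
  const tokens = encoded.split(delimiter);            // step 3: split on "v"
  let out = '';                                       // step 4: initialise s
  for (let i = 0; i < tokens.length; i++) {           // step 5: loop over d
    const q = ((tokens.length - i - 1) % 2) + 1;      // step 6 (assumed precedence)
    const raw = tokens[i].trim();
    // Refuse anything that is not a plain decimal number, so a wrong
    // delimiter or a truncated sample fails loudly instead of decoding junk.
    if (!/^\d+(\.\d+)?$/.test(raw)) {
      throw new Error(`token ${i} is not numeric: ${JSON.stringify(raw)}`);
    }
    const c = Number(raw) * q;                        // step 7: c = d[i] * q
    // A non-integer or out-of-range code means the assumed q formula
    // (or the delimiter) does not match this sample.
    if (!Number.isInteger(c) || c > 0xffff) {
      throw new Error(`token ${i} decodes to invalid char code ${c}`);
    }
    out += String.fromCharCode(c);                    // steps 8-9, called directly
  }
  return out;
}

// Constructed, benign sample (not taken from the kit); it encodes "sample".
const CONSTRUCTED_SAMPLE = '57.5v97v54.5v112v54v101';

console.log(decodeBlackholeString(CONSTRUCTED_SAMPLE));
```

If the decoder throws on a real sample, the delimiter or the q formula differs from what is assumed here and should be re-read from that day's script.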

Regardless, the deobfuscated code looks like the below:
One will note the 0c0d which is used in the heap spray as a NOP Sled for the shellcode which follows the NOP sled. The shellcode, which can be seen below is known as

As was mentioned, the exploit on this site changes roughly every 24 hours. At first it was merely changing the obfuscation technique; however, after further observation, the actual exploit began targeting different vulnerabilities. Specifically, MDAC via CVE-2006-0003.

Snort Signatures Triggered
This particular piece of code will trigger two Snort signatures, namely:
1. Possible Request for Blackhole Exploit Kit Landing Page – src.php?case=
2. Current_Events Driveby Blackhole – Landing Page Received – Applet and Flowbit
