Symantec: Blackhole Exploit Kit Upgrade Revealed

Tuesday, July 03, 2012



Researchers at security provider Symantec have concluded analysis on the most recent version of the Blackhole Exploit Kit, the most popular exploit pack in the underground market, revealing some sophisticated new features.

The latest incarnation has adapted to take advantage of an unpatched vulnerability in Microsoft XML Core Services (CVE-2012-1889) which Microsoft had discussed in a security bulletin released on June 12th.

"The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website," Microsoft stated.

The infection ploy is known as a drive-by attack, a commonly used method for spreading malware.

"Web attacks and drive-by downloads continue to be one of the primary ways that enterprise and consumer computers are compromised today," Symantec's Nick Johnston writes.

Blackhole injects malicious code into compromised websites, allowing attackers to utilize a variety of exploits that target vulnerabilities in widely used applications like Java and Flash, and infects victims with a drive-by attack when they visit the compromised website.

"When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a user's system. It typically targets vulnerable Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads," Johnston said.

The problem malware authors face is that whenever the URL used by the injected iframe changes or is taken down, every compromised site has to be manually updated to point at the new URL.

To solve this time-consuming problem, the latest version of Blackhole contains JavaScript that generates pseudo-random domains, so the URLs for the injected iframes remain valid without any further changes to the compromised sites.

"The Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain. The compromised site contains obfuscated JavaScript. This code uses the fromCharCode method of the String object to build up a huge string containing JavaScript code to run. This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second... The code then creates a hidden iframe, using the previously-generated domain as the source," Johnston explains.

The researchers analyzed the generated domains, and determined a method for predicting future pseudo-random domains that could be generated by the script.

"Running this code in isolation, it seems that the pseudo-random domain is based on a number which is in turn based on an initial seed value, the current month and the day of the current month. By changing the date passed to the function we can determine domains that will be used in future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, such as details of the registrant not published in WHOIS," Johnston continued.
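The defensive use of that observation, as an added illustration that is not Symantec's code and not the kit's real generator: the mixing function, `SEED` and TLD below are invented stand-ins that only copy the structure the article describes (a number derived from a fixed seed, the month and the day of the month, rendered as a domain via `String.fromCharCode`). Once such a generator has been recovered from the obfuscated script, walking the calendar forward yields the domains to blocklist or sinkhole before they come into use, and the same list can be matched against proxy or DNS logs.

```javascript
// Added illustration, not Symantec's code and not the kit's real generator:
// the mixing function, SEED and TLD below are invented stand-ins that only
// copy the structure the article describes (a number from a fixed seed plus
// the month and day, rendered as a domain via String.fromCharCode).
const SEED = 0x2a1b3c; // constructed placeholder seed

// Deterministic 32-bit number from (seed, month, day); LCG-style, invented.
function dgaNumber(seed, month, day) {
  let n = (seed ^ (month * 31 + day)) >>> 0;
  for (let i = 0; i < 8; i++) n = (Math.imul(n, 1103515245) + 12345) >>> 0;
  return n;
}

// Domain for a given UTC date: 12 lowercase letters drawn from successive
// LCG states, so the label changes every day and repeats only by date.
function dgaDomain(date, seed = SEED) {
  let n = dgaNumber(seed, date.getUTCMonth() + 1, date.getUTCDate());
  let label = "";
  for (let i = 0; i < 12; i++) {
    n = (Math.imul(n, 1103515245) + 12345) >>> 0;
    label += String.fromCharCode(97 + ((n >>> 16) % 26));
  }
  return label + ".com";
}

// Defender side: once the generator is recovered, walk the calendar forward
// and list the domains for a window of days so they can be blocklisted or
// sinkholed before the kit starts using them.
function upcomingDomains(startDate, days, seed = SEED) {
  const out = [];
  for (let i = 0; i < days; i++) {
    const d = new Date(Date.UTC(startDate.getUTCFullYear(),
                                startDate.getUTCMonth(),
                                startDate.getUTCDate() + i));
    out.push({ date: d.toISOString().slice(0, 10), domain: dgaDomain(d, seed) });
  }
  return out;
}
// Match hostnames taken from proxy/DNS logs against the precomputed window.
function flagDgaHits(hostnames, startDate, days, seed = SEED) {
  const known = new Set(upcomingDomains(startDate, days, seed).map(e => e.domain));
  return hostnames.filter(h => known.has(h.toLowerCase()));
}

// Constructed sample: 3 July 2012 to 7 August 2012, the window in the article.
const start = new Date(Date.UTC(2012, 6, 3));
const window36 = upcomingDomains(start, 36);
const sampleHosts = ["www.example.com", window36[7].domain, "cdn.example.net"];
console.log(window36.slice(0, 3), flagDgaHits(sampleHosts, start, 36));
```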

Based on the analysis, the researchers believe the malware authors may still be testing the new feature. Domain generation of this kind had previously been used by botnets, but until now it had not been seen in exploit kits.

"So far we have seen a small but steady stream of compromised domains using this technique. This suggests that this is perhaps some kind of trial or test that could be expanded in future. Botnet software has used similar techniques in the past (Storm, most famously), but use of this technique in Web exploit kits is an emerging technique," Johnston said.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
