Blackhole is one of the best-known exploit kits used by cyber criminals to infect unsuspecting users through drive-by downloads. It serves exploits for Java, Adobe Flash Player, Adobe Reader, the Windows Help Center and other applications.
Blackhole's usual delivery method, an iframe injected into compromised websites whose target is the page that actually holds the malicious code, has generally been very successful for the malware authors, but it has one weakness: if that URL changes or is taken down, every compromised site has to be updated to point to the new location, which is difficult and impractical at scale.
To deal with this, the Blackhole JavaScript on compromised sites now dynamically generates pseudo-random domains based on the date and other information, and then creates an iframe pointing to the generated domain.
After de-obfuscating the JavaScript in the compromised pages, Symantec researchers found the code that generates these pseudo-random domains.
This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second. That function calls generatePseudoRandomString() with three arguments:
- a timestamp
- 16, the desired length of the domain name
- ru, the top-level domain to use
The code then creates a hidden iframe with the generated domain as its source.
Once the domain has been generated and the iframe has been created, the exploit kit page runs its exploits as normal, going to great lengths to determine, for example, which malicious PDF file to serve depending on the version of Adobe Reader installed.
Running this code in isolation shows that the pseudo-random domain is derived from a number which is in turn derived from an initial seed value, the current month and the day of the month. When run at the time of writing, it returned:
lfbovcaitd[REMOVED].ru
By changing the date passed to the function, we can determine the domains that will be used in future. All domains up to 7 August of this year have already been registered, and all currently resolve to the same IP address. The domains, all recently registered, use private registration, so the registrant's details are not published in WHOIS.
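The generation and prediction steps described above, as an added illustrative example that is not Symantec's decoded Blackhole code: the seed value, the date-mixing arithmetic and the linear congruential generator are assumptions chosen only to have the shape the article describes (a seed, the month and the day feeding a 16-letter .ru domain), and the DNS log lines are constructed. It also shows the defender-side use the article alludes to, enumerating the domains for future dates and matching logged lookups against them.

```javascript
// Added example, not Blackhole's own code. SEED, the mixing constants and the
// LCG are assumptions for illustration; only the overall structure follows the
// article: seed + month + day -> pseudo-random label of `length` letters + tld.

const SEED = 0x1234; // hypothetical initial seed value

// Mix the seed with the calendar date. As the article describes, only the month
// and day are inputs; the year is not, so every domain recurs annually.
// Dates are read in UTC so the result does not depend on the machine's timezone.
function dailyNumber(date, seed = SEED) {
  const month = date.getUTCMonth() + 1;
  const day = date.getUTCDate();
  return ((seed * 31 + month) * 131 + day) >>> 0; // 131 > 31, so (month, day) pairs never collide
}

// Generate one domain for a date: `length` lowercase letters under `tld`,
// drawn from a 32-bit LCG seeded with dailyNumber().
function generatePseudoRandomString(date, length, tld, seed = SEED) {
  let state = dailyNumber(date, seed);
  let label = "";
  for (let i = 0; i < length; i++) {
    // Numerical Recipes LCG constants; Math.imul keeps the multiply in 32 bits.
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    // Use the high byte, which is far better mixed than an LCG's low bits.
    label += String.fromCharCode(97 + ((state >>> 24) % 26));
  }
  return `${label}.${tld}`;
}

// Defender side: enumerate the domains for the next `days` days starting at
// `startDate`. This is what lets a researcher register, sinkhole or block them
// ahead of time. Date.UTC normalises day overflow across month boundaries.
function predictDomains(startDate, days, length = 16, tld = "ru", seed = SEED) {
  const out = [];
  for (let i = 0; i < days; i++) {
    const d = new Date(Date.UTC(startDate.getUTCFullYear(), startDate.getUTCMonth(), startDate.getUTCDate() + i));
    out.push({ date: d.toISOString().slice(0, 10), domain: generatePseudoRandomString(d, length, tld, seed) });
  }
  return out;
}

const WINDOW_START = new Date(Date.UTC(2012, 5, 1)); // assumed analysis date, 1 June 2012
const WINDOW_DAYS = 70;                               // covers into early August

// Constructed sample DNS log lines (not real traffic): "<timestamp> <client> <qtype> <qname>".
// One benign lookup, one DGA lookup for 14 June, and one for 15 June logged with the
// trailing dot some resolvers emit.
const SAMPLE_DNS_LOG = [
  "2012-06-14T10:21:55Z 10.0.0.5 A www.example.com",
  `2012-06-14T10:22:01Z 10.0.0.5 A ${generatePseudoRandomString(new Date(Date.UTC(2012, 5, 14)), 16, "ru")}`,
  `2012-06-15T08:00:12Z 10.0.0.9 A ${generatePseudoRandomString(new Date(Date.UTC(2012, 5, 15)), 16, "ru")}.`,
];

// Detection: flag every logged query name that matches a predicted domain in the
// window. The prediction is built once into a Map so each line is an O(1) lookup.
function flagDgaLookups(lines, startDate = WINDOW_START, days = WINDOW_DAYS) {
  const predicted = new Map(predictDomains(startDate, days).map(({ date, domain }) => [domain, date]));
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue; // skip malformed lines rather than throwing
    const qname = fields[fields.length - 1].toLowerCase().replace(/\.$/, "");
    if (predicted.has(qname)) hits.push({ line, qname, dgaDate: predicted.get(qname) });
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(predictDomains(WINDOW_START, 3));
  console.log(flagDgaLookups(SAMPLE_DNS_LOG));
}
```

Run it with node to see three predicted domains and the two flagged log lines. Two points carry over to real cases: the prediction is only as good as the decoded constants, so the exact seed and arithmetic must be lifted from the de-obfuscated script rather than approximated, and because the year is not an input in the algorithm as described, one year's worth of enumerated domains covers every later year as well, which makes blocklisting and sinkholing unusually durable.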