Exploring the recent exploit trends, I found the KaiXin Exploit Kit. Originally found by Kahu Security, the attacked site was also reported on CleanMX. Further research shows that the attack site has been logged on Wepawet and JSunpack. Let's download all the Base Zero (Raw) files and send them to VirusTotal.

KaiXin VirusTotal Results

Now let's set up our files. Keep them organized. :)
Setting Up

Let's start with the 'Not Detected' side. swfObject.js is legit.

swfObject.js

deployJava.js aka jpg.js is a little trickier. However, I found a similar file on Google Code.

deployJava.js aka jpg.js

The third party appears to track the user by placing a hidden iframe in the HTML. Valid but ugly. (Note that the iframe element itself is not deprecated in HTML5; only frame and frameset are. The hidden iframe is just the classic way to pull in a tracking page, or, as we'll see below, an exploit page.)

51Yes Tracking

Now let's look at the malicious stuff! >:)

index.html Original

The index.html contains a hidden iframe to ad.html. Let's have a look.

ad.html Original

Not that readable, so let's beautify it!

ad.html JavaScript Beautified

Hmm... At first sight, unescape. Looks easy enough.

ad.html JavaScript Unescape Deobfuscated

Well, looky here! We have two long strings, a 'document', and a 'write'. We can only guess that there will be a document.write later in the script.

ad.html JavaScript Deobfuscated document.write

So it's going to write Dz to the document. That makes our day easy. All we have to do is replicate the situation, replacing document.write with alert :) (Do this in a throwaway VM with the page's other script includes and object tags removed: everything else in the script still executes, and only the one call you swapped out is neutralized.)

ad.html JavaScript Deobfuscated Script

So it defines a cookie from the user agent, then checks that the user agent is valid, not a bot/spider, etc. It also checks whether its own cookie has already been set, which ensures that a visitor is exploited only once and that simply reloading the page won't reproduce it (a nuisance for analysts, which is the point). It then checks for specific Java versions (using deployJava) and uses different class files for 0.exe depending on the result. Comodo analysis of 0.exe Variant 1. AntiVirus Lab analysis of 0.exe Variant 2.

ad.html JavaScript Deobfuscated Java Exploit

It then uses swfObject to get the Flash version and checks the version of Internet Explorer. Two different iframes are written, depending on the Internet Explorer version.

ad.html JavaScript Deobfuscated Flash Exploit

Anyway, before we go any further, let's send the deobfuscated results to VirusTotal. 1/42.

So let's analyze the Flash HTML files.

cLpl7.html Original

Again, we'll beautify it.

cLpl7.html Beautified

Looks like this exploit kit uses the same algorithm. This time we have two Dzs in their own separate script tags. Again we'll alert the Dz returns. For safety purposes, remember to disable the object tag first: wrapping it in HTML comment tags stops the browser from instantiating the Flash plugin, which is what would actually load the exploit SWF. The return was so big that I couldn't read it in the alert window! I had to copy-paste before getting a glimpse of the code. Have a look at the core of cLpl7:

cLpl7.html Deobfuscated First

And the second one:

cLpl7.html Deobfuscated Second

So we have some shellcode and a buffer overflow to make it run. Now let's look at the final gADSr.html:

gADSr.html Original

You know the drill ;)

gADSr.html Beautified

Dz returns this:

gADSr.html JavaScript Deobfuscated

Later in the script it loads an obfuscated .swf file.

Conclusion:

The phrase 'document.write() can be a form of eval' is no joke.

Despite the kit having been in the wild for 5 days, only ClamAV detects the deobfuscated return of the main ad.html file.

Stay safe,
~!Donovan