Blackhole Exploit Kit Gets an Upgrade: Pseudo-random Domains

The Blackhole exploit kit has been extensively covered by Symantec for some time. As a brief reminder, like other exploit kits such as Phoenix, people using Blackhole compromise a legitimate site, inserting malicious and highly obfuscated JavaScript code into the site's main page. To evade detection and avoid attracting suspicion, the rest of the page (and indeed site) is left untouched.

When an unsuspecting user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe; the content loaded into that iframe silently exploits vulnerable browser plug-ins and drops malware onto the user's system. It typically targets vulnerable versions of Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads.

Although this approach has generally been very successful for malware authors, it has had one weakness. If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.

To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain.

The compromised site contains obfuscated JavaScript:

This code uses the fromCharCode method of the String object to build up a huge string containing JavaScript code to run. This is part of the code that is actually being run:

This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second. That function calls generatePseudoRandomString() with the following arguments:

  • a timestamp
  • 16, the desired length of the domain name
  • ru, the top-level domain name to use

The code then creates a hidden iframe, using the previously-generated domain as the source.
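The obfuscation layer described above builds the real payload from String.fromCharCode() calls. The following is an added example, not code from the original post or from the Blackhole kit, showing how an analyst can recover such strings statically, without executing the captured script. The sample script and its two fromCharCode calls are constructed for the example; the regular expression only handles plain numeric literals, so calls whose arguments are computed (arithmetic, variables, nested calls) are reported rather than decoded.

```javascript
// Added example: statically decode String.fromCharCode(...) calls found in
// a captured script. Nothing in the script is executed.

// Matches String.fromCharCode( ... ) with a flat argument list.
// Limitation: arguments containing parentheses (nested calls) are not matched.
const FROM_CHAR_CODE_RE = /String\s*\.\s*fromCharCode\s*\(([^)]*)\)/g;

// Decode the raw argument text of one call, e.g. "118, 97,114" -> "var".
// Only decimal and hexadecimal literals are accepted; anything else throws,
// so a computed argument list is never silently mis-decoded.
function decodeCharCodeArgs(argList) {
  const codes = argList
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => {
      if (!/^(0x[0-9a-f]+|\d+)$/i.test(s)) {
        throw new Error(`non-literal argument: ${s}`);
      }
      return Number(s);
    });
  // String.fromCharCode mirrors the semantics the obfuscated code relies on
  // (values are truncated to 16 bits, exactly as the browser would do).
  return String.fromCharCode(...codes);
}

// Walk a script and return every fromCharCode call with its decoded string.
// Calls that cannot be decoded statically are kept with an error message so
// the analyst knows where manual work is still needed.
function decodeFromCharCodeCalls(script) {
  const results = [];
  for (const m of script.matchAll(FROM_CHAR_CODE_RE)) {
    const entry = { offset: m.index, raw: m[0] };
    try {
      entry.decoded = decodeCharCodeArgs(m[1]);
    } catch (err) {
      entry.error = err.message;
    }
    results.push(entry);
  }
  return results;
}

// Constructed sample: two obfuscated fragments, one decimal and one hex.
const SAMPLE_SCRIPT =
  "var p=String.fromCharCode(118,97,114,32,120,61,49,59);" +
  "window[String . fromCharCode(0x73,0x65,0x74,0x54,0x69,0x6d,0x65,0x6f,0x75,0x74)];" +
  "var q=String.fromCharCode(a+1,b);"; // computed arguments: left for manual review

// Stand-alone run: print what an analyst would see.
for (const r of decodeFromCharCodeCalls(SAMPLE_SCRIPT)) {
  console.log(r.offset, r.decoded !== undefined ? JSON.stringify(r.decoded) : `UNDECODED (${r.error})`);
}
```

Decoding in this way keeps the analyst in control: the recovered text can be searched for the setTimeout() call, the iframe construction and the domain generator without ever letting the obfuscated script run.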

Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed.

Running this code in isolation, it seems that the pseudo-random domain is based on a number which is in turn derived from an initial seed value, the current month, and the day of the current month. When the code was run at the time of writing, it returned:

lfbovcaitd[REMOVED].ru

By changing the date passed to the function we can determine the domains that will be used in the future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, so that details of the registrant are not published in WHOIS.
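The defensive value of a date-seeded generator is that, once the algorithm is recovered, the same code can be run forward to enumerate the domains it will produce on future dates and feed them to a blocklist or sinkhole. The following is an added example and not the Blackhole generator itself: the post does not reproduce the kit's algorithm or seed, so the generator below (a simple linear congruential generator mixed from a placeholder seed, the month and the day of the month, producing a 16-character label under .ru) is a hypothetical stand-in with the same shape of inputs. The enumeration and blocklist functions are the part an analyst would reuse once the real generator has been extracted.

```javascript
// Added example: a HYPOTHETICAL date-seeded domain generator (not the real
// Blackhole algorithm) plus the forward-enumeration step a defender uses to
// build a blocklist of the domains such a generator will produce.

const TLD = "ru";            // top-level domain named in the post
const DOMAIN_LENGTH = 16;    // label length named in the post
const SEED = 0x1234;         // placeholder seed; the real value is unknown

// One step of a 32-bit linear congruential generator (constants are the
// classic glibc ones; any LCG would serve the example).
function lcgStep(state) {
  return (Math.imul(state, 1103515245) + 12345) >>> 0;
}

// Mirrors the inputs the post describes: a seed, the month and the day of the
// month (no year), so the same domain recurs on the same calendar day each year.
function generatePseudoRandomDomain(date, length = DOMAIN_LENGTH, tld = TLD) {
  const month = date.getUTCMonth() + 1;
  const day = date.getUTCDate();
  let state = ((SEED * 31 + month) * 31 + day) >>> 0;
  let label = "";
  for (let i = 0; i < length; i++) {
    state = lcgStep(state);
    // Use the high bits of the state; low bits of an LCG cycle quickly.
    label += String.fromCharCode(97 + ((state >>> 16) % 26));
  }
  return `${label}.${tld}`;
}

// Forward enumeration: the domain for each of the next `days` days from
// `startDate` (UTC), returned with the date it becomes active.
function enumerateDomains(startDate, days) {
  const out = [];
  for (let i = 0; i < days; i++) {
    const d = new Date(Date.UTC(
      startDate.getUTCFullYear(), startDate.getUTCMonth(), startDate.getUTCDate() + i));
    out.push({ date: d.toISOString().slice(0, 10), domain: generatePseudoRandomDomain(d) });
  }
  return out;
}

// Blocklist material: the unique set of domains for the window, sorted so the
// output is stable and diff-friendly for proxy or DNS policy updates.
function buildBlocklist(startDate, days) {
  return [...new Set(enumerateDomains(startDate, days).map((e) => e.domain))].sort();
}

// Stand-alone run: constructed start date, two-week window.
for (const e of enumerateDomains(new Date(Date.UTC(2011, 5, 1)), 14)) {
  console.log(e.date, e.domain);
}
```

Because the generator depends only on the month and day, a blocklist built from one year's window covers the same calendar days in every year; if a real generator also consumes the year, the window must be regenerated annually. The enumeration is what lets defenders register or sinkhole domains ahead of the attacker, which is the same step the post uses to find that domains through 7 August were already registered.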

So far we have seen a small but steady stream of compromised domains using this technique. This suggests that this is perhaps some kind of trial or test that could be expanded in future.

Botnet software has used similar techniques in the past (Storm, most famously), but their use in Web exploit kits is an emerging development.

Web attacks and drive-by downloads continue to be one of the primary ways that enterprise and consumer computers are compromised today. All Norton customers and Symantec Endpoint Protection customers that use our Network-Based Protection technology are proactively protected from Blackhole Web attack toolkits serving up drive-by downloads. The Network Threat Protection technology stops these attacks before they ever get to the end computer. Customers relying on antivirus-only technology may be at risk due to the polymorphic nature of the malware generated by Web attack toolkits like Blackhole. If you do not use Symantec products and are concerned that your computer might have been compromised after visiting a site you can download Symantec's free Power Eraser tool.