The Blackhole exploit kit is still a very popular attack on the web. Malware uses this exploit kit to propagate and infect unsuspecting users. Here is a detailed analysis of a fake Intuit page that leads to the exploit kit, and of the obfuscation technique the attack uses. From this specific targeted attack, we were able to download a Cridex worm, two PDF files, and an obfuscated JavaScript file.
Let's see first what the fake page looks like:
[Figure 1: Fake Intuit Page]
In the above screenshot, we can immediately notice that it is fake. You may view the legitimate Intuit QuickBooks site here. The browser title shows "Intuit", but the status bar reveals a hidden connection to a different remote site.
Now, let's see what is in this HTML file...
[Figure 2: Content of the Fake Page]
I used Malzilla to connect to the site and get its content. You can see that, other than the usual title and header shown earlier, it also contains an obfuscated script.
Now to decode this script...
You will notice that I highlighted some variables in Figure 2. When the script runs, these variables are assembled into a reference to the window.eval() function. window.eval() is a JavaScript function that executes the string passed to it as code, and it is what this script uses to execute the deobfuscated code. Malicious scripts commonly build the reference this way to avoid script debuggers and emulators that hook eval() directly in order to dump the deobfuscated code.
So now, we need to modify the script so that Malzilla will be able to get the argument of the eval() function...
[Figure 3: Removing IF conditions]
Figure 3 shows that in this specific sample, we need to remove some IF statements to make sure that the script is executed.
[Figure 4: Run script and Show Eval() results]
If you look again at the highlighted variables in Figure 2, you will see that the variable "e" becomes the window.eval() function. Figure 4 shows the modifications we applied. Run the script and then hit the "Show eval() results" button. In the bottom box of Figure 4, you will see the deobfuscated code: a hidden iframe that connects to a remote site.
Let's follow this site, shall we...
Again using Malzilla, repeat the same steps to analyze this remote site. On the Download tab, paste the URL and then hit the "Get" button.
[Figure 5: Contents of the remote site.]
Figure 5 shows that this site contains two script tags, so we need to use "Send all scripts to Decoder". Like the first site, it uses the same technique: window.eval is assigned to a variable "e". Apply the same modification we made earlier, run the script, and then get the eval result. Figure 5 also shows which part of the script you need to change.
[Figure 6: Black Hole exploit code.]
Figure 6 shows the result. You will now see the "Please wait page is loading..." text. This display page is very common in Black Hole exploit code. Initially, the code is on a single line, which makes it hard to read. You can use a JavaScript formatter to insert newlines and tabs into the script; jsbeautifier.org is one example.
Let's now take a look at the exploit code...
It searches for vulnerable applications installed on the target system. In this sample, it checks for the following:
- Adobe Reader
- Flash Player
[Figure 7: Check installed applications.]
It deploys an MDAC exploit (CVE-2006-0003 - IE6 COM CreateObject Code Execution) to download and execute a malicious file.
- File: Cridex worm
- MD5 hash: c3124a2981d8e1b9e13e8c21c96448f7
- Virustotal Scan Results
[Figure 8: Deploying MDAC exploit.]
It deploys the following PDF exploits:
- CVE-2008-2992 - Adobe Reader util.printf
  - File: Pdfjsc exploit
  - MD5 hash: 8ad89d5477fe5b074b1767a826207c8a
  - Virustotal Scan Results
- CVE-2009-0927 - Adobe Reader Collab GetIcon
  - File: Pdfjsc exploit
  - MD5 hash: 84fbc15c2d3e460183b853c566bf3ccf
  - Virustotal Scan Results
[Figure 9: Deploying PDF exploits.]
It deploys the HCP exploit (CVE-2010-1885):
[Figure 10: Deploying HCP exploit.]
The file at the link is an obfuscated script. When the deobfuscated code is saved to a file:
- File: Javascript iframe
- MD5 hash: 1f082ef7e2bc87efa2926a81925e6c46
- Virustotal Scan Results
[Figure 11: Deobfuscated HCP exploit script]
Finally, it deploys a Flash Player exploit (CVE-2011-0611 - Adobe Flash Player Memory Corruption):
[Figure 12: Deploying Flash exploit.]
More Information:
- Black Hole exploit kit
Sample source:
- malwaredomainlist.com
References:
- Imperva
- ZScaler ThreatLab