After coming back from martial arts class last night, I happened to have some time to dig around with an in-the-wild Blackhole Exploit Kit (BHEK) v2.0 exploit page. Unfortunately, I didn't manage to get the exploit samples since the site hosting the BHEK went down right after I deobfuscated the JavaScript of the exploit page.
With a limited number of exploit page samples (since the uptime of a BHEK exploit page is short, maybe a hit-and-run method), I wrote YARA rules to exercise the patterns and generalization across the different samples.
rule Blackhole2_exploit_page
{
    meta:
        author = "Ahmad Azizan"
        ref = "BlackHole 2.0"
        description = "BlackHole Exploit Page"
        version = "0.1"
        impact = 4
        hide = false

    strings:
        // eval, either as a literal call or reassembled via window["e"+"val"]
        $eval1 = /window\[['"](['"]\+['"]){0,1}e(['"]\+['"]){0,1}v(['"]\+['"]){0,1}a(['"]\+['"]){0,1}l(['"]\+['"]){0,1}['"]\]/ nocase
        $eval2 = /eval\(.{1,}\);/ nocase

        // DOM lookups used to pull the encoded payload out of the page
        $pattern1 = /getElementsByTagName/ nocase
        $pattern2 = /getElementById/ nocase
        $pattern3 = /getAttribute/ nocase

        // String.fromCharCode, whole or split in two
        $fcc1 = /(String.){0,1}fromCharCode/ nocase
        $fcc2 = /fromCha/ nocase
        $fcc3 = /rCode/ nocase

        $doc = /document\[\w{1,}\]\(['"].{1,}['"]\);/ nocase
        $try = /try\s{0,}\{.{1,}\}\s{0,}catch\s{0,}\(.{1,}\)\s{0,}\{/ nocase

        // platform regexes as they appear in the PluginDetect code
        $machine1 = /Win/
        $machine2 = /Mac/
        $machine3 = /Linux/
        $machine4 = /FreeBSD/
        $machine5 = /iPhone/
        $machine6 = /iPod/
        $machine7 = /iPad/
        $machine8 = /Win\.\*CE/
        $machine9 = /Win\.\*Mobile/
        $machine10 = /Pocket\\\\s\*PC/

        // ActiveX ProgIDs probed by the page
        $api1 = /Msxml2.XMLHTTP/
        $api2 = /Msxml2.DOMDocument/
        $api3 = /Microsoft.XMLDOM/
        $api4 = /ShockwaveFlash.ShockwaveFlash/
        $api5 = /TDCCtl.TDCCtl/
        $api6 = /Shell.UIHelper/
        $api7 = /Scripting.Dictionary/
        $api8 = /wmplayer.ocx/

        $plugin1 = /PluginDetect\.getVersion\(.{1,}\);/ nocase

        // decoder function seen in the deobfuscated pages
        $type1 = /function\s{0,}x\(s\)\{d\=\[\];for\(\w{1}\=0;\w{1}<s\.length;\w{1}\+\+\)\{k\=\(s\.charCodeAt\(\w{1}\)\-\d{2}\)\.toString\(\d{2}\);if\(k\.length\=\=\d{1}\)k\=\"\d{1}\"\+k;d\.push\(k\);\};return d\.join\(\"\"\);\}/ nocase

        // CLSIDs of the targeted controls plus %uXXXX-encoded shellcode
        $type2_1 = /clsid:8AD9C840-044E-11D1-B3E9-00805F499D93/
        $type2_2 = /clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA/
        $type2_3 = /clsid:CA8A9780-280D-11CF-A24D-444553540000/
        $type2_4 = /clsid:D27CDB6E-AE6D-11CF-96B8-444553540000/
        $type2_5 = /clsid:BD96C556-65A3-11D0-983A-00C04FC29E36/
        $type2_6 = /%u[0-9a-fA-F]{4}/

    condition:
        ((($eval1 or $eval2) and (($pattern1 or $pattern2) and $pattern3) and ($fcc1 or ($fcc2 and $fcc3)) and ($doc) and ($try)) or
         (($eval1 or $eval2) and (($pattern1 or $pattern2) and $pattern3) and ($doc) and ($try)) or
         (($eval1 or $eval2) and ($fcc1 or ($fcc2 and $fcc3)) and ($try)) or
         (($eval1 or $eval2) and ($doc) and ($try)) or
         (($eval1 or $eval2) and ($try))) or
        ((all of ($machine*)) and
         (all of ($api*)) and
         ($plugin1) and
         (($type1) or (all of ($type2_*))))
}
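To see which part of the condition actually fires on a given file, here is a Python port of the rule's strings and condition logic, written for this post as an added example (it is not part of the original rule, and uses Python's re module rather than YARA's engine, so treat it as an approximation). The four input strings are constructed for the demo: a snippet shaped like the deobfuscated BHEK loader, a benign-looking snippet that only has eval() plus try/catch, a clean function, and a string carrying the PluginDetect/CLSID literals of the second branch. The branch labels A1..A5 and B are my own names for the or-clauses in the condition, in the order they appear. The benign sample is worth noting: the last clause of the first branch, ($eval1 or $eval2) and ($try), fires on its own, so any script that combines eval() with a try/catch will match the rule.

```python
import re

# Port of the YARA strings (nocase -> IGNORECASE). Added example, not the
# original rule; regex syntax is kept as in the rule so the two stay comparable.
I = re.IGNORECASE
STRINGS = {
    "eval1": re.compile(r"""window\[['"](['"]\+['"]){0,1}e(['"]\+['"]){0,1}v(['"]\+['"]){0,1}a(['"]\+['"]){0,1}l(['"]\+['"]){0,1}['"]\]""", I),
    "eval2": re.compile(r"eval\(.{1,}\);", I),
    "pattern1": re.compile(r"getElementsByTagName", I),
    "pattern2": re.compile(r"getElementById", I),
    "pattern3": re.compile(r"getAttribute", I),
    "fcc1": re.compile(r"(String.){0,1}fromCharCode", I),
    "fcc2": re.compile(r"fromCha", I),
    "fcc3": re.compile(r"rCode", I),
    "doc": re.compile(r"""document\[\w{1,}\]\(['"].{1,}['"]\);""", I),
    "try": re.compile(r"try\s{0,}\{.{1,}\}\s{0,}catch\s{0,}\(.{1,}\)\s{0,}\{", I),
    "plugin1": re.compile(r"PluginDetect\.getVersion\(.{1,}\);", I),
    "type1": re.compile(r'function\s{0,}x\(s\)\{d\=\[\];for\(\w{1}\=0;\w{1}<s\.length;\w{1}\+\+\)\{k\=\(s\.charCodeAt\(\w{1}\)\-\d{2}\)\.toString\(\d{2}\);if\(k\.length\=\=\d{1}\)k\=\"\d{1}\"\+k;d\.push\(k\);\};return d\.join\(\"\"\);\}', I),
}
# Case-sensitive string sets used with "all of" in the rule.
# $machine10 is kept exactly as written, so it wants two literal backslashes.
MACHINE = [r"Win", r"Mac", r"Linux", r"FreeBSD", r"iPhone", r"iPod", r"iPad",
           r"Win\.\*CE", r"Win\.\*Mobile", r"Pocket\\\\s\*PC"]
API = [r"Msxml2.XMLHTTP", r"Msxml2.DOMDocument", r"Microsoft.XMLDOM",
       r"ShockwaveFlash.ShockwaveFlash", r"TDCCtl.TDCCtl", r"Shell.UIHelper",
       r"Scripting.Dictionary", r"wmplayer.ocx"]
TYPE2 = [r"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93",
         r"clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA",
         r"clsid:CA8A9780-280D-11CF-A24D-444553540000",
         r"clsid:D27CDB6E-AE6D-11CF-96B8-444553540000",
         r"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36",
         r"%u[0-9a-fA-F]{4}"]


def matched_strings(text):
    """Return which named strings / string sets are present in text."""
    hits = {name: bool(rx.search(text)) for name, rx in STRINGS.items()}
    hits["all_machine"] = all(re.search(p, text) for p in MACHINE)
    hits["all_api"] = all(re.search(p, text) for p in API)
    hits["all_type2"] = all(re.search(p, text) for p in TYPE2)
    return hits


def evaluate(text):
    """Return the labels of every or-clause of the condition that fires."""
    h = matched_strings(text)
    ev = h["eval1"] or h["eval2"]
    dom = (h["pattern1"] or h["pattern2"]) and h["pattern3"]
    fcc = h["fcc1"] or (h["fcc2"] and h["fcc3"])
    branches = [
        ("A1", ev and dom and fcc and h["doc"] and h["try"]),
        ("A2", ev and dom and h["doc"] and h["try"]),
        ("A3", ev and fcc and h["try"]),
        ("A4", ev and h["doc"] and h["try"]),
        ("A5", ev and h["try"]),   # weakest clause: eval + try/catch only
        ("B", h["all_machine"] and h["all_api"] and h["plugin1"]
              and (h["type1"] or h["all_type2"])),
    ]
    return [label for label, ok in branches if ok]


def matches(text):
    """True when the rule as a whole would match (any clause fires)."""
    return bool(evaluate(text))


# Constructed inputs for the demo (not captured BHEK samples).
SAMPLE_BHEK_LIKE = (
    'try{q=prototype;}catch(e){'
    'p=document["getElementsByTagName"]("div")[0].getAttribute("val");'
    'document[q]("body");'
    'window["e"+"val"](String.fromCharCode(118,97,114));}'
)
SAMPLE_BENIGN_EVAL = 'try{cfg=JSON.parse(raw);}catch(e){cfg=eval("("+raw+")");}'
SAMPLE_CLEAN = 'function add(a,b){return a+b;}'
SAMPLE_PLUGINDETECT_LIKE = (
    "PluginDetect.getVersion('Java'); "
    "Win Mac Linux FreeBSD iPhone iPod iPad Win.*CE Win.*Mobile Pocket\\\\s*PC "
    "Msxml2.XMLHTTP Msxml2.DOMDocument Microsoft.XMLDOM "
    "ShockwaveFlash.ShockwaveFlash TDCCtl.TDCCtl Shell.UIHelper "
    "Scripting.Dictionary wmplayer.ocx "
    "clsid:8AD9C840-044E-11D1-B3E9-00805F499D93 "
    "clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA "
    "clsid:CA8A9780-280D-11CF-A24D-444553540000 "
    "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000 "
    "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 %u0c0c"
)

if __name__ == "__main__":
    for name, sample in [("bhek-like", SAMPLE_BHEK_LIKE),
                         ("benign-eval", SAMPLE_BENIGN_EVAL),
                         ("clean", SAMPLE_CLEAN),
                         ("plugindetect-like", SAMPLE_PLUGINDETECT_LIKE)]:
        print(f"{name:18} match={matches(sample)} clauses={evaluate(sample)}")
```

Running it prints the clauses that fire for each sample; the benign eval/try sample still comes back as a match through A5 alone, which is the clause to tighten (for example by requiring $doc or the fromCharCode strings alongside it) if the rule is used for alerting rather than triage.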
And here are the test results:
[azizan@lab69 analysis]# yara -r ../Blackhole_Exploit_Page.yar .
Blackhole2_exploit_page ./speedmudi-obf.orig
Blackhole2_exploit_page ./afternewvision-obf.orig
Blackhole2_exploit_page ./afternewvision-deobf.orig
Blackhole2_exploit_page ./thats_fitted-obf.orig
Blackhole2_exploit_page ./thats_fitted-deobf.orig
Blackhole2_exploit_page ./degree_deleting-obf.orig
Blackhole2_exploit_page ./degree_deleting-deobf.orig
Blackhole2_exploit_page ./mydb-obf.orig
Blackhole2_exploit_page ./mydb-deobf.orig