Sep 27, 2012

An Evening with Blackhole Exploit Kit v2.0


After I got back from martial arts class last night, I happened to have some time to dig around an in-the-wild Blackhole Exploit Kit (BHEK) v2.0 exploit page. Unfortunately, I didn't manage to get the exploit samples, since the site hosting the BHEK went down right after I deobfuscated the JavaScript of the exploit page.

With a limited number of exploit page samples (since the uptime of a BHEK exploit page is short, maybe a hit-and-run method), I wrote YARA rules to exercise the patterns and the generalization across different samples.

rule Blackhole2_exploit_page
{
        meta:
                author = "Ahmad Azizan"
                ref = "BlackHole 2.0"
                description = "BlackHole Exploit Page"
                version = "0.1"
                impact = 4
                hide = false

        strings:
                // eval() reached directly or through a split-string window["e"+"v"+"a"+"l"] lookup
                $eval1 = /window\[['"](['"]\+['"]){0,1}e(['"]\+['"]){0,1}v(['"]\+['"]){0,1}a(['"]\+['"]){0,1}l(['"]\+['"]){0,1}['"]\]/ nocase
                $eval2 = /eval\(.{1,}\);/ nocase

                // DOM lookups used to pull the encoded payload out of page elements
                $pattern1 = /getElementsByTagName/ nocase
                $pattern2 = /getElementById/ nocase
                $pattern3 = /getAttribute/ nocase

                // String.fromCharCode, whole or split into two fragments
                $fcc1 = /(String.){0,1}fromCharCode/ nocase
                $fcc2 = /fromCha/ nocase
                $fcc3 = /rCode/ nocase

                // document[<variable>]("...") call through a computed property name
                $doc = /document\[\w{1,}\]\(['"].{1,}['"]\);/ nocase

                // try { ... } catch (...) { wrapper around the decoder
                $try = /try\s{0,}\{.{1,}\}\s{0,}catch\s{0,}\(.{1,}\)\s{0,}\{/ nocase

                // platform strings from the bundled PluginDetect / OS sniffing code
                $machine1 = /Win/
                $machine2 = /Mac/
                $machine3 = /Linux/
                $machine4 = /FreeBSD/
                $machine5 = /iPhone/
                $machine6 = /iPod/
                $machine7 = /iPad/
                $machine8 = /Win\.\*CE/
                $machine9 = /Win\.\*Mobile/
                $machine10 = /Pocket\\\\s\*PC/

                // ActiveX ProgIDs probed by the plugin detection
                $api1 = /Msxml2.XMLHTTP/
                $api2 = /Msxml2.DOMDocument/
                $api3 = /Microsoft.XMLDOM/
                $api4 = /ShockwaveFlash.ShockwaveFlash/
                $api5 = /TDCCtl.TDCCtl/
                $api6 = /Shell.UIHelper/
                $api7 = /Scripting.Dictionary/
                $api8 = /wmplayer.ocx/

                $plugin1 = /PluginDetect\.getVersion\(.{1,}\);/ nocase

                // encoder function x(s): charCodeAt minus a two-digit offset, radix-converted and zero-padded
                $type1 = /function\s{0,}x\(s\)\{d\=\[\];for\(\w{1}\=0;\w{1}<s\.length;\w{1}\+\+\)\{k\=\(s\.charCodeAt\(\w{1}\)\-\d{2}\)\.toString\(\d{2}\);if\(k\.length\=\=\d{1}\)k\=\"\d{1}\"\+k;d\.push\(k\);\};return d\.join\(\"\"\);\}/ nocase

                // CLSIDs of the plugins the page probes, plus %uXXXX escaped shellcode
                $type2_1 = /clsid:8AD9C840-044E-11D1-B3E9-00805F499D93/
                $type2_2 = /clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA/
                $type2_3 = /clsid:CA8A9780-280D-11CF-A24D-444553540000/
                $type2_4 = /clsid:D27CDB6E-AE6D-11CF-96B8-444553540000/
                $type2_5 = /clsid:BD96C556-65A3-11D0-983A-00C04FC29E36/
                $type2_6 = /%u[0-9a-fA-F]{4}/

        condition:
                // First alternative: obfuscated landing page. Every clause below contains
                // ($eval1 or $eval2) and $try, and the last clause is exactly that, so the
                // alternative as a whole is equivalent to those two tests.
                ((($eval1 or $eval2) and (($pattern1 or $pattern2) and $pattern3) and ($fcc1 or ($fcc2 and $fcc3)) and ($doc) and ($try)) or
                (($eval1 or $eval2) and (($pattern1 or $pattern2) and $pattern3) and ($doc) and ($try)) or
                (($eval1 or $eval2) and ($fcc1 or ($fcc2 and $fcc3)) and ($try)) or
                (($eval1 or $eval2) and ($doc) and ($try)) or
                (($eval1 or $eval2) and ($try))) or
                // Second alternative: deobfuscated page with the plugin detection and encoder in the clear
                ((all of ($machine*)) and
                (all of ($api*)) and
                ($plugin1) and
                (($type1) or (all of ($type2_*))))
}
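The first alternative of the condition ported to Python's re module, so the same heuristics can be triaged on a page without a yara binary. This is an added example, not code from the original post; the two input snippets are constructed here and are not captured kit pages.

```python
import re

# The strings behind the rule's first alternative.  YARA's regex syntax is
# close enough to Python's that these patterns carry over unchanged.
PATTERNS = {
    "eval1": re.compile(
        r"""window\[['"](['"]\+['"]){0,1}e(['"]\+['"]){0,1}v(['"]\+['"]){0,1}"""
        r"""a(['"]\+['"]){0,1}l(['"]\+['"]){0,1}['"]\]""", re.I),
    "eval2": re.compile(r"eval\(.{1,}\);", re.I),
    "pattern1": re.compile(r"getElementsByTagName", re.I),
    "pattern2": re.compile(r"getElementById", re.I),
    "pattern3": re.compile(r"getAttribute", re.I),
    "fcc1": re.compile(r"(String.){0,1}fromCharCode", re.I),
    "fcc2": re.compile(r"fromCha", re.I),
    "fcc3": re.compile(r"rCode", re.I),
    "doc": re.compile(r"""document\[\w{1,}\]\(['"].{1,}['"]\);""", re.I),
    "try": re.compile(r"try\s{0,}\{.{1,}\}\s{0,}catch\s{0,}\(.{1,}\)\s{0,}\{", re.I),
}


def hits(text):
    """Names of the strings that match, like the -s output of yara."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def eval_branch_matches(text):
    """Evaluate the rule's first alternative.  Each of its five clauses
    contains ($eval1 or $eval2) and $try, and the last clause is exactly
    that, so the whole alternative reduces to those two tests."""
    h = hits(text)
    has_eval = "eval1" in h or "eval2" in h
    return has_eval and "try" in h


# Constructed snippet resembling an obfuscated landing page (not a real capture).
OBFUSCATED = (
    'try{qq=document["getElementsByTagName"]("div");}catch(e){}\n'
    'if(qq)window["e"+"v"+"a"+"l"](String.fromCharCode(118,97,114));'
)

# Constructed benign page script for comparison.
BENIGN = 'var el = document.getElementById("menu"); el.onclick = toggle;'

if __name__ == "__main__":
    for label, page in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(label, eval_branch_matches(page), sorted(hits(page)))
```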

And here are the test results:

[azizan@lab69 analysis]# yara -r ../Blackhole_Exploit_Page.yar .
Blackhole2_exploit_page ./speedmudi-obf.orig
Blackhole2_exploit_page ./afternewvision-obf.orig
Blackhole2_exploit_page ./afternewvision-deobf.orig
Blackhole2_exploit_page ./thats_fitted-obf.orig
Blackhole2_exploit_page ./thats_fitted-deobf.orig
Blackhole2_exploit_page ./degree_deleting-obf.orig
Blackhole2_exploit_page ./degree_deleting-deobf.orig
Blackhole2_exploit_page ./mydb-obf.orig
Blackhole2_exploit_page ./mydb-deobf.orig