Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 5 December 2011

Blackhole exploit: For those wondering

For those wondering and not yet aware: the latest incarnations coming via e-mail have changed MO. The link to the exploit itself is no longer directly in the e-mail; instead, it goes via;

1. Site A
2. 4 x MITMs
5. Exploit site

In this case;
    -> - Resolution failed
    -> AS21844 THEPLANET-AS - Internet Services, Inc.
    -> - Resolution failed
    -> AS3595 GNAXNET-AS - Global Net Access, LLC
    -> -
    -> AS24446 NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
    -> -
    -> AS15982 VERAT-AS-1 Drustvo za telekomunikacije Verat d.o.o, Bulevar Vojvode Misica 37
    -> -
    -> AS5606 KQRO GTS Telecom SRL
    -> -
    -> AS21844 THEPLANET-AS - Internet Services, Inc.

Presumably this is an effort at redundancy, to ensure the chain still delivers the exploit when one of the MITMs is down.
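As an added illustration of the chain structure above (not code from the post or from hpHosts): a small Python walker that follows a redirect chain hop by hop without rendering or executing anything, recording each hop's host and whether it resolves, so a dead relay shows up as "Resolution failed" just as in the listing. The hosts, responses and resolver table are constructed placeholders, and the use of HTTP Location headers and meta refresh for the hops is an assumption; the post does not say how the relays forward.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample data standing in for live hosts (the post's real hosts are not reproduced).
# Each entry: URL -> (HTTP status, headers, body). Relative Location headers and meta refresh
# are both assumed forms of hop-to-hop forwarding; the post does not say which the relays use.
SAMPLE_RESPONSES = {
    "http://site-a.example/": (302, {"Location": "http://relay1.example/r.php"}, ""),
    "http://relay1.example/r.php": (200, {}, '<meta http-equiv="refresh" content="0;URL=http://relay2.example/go">'),
    "http://relay2.example/go": (302, {"Location": "/next"}, ""),
    "http://relay2.example/next": (302, {"Location": "http://relay3.example/"}, ""),
    "http://relay3.example/": (302, {"Location": "http://relay4.example/"}, ""),
    "http://relay4.example/": (302, {"Location": "http://kit.example/main.php"}, ""),
    "http://kit.example/main.php": (200, {}, "<html>landing</html>"),
}
# Constructed resolver table; a host missing here models a dead relay ("Resolution failed").
SAMPLE_DNS = {"site-a.example": "192.0.2.10", "relay1.example": "192.0.2.11",
              "relay2.example": "192.0.2.12", "relay3.example": "192.0.2.13",
              "kit.example": "192.0.2.20"}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)

def next_hop(url, status, headers, body):
    """Return the URL this hop forwards to, or None if it is the final landing page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])      # resolves relative Location values
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None

def walk_chain(start, responses, dns, max_hops=10):
    """Follow the chain without executing content. Returns [(url, ip_or_None), ...],
    stopping at a dead host, a loop, the hop cap, or the landing page."""
    hops, url, seen = [], start, set()
    while url and len(hops) < max_hops and url not in seen:
        seen.add(url)
        ip = dns.get(urlparse(url).hostname)
        hops.append((url, ip))
        if ip is None:          # unresolvable relay: this hop of the chain is down
            break
        status, headers, body = responses.get(url, (404, {}, ""))
        url = next_hop(url, status, headers, body)
    return hops

def report(hops):
    """One line per hop in the style of the listing above."""
    return [f"{u} -> {ip or 'Resolution failed'}" for u, ip in hops]

if __name__ == "__main__":
    for line in report(walk_chain("http://site-a.example/", SAMPLE_RESPONSES, SAMPLE_DNS)):
        print(line)
```

With relay4 left out of the resolver table the walk stops at that hop; add it and the same walker reaches main.php.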

Annoyingly, the initial script on main.php is still easy to decode. Comment out the following;








Pop it into Malzilla, and voila - it decodes itself, saving us a world of time.

Given we already know what the Blackhole exploit itself does, you'll likely want to skip straight to the payload URL, in which case locate the first line containing;


Then simply combine the number in the f var, with;


In this case, f was 59, so the URL was;

Which produced this lovely little beast (no surprises as to what it is of course);

Malwarebytes users will be pleased to know that the 180KB of badness is detected as Trojan.FakeCC.

The e-mail itself originated from ( AS34841 BALCHIKNET Lafy EOOD - AS51582 DCC-BG Cifrova Kabelna Korporacia EOOD).

inetnum: -
netname: DCC-BG-PLD
descr: DCC Plovdiv
country: BG
admin-c: JH6135-RIPE
tech-c: JH6135-RIPE
mnt-by: IPACCT-MNT
source: RIPE # Filtered

person: Jivko Hristev
address: 12 Bulair, str., 4230 Asenovgrad
mnt-by: IPACCT-MNT
phone: +359 894 373034
nic-hdl: JH6135-RIPE
source: RIPE # Filtered

descr: DCC
origin: AS51582
mnt-by: IPACCT-MNT
source: RIPE # Filtered

The e-mail;
