Blog for hpHosts, and whatever else I feel like writing about ....

Monday 5 December 2011

Blackhole exploit: For those wondering

For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself, isn't directly in the e-mail anymore. Instead, it goes via;

1. Site A
2. 4 x MITMs
5. Exploit site

In this case;

cadcamengineers.com/6ebc21/index.html
-> napaul.com/statcounters.js
-> proplastics.rs/statcounters.js
-> rodns.eu/statcounters.js
-> sashandbow.com.au/statcounters.js
--> twistloft.com/main.php?page=111d937ec38dd17e


cadcamengineers.com
    -> 75.125.218.230 - Resolution failed
    -> AS21844 75.125.0.0/16 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
twistloft.com
    -> 65.254.63.228 - Resolution failed
    -> AS3595 65.254.48.0/20 GNAXNET-AS - Global Net Access, LLC
napaul.com
    -> 202.191.61.93 - hubble.websiteactive.com
    -> AS24446 202.191.60.0/22 NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
proplastics.rs
    -> 217.26.70.100 - bender.verat.net
    -> AS15982 217.26.64.0/20 VERAT-AS-1 Drustvo za telekomunikacije Verat d.o.o, Bulevar Vojvode Misica 37
rodns.eu
    -> 85.9.19.61 - 61.19.9.85.clausweb.ro
    -> AS5606 85.9.0.0/18 KQRO GTS Telecom SRL
sashandbow.com.au
    -> 70.87.76.162 - vanquish.websitewelcome.com
    -> AS21844 70.84.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.


Presumably, this is an effort at redundancy, to ensure it still delivers when one of the MITMs is down.

Annoyingly, the initial script on main.php is still easy to decode, comment out the following;

bb=window['document']['getElement'+s]("html");
bb=(bb[0]+'')['substr'](2,4);
aa=bb;

if((aa==='bjec')||(aa==='ject')){

e=window['eval'];
if((aa==='bjec')||(aa==='ject'))


Change;

e(c);


To;

eval(c);


Pop it into Malzilla, and voila - it decodes itself, saving us a world of time.

Given we already know what the Blackhole exploit itself already does, you'll likely want to skip straight to the payload URL itself, in which case, locate the first line containing;

?f=


Then simply combine the number in the f var, with;

{SITE}/w.php?f=


In this case, f was 59, so the URL was;

twistloft.com/w.php?f=59


Which produced this lovely little beast (no surprises as to what it is of course);

http://www.virustotal.com/file-scan/report.html?id=f925960e9e1855dd8bdcf01d221b0c9d5c4da400f7eca946bd0818b26989c7a4-1323083117

Malwarebytes users will be pleased to know, the 180KB of badness is detected as Trojan.FakeCC.

The e-mail itself originated from 46.55.191.45 ( AS34841 BALCHIKNET Lafy EOOD - AS51582 DCC-BG Cifrova Kabelna Korporacia EOOD).

inetnum: 46.55.128.0 - 46.55.191.255
netname: DCC-BG-PLD
descr: DCC Plovdiv
country: BG
admin-c: JH6135-RIPE
tech-c: JH6135-RIPE
status: ASSIGNED PA
mnt-by: IPACCT-MNT
source: RIPE # Filtered

person: Jivko Hristev
address: 12 Bulair, str., 4230 Asenovgrad
mnt-by: IPACCT-MNT
phone: +359 894 373034
nic-hdl: JH6135-RIPE
source: RIPE # Filtered

route: 46.55.128.0/17
descr: DCC
origin: AS51582
mnt-by: IPACCT-MNT
source: RIPE # Filtered


The e-mail;

No comments: