Yesterday, a friend told me that a website we know had been infected by the Blackhole exploit kit, and showed me a screen capture of his antivirus blocking access to the page. I immediately decided to open a virtual machine and load the website to have a closer look. The page did not look suspicious at first to an ordinary user; however, malicious code had been added at the end of the page. I decided to copy the code and analyse it.
Identification
The first thing I did was to identify the code on the page: I copied it from the page in my virtual machine into a file, and sent that file directly to VirusTotal.
Figure 1: VirusTotal identification
As you can see in Figure 1, the exploit has been detected by some antivirus engines and multiple names have been given. If you open the VirusTotal link you will see that the name Blackhole.bn is the one that comes up most often, and is thus the right name for this malware.
Analysis
The first thing to do, to analyse the JavaScript code of this malware, is to copy it from the infected domain into a simple HTML file created for the test.
Figure 2: Malicious code
Figure 2 shows the JavaScript code, copied from the infected “index.php” file into a simple text file. As you can see, the code has been written on a single line and is pretty difficult to read. JavaScript, like C, does not need indentation to run (unlike Python), so the “hackers” have obfuscated their code in that manner. The first thing to do is to indent the code. We can easily obtain something like this:
Figure 3: Indented code
The code is more readable, as shown in Figure 3, and some of the variables used in the code were also replaced by their actual values. For example, I replaced the variable
by its actual value everywhere in the code, allowing me to read code such as
and changing it into
I did the same for multiple other variables; another example is:

mafv="d"+"o"+"c"+"ument" [...] (window[mafv].body)

into

mafv="document" [...] (window["document"].body)
These are simple code tweaks, but they allow the reader to understand what is going on and how the code is actually executed in the browser. These tweaks lead us to understand that the obfuscated code is decoded by the following statement:
sryneh+=String["fromCharCode"](nyuihk("0x"+(y[yozsf]))-(55));
and that the variable “sryneh” contains the decoded code executed in the browser. To get the decoded code, a simple alert() of that variable will do the trick: we can now load the “test.html” page we created in our virtual machine and look at what pops up in the alert message.
Figure 4: Decrypted code
Figure 4 displays the alert message containing the decoded code, and allows us to understand what is really going on in this exploit. Three functions were found:
- function plq09()
- function setCookie()
- function getCookie()
The first function is the malicious one, redirecting the user to a specific website, as shown in Figure 4. The second function sets a cookie in the user’s browser with a specific value, to record whether the code has already been executed, and the last function reads that cookie (whether or not it has been created yet) to make sure the code only executes once.
The first function, called “plq09()”, is executed in a loop and redirects the user to a malicious web page containing another malicious code.
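As an added example (not part of the original write-up), the decoding loop above and the hand triage of the three functions are reproduced offline in Python: each hex token is parsed and shifted by 55 exactly as the “sryneh” line does, and the recovered script is then inspected as text instead of being displayed through alert() in a browser. The token separator, the constructed sample script and the placeholder URL are assumptions; the real sample’s split delimiter is not visible in the write-up.

```python
# Offline re-implementation of the decoding loop found in the sample:
#   sryneh += String["fromCharCode"](nyuihk("0x" + y[yozsf]) - 55);
# Decoding in Python means the recovered script is only ever inspected as
# text and never executed, unlike the alert() approach in the browser.
import re

OFFSET = 55  # constant subtracted from every hex value in the sample's loop


def decode_payload(encoded: str, sep: str = " ", offset: int = OFFSET) -> str:
    """Reverse the loop: split into hex tokens, parse each as hex (the
    "0x" + token step), subtract the offset and map to a character.
    The separator is an assumption: the sample's split delimiter is not
    visible in the write-up, so pass whatever the real sample uses."""
    tokens = [t for t in encoded.split(sep) if t]
    return "".join(chr(int(t, 16) - offset) for t in tokens)


def encode_payload(script: str, sep: str = " ", offset: int = OFFSET) -> str:
    """Inverse transform, used here only to build constructed test data."""
    return sep.join(format(ord(c) + offset, "x") for c in script)


def triage(script: str) -> dict:
    """Static triage of the decoded script: declared functions, URLs and
    cookie access, i.e. the three things the write-up identified by hand."""
    return {
        "functions": re.findall(r"function\s+([A-Za-z_$][\w$]*)\s*\(", script),
        "urls": re.findall(r"https?://[^\s'\"]+", script),
        "uses_cookie": "document.cookie" in script,
    }


# Constructed stand-in for the decoded stage, shaped like the three functions
# described in the analysis; the URL is a placeholder, not the real one.
SAMPLE_SCRIPT = (
    "function setCookie(n,v){document.cookie=n+'='+v;}"
    "function getCookie(n){return document.cookie.indexOf(n)>=0;}"
    "function plq09(){if(!getCookie('visited')){setCookie('visited','1');"
    "window.location='http://redirect.example.invalid/index.php';}}"
)
SAMPLE_ENCODED = encode_payload(SAMPLE_SCRIPT)

if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_ENCODED)
    assert decoded == SAMPLE_SCRIPT
    for key, value in triage(decoded).items():
        print(f"{key}: {value}")
```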
Infected Website
The second website is directly flagged by Firefox as malicious. Once the warning is ignored (the second malicious code will only infect a virtual machine), we access a second website containing another exploit, with a URL similar to this one:
http://ax0ia07chk9fni1inhxq4li.website/index.php?v=dGltZT0xMzA5MTcxODE0MTU2MTkyMTI2MCZzcmM9OTAxJnN1cmw9JnNwb3J0PTgwJmtleT1GQTVEODRCMSZzdXJpPS8=
A second exploit now tries to infect our machine; however, it will not be analysed here.
How to remove Blackhole.bn
Follow these simple steps:
- Run an antivirus on your computer (yes, even if you are a Mac user).
- Connect to your FTP server.
- Download the different folders.
- Copy the folders to a second location (backup).
- Run the antivirus on the first copy (in case the antivirus deletes the pages without asking).
- Identify the pages affected by the code.
- Open these pages in a text editor and remove the malicious code.
- Update your website to its latest version if you are using WordPress, Joomla or any other publishing platform.
- Change all your passwords (FTP, database, mail): you do not know what has been compromised.
- Upload everything back to the server.
Conclusion
Well, the Blackhole exploit kit allows the attacker to gather information about you, such as your browser, and to install malicious applications on your computer, and as you have seen, the exploitation of your computer follows simple steps.
Steps followed by Blackhole.bn
If you have been infected, it is important to remove the malicious code from your web page, as explained before, and to scan your computer for malicious code that might have been installed via the last payload. If you discover the code on a website, you can contact the owner to let him know the steps to follow, and avoid his website being blacklisted.
Edit
08/10/13: The author of the Blackhole exploit kit has just been arrested; read about the arrest here.
For more information on the Blackhole exploit kit you can also read this document released by Trend Micro.