MalwareMustDie – BH EK version 2

Blackhole Exploit Kit version 2 (BHEK v2) has been released (for more in-depth details about its functionality, visit this link), and for the past few days we have been observing its deployment, i.e. websites serving BHEK v2 exploits.

Over this weekend, @malwaremustdie analyzed the infected website and reversed the routine used to deliver the payload, i.e. the shellcode and the dropper. His analysis can be read here; it is worth reading because it gives better insight into how such analysis is done.

As usual, the URLs provided by @malwaremustdie were processed through the Static URL Analyzer, and here are the results:

*NOTE – at the time of writing this blog post the link was active, so exercise caution*

Checking : h00p://
 ML1=3 #Mal
 ML1A=1 #Mal
 ApInv=1 #Mal
 Analysis Time=0.110624452237663 seconds
 Total Time=5.55997943039858 seconds

The SURL result itself was a bit surprising, as I had seen this result sometime in the recent past. A small search through the logs provided me with lots of matching results, and one of the results is as follows:

Checking : h00p://
 ML1=2 #Mal
 ApInv=1 #Mal
 Analysis Time=0.119484595487743

*NOTE: ML1A is a recently added category in SURL Analyzer.*
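The log search described above can be reproduced with a short script. This is an added example, not SURL Analyzer's own code: it assumes each record starts with a `Checking :` line, that `#Mal` marks a category flagged as malicious, and that older log entries lack `ML1A` because the category did not exist yet. The URLs, function names and threshold are constructed for illustration.

```python
import re

# Constructed sample data in the output format shown above; URLs are placeholders.
HISTORY_LOG = """\
Checking : h00p://old-site.example/index.php
 ML1=2 #Mal
 ApInv=1 #Mal
 Analysis Time=0.119484595487743
Checking : h00p://clean-site.example/
Checking : h00p://other-site.example/a.html
 ApInv=1 #Mal
 Analysis Time=0.12 seconds
"""
NEW_RESULT = """\
Checking : h00p://new-site.example/
 ML1=3 #Mal
 ML1A=1 #Mal
 ApInv=1 #Mal
"""

def parse_records(text):
    """Parse analyzer output into dicts: url, flags {category: count}, timings."""
    records, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Checking\s*:\s*(\S*)", line)
        if m:
            current = {"url": m.group(1), "flags": {}, "timings": {}}
            records.append(current)
        elif current is not None and "=" in line:
            body, _, tag = line.partition("#")
            key, _, value = (part.strip() for part in body.partition("="))
            if tag.strip() == "Mal":          # assumed: category flagged malicious
                current["flags"][key] = int(value)
            else:                             # timing, optional " seconds" unit
                current["timings"][key] = float(value.split()[0])
    return records

def similar_detections(new, history, ignore=frozenset(), threshold=0.6):
    """Rank earlier records by Jaccard overlap of flagged category names."""
    wanted = set(new["flags"]) - set(ignore)
    scored = []
    for rec in history:
        seen = set(rec["flags"]) - set(ignore)
        union = wanted | seen
        scored.append((len(wanted & seen) / len(union) if union else 0.0, rec["url"]))
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)

if __name__ == "__main__":
    new = parse_records(NEW_RESULT)[0]
    print(similar_detections(new, parse_records(HISTORY_LOG), ignore={"ML1A"}))
```

Passing `ignore={"ML1A"}` keeps a newly added category from lowering the score of entries logged before it existed.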

URL Query Results:

URL: h00p://     
ASN: AS47869 Netrouting Data Facilities
Location: [Netherlands] Netherlands
Report created: 2012-09-02 02:02:03 CET
Status: Report complete.
urlQuery Alerts: Detected BlackHole exploit kit HTTP GET request
Reputation: Unknown

What exactly was surprising about these two results?

Similar to, was also a part of an exploit kit (not yet confirmed whether it was BHEK or some other exploit kit). [UPDATE1-> it is BHEK]  [UPDATE2-> The HTML session]

Even though the BHEK v2 authors have added newer functionality for evading AVs and loads of other exploits, their method of introducing the exploit and loading it into the browser has not changed a bit; in fact, it just got worse.

BHEK, Phoenix, or any other exploit kit or drive-by download has to follow a particular method for initiating the infection; no one can digress from it. Unless and until the malware authors come up with an innovative idea, SURL Analyzer will *ALWAYS* detect these attempts.

To know more about SURL Analyzer visit here.

Additional Thoughts:

After writing this blog post, I thought – why would malware authors try to introduce additional routines? To make it difficult for researchers to analyze would be the simple answer, and also to evade AVs.
