Blackhole Exploit Version 2 has been released(For more in-depth details about its functionality visit this link) and for past few days we have been observing its deployment i.e. websites serving this BHEK v2 exploits.
Over this weekend, @malwaremustdie analyzed the infected website and reversed the routine which was used to deliver the payload i.e the shellcode and the dropper. His analysis can be read here, it is worth reading cause it gives you better insights into how analysis is to be done.
As usual, the urls provided by @malwaremustdie, were processed through the Static URL Analyzer and here are the results:
*NOTE – at the time of writing the blog the link was active, hence – exercise caution*
Checking : h00p://bode-sales.net/main.php?page=3c23940fb7350489 Sc1=1 ML1=3 #Mal ML1A=1 #Mal ApInv=1 #Mal Analysis Time=0.110624452237663 seconds Total Time=5.55997943039858 seconds
The SURL result itself was a bit surprising, as I had seen this result sometime in the recent past. A small search through the logs provided me with lots of matching results and one of the result is as follows:
Checking : h00p://festosikal.ru/main.php?page=11d2ab70b8479897 Sc1=1 ML1=2 #Mal ApInv=1 #Mal Analysis Time=0.119484595487743
*NOTE: ML1A has been recently added category in SURL Analyzer.*
URL Query Results:
ResultURL: https://urlquery.net/report.php?id=155787 URL: h00p://festosikal.ru/main.php?page=11d2ab70b8479897 IP: 94.185.83.78 ASN: AS47869 Netrouting Data Facilities Location: [Netherlands] Netherlands Report created: 2012-09-02 02:02:03 CET Status: Report complete. urlQuery Alerts: Detected BlackHole exploit kit HTTP GET request Reputation: Unknown
What exactly was surprising about these two results?
Similar to bode-sales.net, festosikal.ru was also a part of an Exploit Kit (Not yet confirmed whether it was BHEK or some-other exploit-kit). [UPDATE1-> it is BHEK] [UPDATE2-> The HTML session]
Even though, BHEK v2 authors have added newer functionality for evading AVs and loads of other exploits, however their method of introducing the exploit and loading the exploit into the browser has not changed a bit, infact it just got worse.
BHEK or Phoenix or be it any other exploit kit or any other drive-by download, they have to follow a particular method for initiating the infection, no one can just cannot digress from it. Unless and until the malware authors come up with an innovative idea, SURL Analyzer will *ALWAYS* detect these attempts.
To know more about SURL Analyzer visit here.
Additional Thoughts:
After writing this blog-post, I thought – Why would malware authors try to introduce additional routines ? To make it difficult for researchers to analyze, would be the simple answer and also to evade AVs.
