Saturday, January 29, 2011

Black Hole - Exploit Obfuscation



Recently, we were analyzing some of the exploits bundle together with BlackHole exploit pack. Again we want to say that "Russian Malware is on Fire". BlackHole exploit pack is emerging with fast pace thereby exploiting the browsers at rapid pace.



During our analysis, we came across certain number of malicious files labeled as "new.avi". In reality, these files were exploits that are obfuscated in a good manner. On digging deeper, we find that BlackHole exploit pack is using a well designed JavaScript obfuscation mechanism in order to encode the code thereby resulting in bypass of all sorts of anti viruses. We conducted a small test of relative malicious binary "new.avi" which was a Java SMB exploit for "CVE-2010-1423", "CVE-2010-0886". On carrying anti virus detection test, we found that all AV's failed to detect it.



This completely shows the fact that, JavaScript obfuscation is used in BlackHole exploit pack is not easily detectable by the AV agents. On continuous approach of understanding the artifacts, we confirm that Blackhole is using "Crypt" code in order to obfuscate the exploits. The domain is "CRYPT.IM" as presented below



This service challenges that crypt can bypass all types of AV,s. Well give a try.