During our analysis, we have seen that several of the websites have been infected with obfuscated JavaScripts that point to one or the other Browser Exploit Pack (BEP). Typically, BlackHole is the primary weapon for automated infections using Drive-by-download attacks. Recently, another high traffic website is found to be running malicious script that is loading BlackHole to trigger infection.
Java array exploit is on rise nowadays. Microsoft has discussed about the details of this vulnerability at: http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx.
The obfuscated script is present here - http://pastebin.com/nVQcmMsM. The script deobfuscates to the following code as follows:
The URL's are designed to use no-ip or dynamic dns service. According to Wikipedia, "Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on the Internet. This is used to provide a persistent domain name for a resource that may change location on the network."
We mapped the required IP and doing some behavioral analysis, a plugin detection script was found as present on the following lnk:
Obuscated Code - http://pastebin.com/rK0NaAMh.
Deobfuscated Plugin Detection code - http://pastebin.com/QxiXVRcG
The code fingerprints the browser for running different set of plugins. On finding the vulnerable version of Java plugin, the script downloads the malicious jar file running specific Java exploit.
The decompiled code is present here: http://pastebin.com/5FWMUEtP
Java exploits have become popular. We have also discussed earlier about top 5 Java exploits here: http://secniche.blogspot.com/2011/05/finest-5-java-exploit-on-fire.html.
Java array indexing vulnerability is the new kid in the town. Refer vulnerability - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507.