Pseudorandom domain name generation and the Blackhole exploit kit

Filed Under: Malware, SophosLabs, Vulnerability

In this post I want to highlight one of the script injections we have been tracking for the past month or so, which is being used to redirect web traffic to exploit sites (running the Blackhole exploit kit). Two factors make this particular script injection worthy of discussion, namely:

  • large scale attacks. Many legitimate sites have been hit in these attacks.
  • JavaScript generates a random string which is used within the target domain name.

We first saw this redirect script at the start of June. Sophos products block infected pages as Mal/Iframe-AF, and since early June, the prevalence of this threat has risen to the top of our web threat stats (accounting for 30-50% of all web threat detections).

The injected script is obfuscated, as we expect nowadays, and will typically be seen appended to legitimate JavaScript libraries within sites. An excellent write-up here suggests that a vulnerability in Plesk (server admin software) was used to gain access to sites and add the malicious code.

Deobfuscating the malicious JavaScript is trivial and lets us see the true payload, an iframe redirect. However, this attack is made slightly more interesting by the use of a simple date-based algorithm to generate a random string that is used in the target domain name.

The script generates a random string based on the current date, changing the string every 12 hours. It is a pretty simplistic approach.

This is not the first time we have seen this tactic in malicious JavaScript redirects - Sinowal did something similar back in 2009. Of course, once they have their hands on the code, it is easy for the good guys to generate all the possible domain names and get them blacklisted. Sinowal responded to this by including unpredictable data in its algorithm - using content pulled from a live Twitter feed.
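To make the two points above concrete (a string derived purely from the date, and defenders enumerating every possible domain in advance), here is an added example that is not the injected script itself, whose actual algorithm this post does not reproduce: a constructed date-seeded generator in the style described, plus the defender-side enumeration that turns it into a blocklist. The seed layout, the tiny LCG, the alphabet and the `.example` TLD are all assumptions.

```javascript
// Constructed example of a date-seeded "random" domain label, changing every
// 12 hours, and the defender-side enumeration that pre-computes every domain
// for a date range. Nothing here is the attackers' real code or TLD.

const TLD = ".example";          // placeholder, not the real target TLD
const ALPHABET = "abcdefghijklmnopqrstuvwxyz";

// Map a timestamp to its 12-hour bucket: the UTC day plus an am/pm half.
function bucketFor(date) {
  return {
    y: date.getUTCFullYear(),
    m: date.getUTCMonth() + 1,
    d: date.getUTCDate(),
    half: date.getUTCHours() < 12 ? 0 : 1,
  };
}

// Minimal 32-bit LCG (assumed PRNG) so the label depends only on the seed.
function nextRand(state) {
  return (Math.imul(state, 1103515245) + 12345) >>> 0;
}

// Derive the label for one bucket. Every input is the date, so anyone holding
// the code can reproduce every label the script will ever generate.
function labelFor(bucket, length = 12) {
  let state = (bucket.y * 10000 + bucket.m * 100 + bucket.d) * 2 + bucket.half;
  let out = "";
  for (let i = 0; i < length; i++) {
    state = nextRand(state);
    out += ALPHABET[state % ALPHABET.length];
  }
  return out;
}

// Domain the redirect would point at for a given moment in time.
function domainFor(date) {
  return labelFor(bucketFor(date)) + TLD;
}

// Defender side: pre-compute the domains for the next `days` days (two per
// day, one per 12-hour window) so they can be blocklisted ahead of time.
function enumerateDomains(start, days) {
  const out = [];
  for (let i = 0; i < days * 2; i++) {
    const t = new Date(start.getTime() + i * 12 * 3600 * 1000);
    out.push(domainFor(t));
  }
  return out;
}
```

Because the seed contains nothing the defender cannot compute, `enumerateDomains` yields the complete list for any window; adding an unpredictable input (as Sinowal did with Twitter content) is exactly what breaks this enumeration.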

No such elegance here I am afraid. The best we have seen are some later variants of the code which prepend a string for a "random" colour.

The iframe that the script adds to the page is intended to point the browser to a TDS server the attackers control. One of the strings used in some of the iframe URLs is responsible for the 'Runforestrun' nickname that has been attached to this attack. *

Later variants of the script use different strings, and they have started to use dynamic DNS services for the referenced target sites (a favourite trick we have seen Blackhole use aggressively).

The traffic will be bounced (via an HTTP 302) from the TDS to the exploit site (normally via a second TDS). To date the exploit site has typically been running Blackhole, where the usual array of Java, Flash and PDF exploits are used in order to infect the user.

The final payload users are infected with varies - we have seen these payloads ranging from backdoor Trojans and Zbot to ransomware.

Aside from the Mal/Iframe-AF detection of the initial script redirect, Sophos products block the rest of the components involved in the drive-by download chain as follows:

  • blacklisting of the TDS servers
  • blacklisting of the exploit sites
  • detection of the landing page and PDF, Java and Flash components used by Blackhole

The final word on this should probably be some advice for site admins whose sites have been hit by this attack. As noted in the excellent blog I linked above, it is believed that a Plesk vulnerability was used to gain access to sites. So admins should ensure they update Plesk, and change ALL associated passwords.

* This is a reference to the "Run Forrest, Run!" line from the film Forrest Gump (spelling has never been the focus of malware authors).


3 Responses to Pseudorandom domain name generation and the Blackhole exploit kit

  1. Robert W. · 805 days ago

    Will disabling "Launching programs and files in an IFRAME" in Internet Explorer security settings prevent this type of exploit from running? If so that is a simple
    way to protect yourself.

    That is my Custom setting, to prevent or deter IFRAME based attacks, in all Internet
    Security zones.

  2. Avrelian · 803 days ago

    Robert W: No, launching program and files setting shouldn't matter, this is just a javascript. Active scripting would matter, though. That's how I deal with this stuff: just disable javascript wherever possible.

    • Robert W. · 802 days ago

      Under Scripting, everything except the Clipboard is enabled for websites to
      work while anything which would control my web browser is disabled above
      that in the settings.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.