A technical paper by Fraser Howard, SophosLabs, UK
2.3 Core kit components
In this section I describe how the kit works in terms of web traffic flow, following the sequential loading of exploit content up to the point at which the user is infected with the payload.
2.3.1 Controlling user web traffic
As with all attacks using exploit kits, the first requirement is for the attacker to guide the user’s browser to the exploit site. There are several ways in which this can be achieved. The following two techniques are used by Blackhole:
Compromised web pages. The attackers compromise legitimate web sites/servers so that web pages served include malicious code. When users browse these pages, the malicious code silently loads content from the exploit site. This technique has been used aggressively by Blackhole, with hundreds of thousands of legitimate sites compromised.
The injected scripts are normally heavily obfuscated, and use a variety of techniques to evade detection. An example compromised page is shown in Figure 3, with the injected script clearly visible at the start of the page. The obfuscation techniques are discussed in more detail in Section 3.
Often the injected redirects do not link directly to the Blackhole exploit site. Instead they reference a remote server from where the request is bounced (HTTP 30x redirection) to the exploit site. This approach is probably favoured since it allows user traffic to be sold as a commodity. The server used is often referred to as a Traffic Directing Server (TDS). This may explain why some of these redirects have been seen leading to other exploit kits, not just Blackhole.
Figure 3: Snippet of code from a web page compromised for Blackhole redirection. The heavily obfuscated script injected into the page is blocked by Sophos as Mal/Iframe-W.
The payload of the injected script from Figure 3 is a simple iframe, as shown in Figure 4.
Figure 4: Deobfuscated redirection script from Figure 3 revealing the characteristic function iframer() payload (in this case to a server which bounces the request to the exploit site).
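As an added example (not code from the paper or from Sophos), the following defender-side triage heuristic scans a saved copy of a web page for the two artefacts described above: an obfuscated inline script of the kind injected at the start of a compromised page, and the hidden iframe such a script writes, pointing at an off-site (redirector) host. The marker list, thresholds, host names and sample page are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Calls typical of packed redirection code and rare together in ordinary page scripts (assumed list).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")
class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def is_hidden(attrs):
    """True for an iframe sized to 0/1 px or hidden through its inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all((attrs.get(k) or "").strip("\"'px") in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def is_obfuscated(script):
    """Two marker calls, or one marker plus an opaque string literal of 120+ chars."""
    hits = sum(m in script for m in OBFUSCATION_MARKERS)
    long_literal = re.search(r"""(["'])[^"'\s]{120,}\1""", script) is not None
    return hits >= 2 or (hits == 1 and long_literal)

def triage(html, page_host):
    """Findings for one saved page; an empty list means neither artefact was seen."""
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.iframes:
        host = urlparse(a.get("src") or "").hostname
        if host and host != page_host and is_hidden(a):
            findings.append(f"hidden off-site iframe to {host}")
    findings += ["obfuscated inline script"] * sum(map(is_obfuscated, c.scripts))
    return findings

# Constructed sample (placeholder hosts): packed script ahead of <head>, plus the hidden
# iframe it would write, aimed at a redirector host rather than the exploit site itself.
SAMPLE = ('<html><script>var s="' + "41" * 70 + '";eval(unescape(s));</script>'
          '<head><title>shop</title></head><body><h1>Welcome</h1><iframe width="1" height="1" '
          'src="http://redirector.example.invalid/go" style="visibility: hidden"></iframe></body></html>')
```

Running triage(SAMPLE, "shop.example.invalid") reports both the hidden off-site iframe and the obfuscated script; a same-origin iframe or a plain inline script produces no finding.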
Of course there are a myriad of ways in which user traffic can be controlled. Sometimes sites do not have to be compromised at all. Recently it was reported that affiliate schemes are abused in order to redirect users to Blackhole. In these attacks, webmasters willingly add links to third-party code in return for payment (1 dollar for every 1000 page loads). The fly in the ointment was that some of the unsuspecting users were subsequently redirected to Blackhole.
Spam messages. Despite years of user education warning of the dangers of links or attachments in email messages, spam continues to be a useful tool for attackers to trick users. Figure 5 shows two spam messages that illustrate the typical ways in which spam is used for tricking users into browsing to Blackhole exploit sites.
The second example (Figure 5b) shows an email message containing an HTML attachment. The usual flavours of social engineering are used to entice the recipient into opening the attachment.
Figure 5: Example spam messages used to trick users into browsing to sites hosting Blackhole exploit kit. Messages using (a) link or (b) malicious HTML attachment are shown.