Exploring the Blackhole exploit kit

A technical paper by Fraser Howard, SophosLabs, UK

3.2 ActionScript

It could be argued that string manipulation in ActionScript is not quite as straightforward as it is in JavaScript, which makes code obfuscation a little trickier. However, the language offers enough string and byte-handling methods to apply many of the usual tricks. Some of these can be seen in the disassembled code listed in Appendices 4 and 5.

Despite this, the rate at which we have seen the Flash content modified has been orders of magnitude lower than that of the HTML, JavaScript and PDF content. Even where modification has been observed, it is normally fairly minor and insufficient to evade existing generic detection. There are several possible explanations:

  • Attackers are not concerned about the Flash components being reliably detected (unlikely)
  • Attackers do not bother to check detections of the Flash components (unlikely given the fact that Blackhole incorporates AV checking functionality)
  • ActionScript obfuscation techniques are more limited and less mature than JavaScript
  • Building Flash content dynamically on the web server is a lot more complicated than for other components

The latter two points probably provide the best explanation for our observations.
