Exploring the Blackhole exploit kit

A technical paper by Fraser Howard, SophosLabs, UK

3.3 Java

Several of the string manipulation techniques used to obfuscate JavaScript and ActionScript content are also used within Java. Some simple examples are shown in Figure 12. These allow trivial obfuscation of the strings that commonly appear in malicious Java content, for example:

  • exe
  • java.io.tmpdir
  • setSecurityManager
  • os.name
  • regsvr32 -s

Figure 12: Some simple string obfuscations within Blackhole Java content.
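As an added illustration (this is example code written for this page, not from the paper or from any Blackhole sample; Figure 12 is not reproduced here, so the three tricks shown, reversal, constant character shift and fragment concatenation, are assumed to be representative rather than copied from the kit), the following Java class rebuilds the listed strings at runtime from encoded literals that were constructed for the example:

```java
// Added illustration, not code from the paper or from the Blackhole kit.
// The encoded literals below are constructed; the three decode routines are
// assumed to be representative of the simple tricks Figure 12 refers to.
public class StringObfuscationDemo {

    // Literal stored back to front and reversed again at runtime.
    static String reverse(String s) {
        return new StringBuilder(s).reverse().toString();
    }

    // Each character stored shifted by a constant; the shift is undone at runtime.
    static String unshift(String s, int delta) {
        char[] out = new char[s.length()];
        for (int i = 0; i < out.length; i++) {
            out[i] = (char) (s.charAt(i) - delta);
        }
        return new String(out);
    }

    // String held as several short fragments so that no single literal in the
    // constant pool matches the full value.
    static String join(String... parts) {
        StringBuilder sb = new StringBuilder();
        for (String p : parts) {
            sb.append(p);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String tmpProp  = reverse("ridpmt.oi.avaj");                  // "java.io.tmpdir"
        String osProp   = unshift("rv1qdph", 3);                       // "os.name"
        String ext      = unshift("h{h", 3);                           // "exe"
        String smMethod = join("set", "Sec", "urity", "Man", "ager");  // "setSecurityManager"
        String regsvr   = join("reg", "svr", "32 -", "s");             // "regsvr32 -s"

        // The decoded property names are used exactly as the plain literals would
        // be, but "java.io.tmpdir" and "os.name" never appear in the class file.
        System.out.println(tmpProp + " = " + System.getProperty(tmpProp));
        System.out.println(osProp + " = " + System.getProperty(osProp));

        // The method name is resolved through reflection, so a byte scan of the
        // class for "setSecurityManager" finds nothing. Only the lookup is shown
        // here; the method is deliberately not invoked.
        java.lang.reflect.Method m = System.class.getMethod(smMethod, SecurityManager.class);
        System.out.println("resolved " + m.getName());

        System.out.println("dropper suffix: " + ext + ", loader command: " + regsvr);
    }
}
```

The point for detection is that a scanner working on the raw constant pool sees only "ridpmt.oi.avaj", "rv1qdph" and the fragments; the interesting strings exist only in memory after the decode routines run. When analysing a decompiled sample, reimplementing its decode routine (which is usually a few lines like the ones above) and running it over every encoded literal recovers the original strings far faster than tracing each call site by hand.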

Since early 2011, Blackhole Java components have used these simple string obfuscation techniques aggressively in an attempt to evade detection. It is perhaps ironic that, during the same period, the filenames used for the JAR and class files were often quite recognisable (worms.jar being perhaps the best example!).

More recently there appear to be increased efforts to evade detection. In addition to string obfuscation, commercial tools are also being used to protect and obfuscate the code. Numerous such tools are available, but the two most commonly seen at the time of writing are listed below.

  • Allatori Java obfuscator [29]
  • Zelix KlassMaster [30]

As you would expect, these tools deliver much more than string obfuscation. They also provide name and flow obfuscation, making it extremely hard to turn decompiled code into anything readily understandable.
