A technical paper by Fraser Howard, SophosLabs, UK
2.3.2 Landing page
Whatever method is used to control user web traffic, the result is the same: the user’s browser loads code served up from what we call the ‘landing page’ of the exploit kit. The purpose of the landing page is straightforward:
- Capture the parameter included in the URL used. This allows the exploit kit to correlate page requests to the specific individuals or groups responsible for redirecting the victim (for payment purposes).
- Fingerprint the machine. The landing page used by Blackhole uses code from the legitimate PluginDetect library to identify:
  - OS
  - Browser (and browser version)
  - Adobe Flash version
  - Adobe Reader version
  - Java version
- Load the various exploit components. Based on the information determined in the step above, the relevant exploit components (PDF, Flash, Java etc) are loaded.
Some example landing page URLs for Blackhole are shown below, illustrating the parameter embedded in the query string.
[removed]/google.php?gmpid=2a4baa7030106862
[removed]/check.php?uid=42c1be945fc07c4b
[removed]/main.php?page=c9588fff43ed343a
Within the configuration data for the Blackhole exploit kit, this parameter is termed ‘StatParamName’.
Deobfuscated code from a recent landing page is shown in Appendix 1, with the key script components highlighted.
We have seen malicious URLs with a different format also triggering detections associated with the Blackhole landing page. For example:
[removed].in/t/a92b21c45c3ef0827e3dcf9c20972ec7
[removed].ftp1.biz/t/eb6d7764d6d6df02ed22a227a03b9f91
[removed].ddns.info/t/1baed7122e877523eb375daf0ffc45e6
These are suspected to be other exploit sites that happen to be copying some of the same obfuscation techniques used by Blackhole (Section 3).
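As an added example (not code from the paper or from SophosLabs), the following script shows how a defender might turn the two URL shapes above into a triage heuristic run over web-proxy logs: a `.php` script with a single query parameter whose value is a 16-character hex token (the StatParamName pattern), and the `/t/<32 hex>` path form of the suspected copycat sites. The hostnames, the log format and the log lines are all constructed for the example, and the 16/32-hex lengths are an assumption read off the sample URLs, not a published detection signature.

```python
import re
from urllib.parse import urlparse, parse_qs

# Heuristics derived from the example URLs in the paper. ASSUMPTION: the
# StatParamName value is 16 lowercase hex characters and the variant path
# is /t/<32 hex>. Real kits change these details, so hits are leads for
# analysts, not verdicts.
HEX16 = re.compile(r"^[0-9a-f]{16}$")
PATH_VARIANT = re.compile(r"^/t/[0-9a-f]{32}$")


def classify_url(url):
    """Tag a URL as 'landing-page', 'variant', or None."""
    parsed = urlparse(url)
    if PATH_VARIANT.match(parsed.path):
        return "variant"
    if parsed.path.endswith(".php"):
        qs = parse_qs(parsed.query, keep_blank_values=True)
        # Landing-page URLs carry exactly one parameter (the tracking token);
        # requiring a single hex-only value keeps ordinary CMS URLs out.
        if len(qs) == 1:
            (name, values), = qs.items()
            if len(values) == 1 and HEX16.match(values[0]):
                return "landing-page"
    return None


def scan_log(lines):
    """Parse constructed proxy log lines 'timestamp client url' and return hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        ts, client, url = parts
        tag = classify_url(url)
        if tag:
            hits.append((ts, client, url, tag))
    return hits


# Constructed sample log; hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "2012-03-01T10:00:01 10.0.0.5 http://landing.example/google.php?gmpid=2a4baa7030106862",
    "2012-03-01T10:00:02 10.0.0.5 http://www.example/index.php?page=about",
    "2012-03-01T10:00:03 10.0.0.7 http://copy.example/t/a92b21c45c3ef0827e3dcf9c20972ec7",
    "2012-03-01T10:00:04 10.0.0.7 http://shop.example/cart.php?item=42&qty=1",
    "2012-03-01T10:00:05 10.0.0.9 http://landing.example/main.php?page=c9588fff43ed343a",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A legitimate site that issues 16-hex session tokens in a single query parameter will also match, so in practice these hits are worth correlating with the other signals the paper describes (the obfuscated landing-page script and the follow-on PDF, Flash or Java fetches) before blocking anything.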