[Security] Analysis of a Blackhole Exploit page
The Blackhole Exploit kit is still a very popular attack on the web. There are many variants of the threat. Here is a detailed analysis of one Exploit kit page and the obfuscation technique leveraged by the attack.
The code below was delivered by Malzilla following the aforementioned adjustments (I've cut out the encoding data):
I can now execute the script. The obfuscation requires many passes to fully decode the data and it takes quite a while to complete.
Now, let's examine the output from Malzilla. The first part addresses a "Please wait page is loading..." message, very typical of the Blackhole Exploit kit so that the victim remains patient while the exploit code executes.
Depending on what browser information was obtained, different exploits can be delivered. It could for example be a malicious Java applet:
... or a remote code execution targeting a known Internet Explorer vulnerability:
... or a malicious PDF file:
... or a malicious Flash file:
Separating the exploit into an encoded payload and a decoding loop made it easier for the exploit kit creators to generate an endless supply of different-looking pages in order to evade signature-based detection. The Exploit kit is also more sophisticated than many other exploits in that it selects the right exploit for each visitor based on the browser and plugin information it collected.
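The layout described above (a long encoded string literal, a loop that turns it back into characters, and an eval of the result) is itself a detectable pattern even when the encoded bytes change on every visit. The following is an added example, not code from the post or from Malzilla: a small static scorer that flags those structural indicators in a script. The two sample scripts, the indicator list and the thresholds are constructed for illustration and are not taken from any real Blackhole page.

```python
import re

# Constructed samples (not from the analysed page). The first is an ordinary
# page script; the second follows the "encoded blob + decoding loop + eval"
# layout with a harmless payload ("hello world" as 3-digit char codes).
CLEAN_SCRIPT = """
function showBanner(msg) {
  document.getElementById('banner').textContent = msg;
}
showBanner('Welcome back');
"""

OBFUSCATED_STYLE_SCRIPT = """
var d = '104101108108111032119111114108100';  // constructed: 3-digit char codes
var o = '';
for (var i = 0; i < d.length; i += 3) {
  o += String.fromCharCode(parseInt(d.substr(i, 3), 10));
}
document.write('<div>Please wait page is loading...</div>');
eval(o);
"""

# Calls commonly seen in the decoding stage of obfuscated loaders (heuristic list).
DECODER_CALLS = ["eval(", "unescape(", "fromCharCode(", "charCodeAt(",
                 "parseInt(", "document.write("]

# Matches single- or double-quoted JavaScript string literals, honouring escapes.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
# eval() applied to a bare identifier rather than a literal expression.
EVAL_OF_VARIABLE = re.compile(r"\beval\s*\(\s*[A-Za-z_$][\w$]*\s*\)")
LOOP_HEAD = re.compile(r"\b(for|while)\s*\(")
CHAR_DECODE = re.compile(r"fromCharCode|charCodeAt|substr|substring|parseInt")

BLOB_MIN_LEN = 30       # constructed threshold: encoded blobs are long and space-free
SUSPICIOUS_SCORE = 3    # constructed threshold: number of flags that trips the verdict


def longest_blob_literal(script):
    """Return the longest string literal containing no whitespace.

    Encoded payloads are typically one long run of digits/hex with no spaces,
    which separates them from ordinary UI text such as a 'please wait' message.
    """
    best = ""
    for single, double in STRING_LITERAL.findall(script):
        lit = single or double
        if not re.search(r"\s", lit) and len(lit) > len(best):
            best = lit
    return best


def has_decoding_loop(script, window=400):
    """Crude check: a for/while loop whose nearby body uses char-level decoding."""
    for m in LOOP_HEAD.finditer(script):
        body = script[m.end():m.end() + window]
        if CHAR_DECODE.search(body):
            return True
    return False


def score_script(script):
    """Score one script and return the flags that fired plus a verdict."""
    flags = []
    blob = longest_blob_literal(script)
    if len(blob) >= BLOB_MIN_LEN:
        flags.append("long_blob")
    decoders = [c for c in DECODER_CALLS if c in script]
    if len(decoders) >= 2:
        flags.append("decoder_calls")
    if has_decoding_loop(script):
        flags.append("decoding_loop")
    if EVAL_OF_VARIABLE.search(script):
        flags.append("eval_of_variable")
    score = len(flags)
    return {
        "score": score,
        "flags": flags,
        "decoders": decoders,
        "blob_length": len(blob),
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "clean",
    }


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_SCRIPT), ("obfuscated", OBFUSCATED_STYLE_SCRIPT)):
        print(name, score_script(src))
```

The scorer deliberately ignores the content of the encoded string and looks only at the structure around it, which is what stays constant across the regenerated pages the post describes. Real loaders vary the decoding calls and split the blob across several variables, so a production detector would pair heuristics like these with dynamic decoding in a sandbox rather than rely on them alone.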