Saturday, September 1, 2012

Understanding Recent Blackhole Exploit Kit's "js.js" Infector Trend for Smart Hunting

When I hunt the honeypot blackhole exploit kit (BHEK) blacklist
for infections I often come across URLs ending in js.js.
The file always has the same extension, but its contents actually differ
depending on the current malware epidemic exploitation, i.e. on how the BHEK
operators want to infect users at that time.

Previously, the trend I found in the js.js code was a mere,
common injected obfuscated script like:

[screenshot: obfuscated injected script sample] or [screenshot: second obfuscated script sample]

↑It was obvious that we had to crack this code to get to the next
hop of the malware source.

But the recent js.js files that I found were mostly/practically just a JavaScript call to
another text file that contains a "document.location=" pointing to certain blackhole sites.
The moral of this write-up is that we can nail bigger stuff / a new epidemic by
understanding the parameter produced by the current pattern.

Allow me to demonstrate this theory. Let's look at the real infected URLs below (IP address, then URL):

209.215.118.13 hXXp://209.215.118.136/fFDrSXRM/js.js
200.219.245.75 hXXp://aainstalacoeseletricas.com.br/3XmimsHL/js.js
184.107.196.218 hXXp://www.celucentro.com.co/qgmZiWk7/js.js
82.98.87.89 hXXp://wilde.webprojekt.ch/v8bPW1U4/js.js
85.214.26.149 hXXp://advantage-media-sports.com/26MxXngr/js.js
194.170.160.46 hXXp://www.admirals.ae/mC9o9rRd/js.js

These will send you to one of the "document.location=" targets below:

document・location='hXXp://209.59.222.20/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
document・location='hXXp://50.116.54.37/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://173.230.130.248/pxyk80ujzb03h.php?y=078eb263358008ea';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=gawit01smae175m0';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
The lesson teaches us to understand the current trend of the parameter used in blackhole, which is:
/pxyk80ujzb03h.php?y=
Let's prove this theory by searching for the above string in the
malware domain list site:

[screenshot: search results for the string on the malware domain list site]
↑Voila! We got ourselves a new hunting field. :-)

PS: This post is dedicated to fellow malware hunters #MalwareMustDie!
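As an added illustration, not part of the original post, here is a small Python script that automates the hunting steps above: pull the "document.location=" targets out of the redirect text that the js.js stubs load, reduce each target to its stable path-plus-parameter key (here /pxyk80ujzb03h.php?y=), and then grep a domain list for that key. The redirect sample reuses the defanged lines from this post; the domain-list feed and its .test hosts are constructed for the example and are not real indicators.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: the redirect text that the js.js stubs pull in,
# defanged with hXXp exactly as on the page.
REDIRECT_TEXT = """
document.location='hXXp://209.59.222.20/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
document.location='hXXp://50.116.54.37/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document.location='hXXp://173.230.130.248/pxyk80ujzb03h.php?y=078eb263358008ea';
document.location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
"""

# Constructed domain-list feed (hosts under .test are placeholders, not IoCs).
FEED_TEXT = """
hXXp://feed-host-a.test/pxyk80ujzb03h.php?y=abcd1234
hXXp://feed-host-b.test/some/other/page.php?id=1
hXXp://feed-host-c.test/pxyk80ujzb03h.php?y=deadbeef
hXXp://feed-host-d.test/Qx7zz1/js.js
"""

# Tolerates whitespace around the dot and either quote style.
LOCATION_RE = re.compile(r"""document\s*\.\s*location\s*=\s*['"]([^'"]+)['"]""")


def refang(url):
    """Turn a defanged hXXp/hXXps URL back into http/https so urlparse works."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_landing_urls(text):
    """Return every document.location target found in the redirect text."""
    return [refang(u) for u in LOCATION_RE.findall(text)]


def landing_key(url):
    """Reduce a landing URL to its stable part: the path plus the first parameter name.
    The host and the parameter value rotate per victim; the path and name do not."""
    parsed = urlparse(url)
    first_param = parsed.query.split("&", 1)[0].split("=", 1)[0]
    return f"{parsed.path}?{first_param}=" if first_param else parsed.path


def derive_hunting_strings(text):
    """Count the keys seen across all targets; the most common one is the hunting string."""
    return Counter(landing_key(u) for u in extract_landing_urls(text))


def hunt(feed_text, key):
    """Return feed lines whose URL carries the hunting key (works on defanged lines too)."""
    return [line for line in feed_text.split() if key in refang(line)]


if __name__ == "__main__":
    key, seen = derive_hunting_strings(REDIRECT_TEXT).most_common(1)[0]
    print(f"hunting string: {key}  (seen {seen} times)")
    for hit in hunt(FEED_TEXT, key):
        print("hit:", hit)
```

The key deliberately drops the host and the value of y, since those are the parts the kit rotates; the path and the parameter name are what stayed constant across all six targets in the post, which is why they make a usable search string.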