On the morning of May 12th our malware outbreak sensors registered another BlackHole outbreak hitting one of the Alexa Top 200 domains: Answers.com. The resource generated for its RSS feed was infected with the BlackHole exploit kit: the XML output file served at the URL feeds.answers.com had an obfuscated JavaScript prepended to it. The malicious code looks like this:
The decrypted code creates a hidden IFRAME tag with a malicious reference in it:
At the time the infection was discovered we had registered a couple of malware-serving domains:
vjlnwoof.dhcp.biz: 146.185.255.191 hosted in Russian Federation
mvulhlky.tld.cc: 199.59.241.250 hosted in China
ring.t3.estrack.net: 220.77.243.249 hosted in South Korea
The malicious JavaScript is detected by the latest version of AVG as a variant of the Script/Exploit.Kit Trojan family. When recognized by AVG LinkScanner it is reported as a BlackHole Type exploit.
While this article was being written our sensors reported another alert, on the domain Staticyonkis.com. Its advertisement delivery is infected with the same BlackHole malware. The number of blocked intrusions from this domain reported by our clients is around 496.000 hits and is still increasing. The VirusTotal detection ratio for this malware is rather low: 7/42.
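As an added example (not code from the original post or from AVG), a small Python check for the two indicators described above: script content prepended before a feed's XML declaration or RSS/Atom root, and IFRAME tags styled to be invisible. The feed bodies and the iframe fragment are constructed samples; the host example.invalid is a placeholder, not one of the domains listed.

```python
import re
from typing import Dict, List

# Constructed sample: an RSS body with a script block prepended before the
# XML declaration. The script content is a placeholder, not real malware.
INFECTED_FEED = (
    '<script>var s="placeholder-obfuscated-stage";</script>'
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<rss version="2.0"><channel><title>Example</title></channel></rss>\n'
)

# Constructed sample: the same feed as it should be served.
CLEAN_FEED = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<rss version="2.0"><channel><title>Example</title></channel></rss>\n'
)

# Constructed sample of what a decrypted stage typically drops: a 1x1,
# hidden IFRAME pointing at a placeholder host.
DROPPED_STAGE = (
    '<iframe src="http://example.invalid/x.php" width="1" height="1" '
    'style="visibility:hidden;position:absolute"></iframe>'
)

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Attributes/styles that make a frame effectively invisible to the visitor.
HIDDEN_HINTS = re.compile(
    r'width\s*=\s*["\']?[01]\b|height\s*=\s*["\']?[01]\b'
    r'|display\s*:\s*none|visibility\s*:\s*hidden',
    re.IGNORECASE,
)


def find_feed_injection(body: str) -> Dict[str, object]:
    """Report script content sitting before the feed root and hidden iframes."""
    text = body.lstrip("\ufeff \t\r\n")  # tolerate a BOM and leading whitespace
    # The legitimate document begins at the XML declaration or the RSS/Atom root.
    starts = [i for i in (text.find("<?xml"), text.find("<rss"), text.find("<feed")) if i >= 0]
    root_at = min(starts) if starts else len(text)
    prefix = text[:root_at]
    hidden: List[str] = [
        m.group(0) for m in IFRAME_RE.finditer(text) if HIDDEN_HINTS.search(m.group(0))
    ]
    return {
        "prepended_script": bool(SCRIPT_RE.search(prefix)),
        "prefix_length": len(prefix),
        "hidden_iframes": hidden,
    }
```

A feed endpoint should return nothing before its XML declaration, so any non-zero prefix_length on such a URL is worth an alert even when no script tag is matched.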
Jiri Kropac