Although this approach has generally been very successful for malware authors, it has had one weakness. If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.
This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second. This function calls the following:
- generatePseudoRandomString() function, with a timestamp
- 16, the desired length of the domain name
- ru, the top-level domain name to use
The code then creates a hidden iframe, using the previously-generated domain as the source.
Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed.
Running this code in isolation, it seems that the pseudo-random domain is based on a number which is in turn based on an initial seed value, the current month and the day of the current month. When running the code at the time of writing, it returned:
By changing the date passed to the function we can determine domains that will be used in future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, such as details of the registrant not published in WHOIS.
So far we have seen a small but steady stream of compromised domains using this technique. This suggests that this is perhaps some kind of trial or test that could be expanded in future.
Botnet software has used similar techniques in the past (Storm, most famously), but use of this technique in Web exploit kits is an emerging technique.
Web attacks and drive-by downloads continue to be one of the primary ways that enterprise and consumer computers are compromised today. All Norton customers and Symantec Endpoint Protection customers that use our Network-Based Protection technology are proactively protected from Blackhole Web attack toolkits serving up drive-by downloads. The Network Threat Protection technology stops these attacks before they ever get to the end computer. Customers relying on antivirus-only technology may be at risk due to the polymorphic nature of the malware generated by Web attack toolkits like Blackhole. If you do not use Symantec products and are concerned that your computer might have been compromised after visiting a site you can download Symantec’s free Power Eraser tool.
Leave a reply