avast! does not detect: BlackHole Exploit Toolkit

See: https://www.virustotal.com/url/3345047f0ac663c69820d597570befbd3feeffacb35136a4defc7d1a14c40363/analysis/
And: https://www.virustotal.com/file/79b3bcf5269b102fe38c4888350154bd1fdde9454afddc2ad2e062437f4842fe/analysis/1338828393/

Only McAfee detects this zero-day blackhole exploit. And maybe because of the obfuscation method it uses:

1. Inside the pre and b (bold) tags is an i (italic) tag with the id (identity) of "asd". This contains the malscript.

  • "e" is defined as window.eval (different from a regular eval)
  • All "," characters are removed from "asd"
  • "s" is set as a new variable
  • A loop of createElement is started, repeating until it matches the length of the revised "asd"
  • When (if) the CPU returns the exploit error, it defines "s" as the following:

"a" (see above) multiplied by "k" (the count when the crash occurred), minus (12 % "k") [% is the modulus, i.e. the division remainder]

And from there, the eval reads “s”.

info: DecodedGenericCLSID detected D27CDB6E-AE6D-11CF-96B8-444553540000 CA8A9780-280D-11CF-A24D-444553540000
malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 13555 times)
See: http://cwe.mitre.org/data/definitions/416.html

More antiviruses need to detect this…

Well it is very new…on VT

First seen by VirusTotal
2012-06-04 16:46:33 UTC ( 44 minutes ago )

This kind of CVE exploit comes from 2010.

Hi !Donovan & Pondus,

urlQuery alerts on it: http://urlquery.net/report.php?id=63667 (not a lot of Blackhole that scanner lets slip by),
but the really good news here is that we are being protected by the avast Network Shield, which blocks the connection to -main.php?page=4e9648fa89b4c6cc
as URL:Mal immediately. So we are being protected, my friends.

polonus

Hi !Donovan and Pondus,

You have to be aware that a lot of old malware is being revamped and recycled to make the rounds again.
I see a lot of that going around lately. The detection patterns have left the memory of the older analysts and the young haven't met them yet, so it is as it is with fashion: red polka dots from 2007 now reappear as the latest trend for 2012. This goes even for the exploits being used again.

polonus

I am now thinking that once a zero-day threat becomes less common, the common antivirus removes its definitions to save file space. :-\

Hi !Donovan,

It is not dramatic, but they have to make a selection to make it go round for the general user to be best protected.
So what to include and what to leave out? The shields will do the additional work…

polonus

I assume you're right, Polonus. Too many definitions could slow things down.

It is nice that the Network Shield blocks the site. :)