Avast does not detect Blackhole site

See: http://zulu.zscaler.com/submission/show/2d467803c374a4f426104303152c19d4-1341333799
See: http://vscan.urlvoid.com/analysis/eda6dc76935ef4206fa3b0d598beeab2/YWFpci1odG1s/ i detection
Detected here: http://sitecheck.sucuri.net/results/induktionskochplatte.tk/wp-admin/aair.html
Missed here: https://www.virustotal.com/url/bd5f1b2213b3e8057483e96c98fa20f4127420f8a19d1970f175dfc4ddb01416/analysis/1341333989/
http://urlquery.net/queued.php?id=81471
Various IDS alerts for:
Detected BlackHole exploit kit HTTP GET request
Detected Live BlackHole exploit kit
Detected malicious injected iframe

reported to virus AT avast dot com,

polonus

Same pattern found here: http://urlquery.net/report.php?id=81490
princess-sales dot net/main.php?page=3eeb1d64e259a3cf
status: (referer=htxp:/twitter.com/trends/) saved 62768 bytes 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62c
failure: [Errno 13] Permission denied: '/var/wXw/maliciousips.txt'
info: [decodingLevel=0] found JavaScript
info: DecodedGenericCLSID detected CA8A9780-280D-11CF-A24D-444553540000 BD96C556-65A3-11D0-983A-00C04FC29E36 d27cdb6e-ae6d-11cf-96b8-444553540000 D27CDB6E-AE6D-11CF-96B8-444553540000
malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./…/44c9f31.ex-
file: 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62c: 62768 bytes
file: a79e179909484d491a47ac37cc5d65743a8792a3: 16757 bytes

polonus

VirusTotal: https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341335845/
Not detected by any antivirus… :cry:

aair.html
https://www.virustotal.com/file/b2dbcb17cefa879cb3067abcfefb52430faf7fcc5584ca23764da6aa3732c827/analysis/1341336075/
http://wepawet.iseclab.org/view.php?hash=eda6dc76935ef4206fa3b0d598beeab2&type=js

https://www.virustotal.com/file/c0c1637f4808953c89e4f52ad2fe59f0ee3a6817e9b583939c5d827b33bfc719/analysis/1341335550/

Exploit.BlackHole

reported to virus AT avast dot com,

Hi !Donovan,

What did the shellcode there translate to? Is it a variant of what avast detects as JS:ShellCode-AF[Expl]?
See: http://forum.avast.com/index.php?topic=99293.0

Shellcode, see attached image…
It checks for various OS/browser configurations to infect with Shockwave Flash plug-in malware…

polonus

4 Now Detect.


AntiVir   	JS/Agent.ajy
AVG        	Script/Exploit.Kit
Microsoft 	Exploit:JS/Blacole.GB
Sophos    	Mal/ExpJS-N

https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341363413/

[July 4th Update] 2 More Detect.


Emsisoft 	Exploit.JS.Blacole!IK
Ikarus     	Exploit.JS.Blacole

https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341405519/

Hi !Donovan,

How about this one (IDS is clear with all alerts): http://urlquery.net/report.php?id=82387
Here it is missed: http://zulu.zscaler.com/submission/show/06768700d558a42f1768359dbc0d1fc3-1341430078

polonus

The reason Zulu missed it is likely that the content of the URL couldn't be retrieved, hence HTTP Status Code: 500 Server Unavailable.

[...] Some people get the "domain suspended due to abuse" message while others get redirected to [link removed] and [link removed], which suggests that there is some server-side logic that filters traffic (probably by IP, Referrer, etc.)
http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

I had to resort to my old HTML viewer. All other advanced HTML fetching programs returned a 302 error. So I also confirm this.

After finally getting the code, I was able to upload to VirusTotal. Results:
https://www.virustotal.com/file/8c029ebba00ddc3e9c15c07679f0ce6e6eb8edb897c429cbe2d17b6ddd40bce7/analysis/1341434784/

0/42… :frowning:

Hi !Donovan,

As I reported to you, pseudo-random domains are now being blocked by the avast Network Shield.
I am delighted avast has us all protected here.
Other users read here: http://forum.avast.com/index.php?topic=100691.0

polonus

Another one with a block of malicious obfuscated script: http://urlquery.net/report.php?id=83006 (12 IDS alerts)
The code there is heavily obfuscated JavaScript and is hosting a BlackHole Exploit Kit.
The BlackHole Exploit Kit is serving the following exploits:
Java Rhino | Java OBE | PDF ALL | PDF LIBTIFF | HCP | FLASH
Sucuri finds it: http://sitecheck.sucuri.net/results/afisha76.ru/acinfo.html and detects MW:ANOMALY:SP7 malware

polonus

http://img829.imageshack.us/img829/4253/20120705182844.png

Philip

Hi Left123,

Thanks for that. An image can say more about malcode than thousands of words,

polonus

Sucuri defines MW:ANOMALY:SP7 as suspicious, so I assume that they do not have any records for this malware at hand…yet.

Only 1 detect here: https://www.virustotal.com/file/eecaab8dd661421a1731e0baff23827e17a272de98de6ce3dbed6f00d60e933b/analysis/1341502238/

Edit: As for the BlackHole Landing Page: https://www.virustotal.com/file/8602f7d47c9ae4cd90743760ae4d7238d87fc8ce236c7e639a6b64b4d71c7154/analysis/1341503045/
0/42…
Edit 2: Quick detection by Sophos: Sophos Mal/ExpJS-N 20120705

==================

[July 5th Update] 8 Total Detect: (Code received in post 2)


AntiVir 	JS/Agent.ajy
AVG         	Script/Exploit.Kit
Emsisoft  	Exploit.JS.Blacole!IK
Ikarus    	Exploit.JS.Blacole
McAfee    	JS/Exploit-Blacole.ec
Microsoft 	Exploit:JS/Blacole.GB
NOD32    	JS/Kryptik.QT
Sophos    	Mal/ExpJS-N

https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341501382/

Hi !Donovan,

Thanks for keeping a finger on the pulse of that VT detection for us.
Now you probably see how important it was when urlquery brought the Emerging Threats IDS, and later Snort IDS, into their scanning engine.
It really detects a lot of anomalous patterns in web traffic, vital for early detection of these undetected sites and their malicious patterns.
HTML and script analysis will also shed light on the nature of these sites (Sucuri),
but I find a lot are still flying under the normal AV/anti-malware radar for too long,

polonus

20 hours later 3/42 detect…


Commtouch             	JS/Blacole.BZ
F-Prot              	JS/Blacole.BZ
Sophos            	Troj/ExpJS-FB

@Polonus
Indeed, the new IDS alerts are very useful. :slight_smile:

I also agree with you. The AV industry needs to be more proactive in detecting these exploits.

Well, there are samples that have a good overall detection rate, while it should be said that these EXP/JS.Blacole.BZ variants were up for 132.9 and over 990 hrs. One of the two is still active (the other one is dead now): https://www.virustotal.com/url/8c258726e3bbd65eeb71a8502f8b902740c2efbfc9749946948862bb0ce52780/analysis/1341505063/
and
https://www.virustotal.com/file/fa80fc1c4b40891c08ef9213ac24531999b610d2e8b69e95278c88d13f67852c/analysis/1341505064/
But it is also of another nature, see the IDS alerts here:
http://urlquery.net/report.php?id=83167 & http://sitecheck.sucuri.net/results/asociacioncivil.info/wp-content/themes/blue-taste/dd_ie.js

No alerts here: http://urlquery.net/report.php?id=83173 … but indeed detected here: http://sitecheck.sucuri.net/results/www.arleta-m.ru/
and again another chip off the same block, but another flaw: http://sucuri.net/malware/malware-entry-mwjsde921

Nothing here my friends, nothing… https://www.virustotal.com/url/209d6adec1ef6310a9f573b796bbf91e7d77ec674de168cda946a9ff6445af4f/analysis/1341505736/

polonus

This one only detected here: https://www.virustotal.com/url/7da548c75b95bc06dad744d3f869fa3fb16c2bfd4a3b680fdbccc466abe05238/analysis/1341593117/
(Sophos)
and here: http://urlquery.net/report.php?id=84023 (content returned, see: http://zulu.zscaler.com/submission/show/757757e3b21095d5d57e0c9c3c0a410a-1341593405 ); a possible Blackhole URL: http://urlquery.net/report.php?id=83939

polonus

Another one not detected: https://www.virustotal.com/file/b71668a7dcdbb29663519d5c9b95df12c761dbe4f19cfab0de0e10e8ec378842/analysis/
and http://vscan.urlvoid.com/analysis/d5717c221e81a0aa7a80812d0590e84e/bWFpbi1waHA=/
See: http://urlquery.net/report.php?id=84669
http://zulu.zscaler.com/submission/show/52f12e8d818a4763a491ba3779be9e49-1341678053

polonus

Another one… this time history repeats itself.

see: https://www.virustotal.com/file/b6d708d5f0242ea2d0caab5336f6e1c3c57b1918a6aac684b63bfba7447cd432/analysis/

and nothing here: http://zulu.zscaler.com/submission/show/7f87a6f3d227005ed04fd0de8f456b91-1341679972

See screenshot… it's a malicious appendChild iframe/exploit…

Reported all the URLs in this topic to Virus AT avast DOT com

One more… this one is an appendChild iframe exploit…

http://urlquery.net/report.php?id=83576

Reported to virus at avast dot com