BlackHole Exploit's Pseudo-Random Algorithm--Ripped?

Donovan · June 29, 2012, 5:27pm

Compare:
2012 ~ http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains
2009 ~ http://stackoverflow.com/questions/424292/how-to-create-my-own-javascript-random-number-generator-that-i-can-also-set-the

Is it possible that the original algorithm came from this StackOverFlow question?

New lines given in the BlackHole Exploit Version:

var s = d.[i]getHours/i > 12 ? 1 : 0;

Lines moved in the BlackHole Exploit Version (moved to function generatePseudoRandomString(unix, length, zone)):

var rand = new RandomNumberGenerator();

Also, the function RandomNumberGenerator passes the variable “unix” in the BlackHole Exploit version and not in the original.

polonus · June 29, 2012, 8:53pm

Thanks for the heads-up on this threat, !Donovan,
80 pre-registered malcode domains detected,
the endless war between the dark and the light goes on,
but remember one candlelight can beat the dark’s cover,
so shine on benevolent coders and analysts,

polonus

BlackHole Exploit's Pseudo-Random Algorithm--Ripped?

New lines given in the BlackHole Exploit Version:

var s = d.[i]getHours/i > 12 ? 1 : 0;

Lines moved in the BlackHole Exploit Version (moved to function generatePseudoRandomString(unix, length, zone)):

var rand = new RandomNumberGenerator();

Announcements