BlackHole Exploit Kit Gets New Domain-Generation Algorithm

Nothing is more frustrating than spending days or weeks compromising dozens of Web sites and setting up your network of malicious redirects and then finding out that someone has screwed it all up by taking down one of your infected sites. Luckily, the crew behind the BlackHole exploit kit has solved that problem for its customers by including a new domain-generation algorithm that will help create new malicious sites as quickly as possible.

BlackHole is one of a handful of widely used exploit kits that enable attackers to compromise legitimate Web sites and then serve malicious code to the sites’ visitors. The kit bundles a collection of exploits that target vulnerabilities in the visitor’s browser and its plug-ins. In many cases, the exploits that BlackHole and other kits use are designed for somewhat older versions of Web browsers or plug-ins, but they still work because users can be slow to update.

These exploit kits can be quite effective, but if the owner of one of the compromised sites discovers the infection or just happens to take down the page, it can really mess things up for the attackers. But researchers say that BlackHole has been updated with a new feature that will rapidly create new domain names and iframes that will point to the malicious domain.

Botnets use the same sort of algorithms in many cases to generate new domains for command-and-control functionality as a way to stay ahead of takedown efforts.

“This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second,” Nick Johnston at Symantec said in an analysis of the new version of the kit.

This function calls the following:

  • generatePseudoRandomString() function, with a timestamp
  • 16, the desired length of the domain name
  • ru, the top-level domain name to use

The code then creates a hidden iframe, using the previously-generated domain as the source. Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed.”

The domain-generation algorithm depends upon a couple of inputs, one of which is the date. So, changing the date will let you see what domains will be generated on a given day. Johnston said in his analysis that checking on future dates, he saw that all of the possible domains to be generated through Aug. 7 already have been registered, and they point to one IP address.
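The analysis above describes the shape of the algorithm (a timestamp goes in, a 16-character label plus the "ru" TLD comes out, and the result becomes the source of a hidden iframe) but does not reproduce the kit's code. The following is an added illustrative example, not BlackHole's actual code: the seeding scheme, hash and PRNG are assumptions chosen to show the one property that matters to defenders, namely that a date-seeded generator is deterministic, so the domains for future days can be enumerated and blocked or sinkholed before they are used.

```javascript
// Added illustrative example: a date-seeded domain-generation algorithm in the
// style the article describes (timestamp in, 16-character label plus TLD out).
// The seeding, hash and PRNG here are assumptions for illustration, NOT the
// actual BlackHole code, which the article does not reproduce.

const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";

// Reduce a timestamp to a UTC calendar day so that every call on the same day
// yields the same seed (the property that lets defenders forecast domains).
function daySeed(timestampMs) {
  const d = new Date(timestampMs);
  const key = `${d.getUTCFullYear()}-${d.getUTCMonth() + 1}-${d.getUTCDate()}`;
  // FNV-1a 32-bit hash of the date string (hash choice is an assumption)
  let h = 0x811c9dc5;
  for (let i = 0; i < key.length; i++) {
    h ^= key.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h || 1; // xorshift must never be seeded with zero
}

// xorshift32: a small deterministic PRNG, enough to show the technique
function xorshift32(state) {
  state ^= state << 13; state >>>= 0;
  state ^= state >>> 17;
  state ^= state << 5;  state >>>= 0;
  return state;
}

// Hypothetical counterpart of the generatePseudoRandomString() named in the
// analysis: (timestamp, length, tld) -> "xxxxxxxxxxxxxxxx.tld"
function generatePseudoRandomString(timestampMs, length, tld) {
  let state = daySeed(timestampMs);
  let label = "";
  for (let i = 0; i < length; i++) {
    state = xorshift32(state);
    label += ALPHABET[state % ALPHABET.length];
  }
  return `${label}.${tld}`;
}

// Markup for the hidden iframe the kit is described as injecting. Built as a
// string only, so the example runs outside a browser without touching a DOM.
function hiddenIframeMarkup(domain) {
  return `<iframe src="http://${domain}/" width="0" height="0" style="display:none"></iframe>`;
}

// Defender view: because the seed is the date, the domains for the next N days
// can be enumerated in advance for blocklists or sinkholing. This mirrors how
// the analyst found domains for future dates already registered.
function forecastDomains(startMs, days, length = 16, tld = "ru") {
  const out = [];
  for (let i = 0; i < days; i++) {
    const ts = startMs + i * 86400000;
    out.push({
      date: new Date(ts).toISOString().slice(0, 10),
      domain: generatePseudoRandomString(ts, length, tld),
    });
  }
  return out;
}

// Stand-alone demo on a constructed start date (2012-07-15 UTC)
const start = Date.UTC(2012, 6, 15);
for (const { date, domain } of forecastDomains(start, 3)) {
  console.log(date, domain);
}
console.log(hiddenIframeMarkup(generatePseudoRandomString(start, 16, "ru")));
```

The practical check is the one the Symantec analyst ran: feed the generator the dates ahead of you, then query WHOIS or passive DNS for each result. Domains that already resolve to a single IP before their day arrives are the attacker's pre-registered infrastructure and can be blocked as a batch.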

“So far we have seen a small but steady stream of compromised domains using this technique. This suggests that this is perhaps some kind of trial or test that could be expanded in future,” Johnston said.