Updated Blackhole Exploit Kit Uses Random Domain Generation

An updated version of the Blackhole Exploit Kit appears to now offer an emerging technique to boost infection and redirection rates: a pseudo-random domain generator.

The automation feature was discussed this week in a blog post by Symantec security researcher Nick Johnston, in which he outlined how a script injected into a compromised site can regularly register other URLs to maintain the Web-based attack.

Malware writers often use drive-by download attacks to drop their malicious code onto a user's system: a hidden iframe on a compromised page pulls in exploit code that targets vulnerabilities in different operating systems, Web browsers and add-ons.

“Although this approach has generally been very successful for malware authors, it has had one weakness. If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical,” Johnston wrote. “To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain.”

In response to Johnston’s post, researchers at StopMalvertising.com wrote about their own findings and suggested the recent attacks are not exclusive to the Blackhole Exploit Kit. They also said the decoded script shows a new domain is generated every 12 hours.

The researchers found the pseudo-random domain generator in the .ASP file and in AC_RunActiveContent.js of an infected site. The malicious code redirected first to a RedKit Exploit Kit before redirecting again to a Blackhole Exploit Kit hosted on another site, passing through domains acting as rotators. These rotators “point users to different destinations each time the link is requested or deliver different content based on the geographic location of the visitor.”

The number of compromised domains using this technique remains small at present, but its use in Web exploit kits could grow exponentially if the trials are a success, Johnston said.
