An updated version of the Blackhole Exploit Kit appears to include an emerging technique for sustaining infection and redirection rates: a pseudo-random domain generator.
The feature was described this week in a blog post by Symantec security researcher Nick Johnston, who outlined how a script injected into a compromised site can generate new redirect domains on a regular schedule. Because the attackers know the algorithm, they can register the upcoming domains in advance, so the redirection chain keeps working even as individual domains are blocked or taken down.
Malware writers often use drive-by download attacks to drop malicious code onto a user's system, typically by way of a hidden iframe that loads an exploit page targeting vulnerabilities in the operating system, the Web browser or its add-ons.
In response to Johnston's post, researchers at StopMalvertising.com wrote about their own findings and suggested the recent attacks are not exclusive to the Blackhole Exploit Kit. They also noted that the decoded script generates a new domain every 12 hours.
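To make the mechanism concrete, here is an added example of a time-seeded domain generator and a matching detector. It is illustrative code written for this article, not the actual algorithm from the Blackhole or RedKit kits or from either researcher's analysis: the seed, the xorshift mixing, the 12-character label length and the TLD rotation are assumptions, and the DNS log lines are constructed. What it does reproduce is the property the researchers describe: every client that runs the script derives the same domain for a given 12-hour window, which is also what lets a defender precompute the domains to watch for.

```javascript
// Illustrative time-seeded domain generation algorithm (DGA) and a matching
// detector. Added example, NOT the real Blackhole/RedKit algorithm; the seed,
// window length, mixing function and character mapping are assumptions.

const WINDOW_MS = 12 * 60 * 60 * 1000;      // one new domain every 12 hours
const TLDS = [".com", ".net", ".info"];      // assumed TLD rotation
const LABEL_LEN = 12;                        // assumed label length

// Index of the 12-hour window containing a Unix timestamp in milliseconds.
// Windows are aligned to the epoch, so they start at 00:00 and 12:00 UTC.
function windowIndex(epochMs) {
  return Math.floor(epochMs / WINDOW_MS);
}

// Small 32-bit xorshift PRNG. Everything is derived from the window index and
// a campaign seed, so the injected script and the attacker compute the same
// name offline without any network contact.
function xorshift32(state) {
  state ^= state << 13; state >>>= 0;
  state ^= state >>> 17;
  state ^= state << 5;  state >>>= 0;
  return state >>> 0;
}

// Domain for the window containing epochMs. Same window => same domain.
function dgaDomain(epochMs, seed) {
  // Mix the window index with the seed; xorshift can never leave state 0,
  // so fall back to 1 in that case.
  let state = (Math.imul(windowIndex(epochMs), 2654435761) ^ seed) >>> 0 || 1;
  let label = "";
  for (let i = 0; i < LABEL_LEN; i++) {
    state = xorshift32(state);
    label += String.fromCharCode(97 + (state % 26)); // 'a'..'z'
  }
  state = xorshift32(state);
  return label + TLDS[state % TLDS.length];
}

// Defender side: enumerate the domains to expect across a time range, e.g. to
// sinkhole or blocklist the next week's names once the seed is recovered.
function expectedDomains(startMs, endMs, seed) {
  const out = [];
  for (let t = startMs; t <= endMs; t += WINDOW_MS) out.push(dgaDomain(t, seed));
  return out;
}

// Scan DNS log lines of the form "<epochMs> <client> <queried-domain>" and
// return the indices of lines whose queried domain equals the DGA output for
// that line's own 12-hour window. Malformed lines are skipped.
function detectDga(logLines, seed) {
  const hits = [];
  logLines.forEach((line, i) => {
    const [ts, , qname] = line.trim().split(/\s+/);
    const epochMs = Number(ts);
    if (!Number.isFinite(epochMs) || !qname) return;
    if (qname.toLowerCase() === dgaDomain(epochMs, seed)) hits.push(i);
  });
  return hits;
}

// Constructed sample log (not real traffic). Lines 1 and 2 query the DGA
// domain for the window covering 03:00-04:00 and 11:00 UTC on 1 Oct 2012;
// line 0 is benign and line 3 is malformed.
const SEED = 0x5eed1234;                       // assumed campaign seed
const T0 = Date.UTC(2012, 9, 1, 3, 0, 0);      // 1 Oct 2012 03:00 UTC
const SAMPLE_LOG = [
  `${T0} 10.0.0.5 www.example.com`,
  `${T0 + 3600000} 10.0.0.7 ${dgaDomain(T0 + 3600000, SEED)}`,
  `${T0 + 8 * 3600000} 10.0.0.9 ${dgaDomain(T0 + 8 * 3600000, SEED).toUpperCase()}`,
  `garbage line without a timestamp`,
];

console.log("window domain:", dgaDomain(T0, SEED));
console.log("hits:", detectDga(SAMPLE_LOG, SEED));
```

The detector only works once the seed and algorithm have been recovered from the decoded script, which is why the researchers' decoding work matters: with those in hand, `expectedDomains` turns an open-ended rotation into a finite, precomputable watchlist.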
The researchers found the pseudo-random domain generator in the .ASP file and in AC_RunActiveContent.js on an infected site. The malicious code first redirected to a RedKit Exploit Kit and then redirected again to a Blackhole Exploit Kit hosted on another site, passing through domains acting as rotators. These rotators "point users to different destinations each time the link is requested or deliver different content based on the geographic location of the visitor."
The number of compromised domains using this technique remains small at present, but its use in Web exploit kits could grow exponentially if the trials are a success, Johnston said.