Blackhole with new Obfuscation

In a former article I described a method to deobfuscate Blackhole obfuscated JavaScript with shell commands and two simple C-programs.

Today I got a Blackhole Exploit Kit message which lead to a landing page – http://forumibiza.ru:8080/forum/links/column.php – with a new ( for me) – simpler – obfuscation. They didn’t insert random characters in the strings but ignored every pair of two characters which started with an equal sign „=“. My piRadix program guested the radix correct but the preparation for piDecode failed and naturally the decoding failed. I added a simple line to delete all pairs starting with „=“ and everything worked fine with old and new obfuscation.

| sed ’s#=.##g‘ \

Here comes the new script:

„Blackhole with new Obfuscation“ weiterlesen

How to deobfuscate Blackhole Java-Script

This article describes my investigations of the Java-Script obfuscation currently used by the Blackhole Exploit Kit. My intend was to write some smal scripts to automatically deobfuscate the Java-Script without using Java-Script itself. Using Java-Script with a little help would be an easy task because you only have to identify the point where the „eval“-fucntion is called and repalce it with an alert- or document-write function. My intend was to fully automate the deobfuscation to used it by an mail-scanner or a proxy-server.

I an former article I investigated the LinkedIn Spam and showed an example of a landing page assure_numb_engineers.php I downloaded from the server. Thanks to the daily spam and some web-sites listing the active servers I could get my hand on some more landing pages. Most of them looked like the example below.

In the next few paragraphs I will explain how the decoding and encoding works and develop explain a solution for decoding without deciphering the javascripts of a certain class.

„How to deobfuscate Blackhole Java-Script“ weiterlesen