Blackhole with new Obfuscation


In an earlier article I described a method to deobfuscate Blackhole obfuscated JavaScript with shell commands and two simple C programs.

Today I got a Blackhole Exploit Kit message which led to a landing page – http://forumibiza.ru:8080/forum/links/column.php – with a new (for me), simpler obfuscation. They did not insert random characters into the strings; instead, every pair of two characters that starts with an equal sign "=" is ignored. My piRadix program guessed the radix correctly, but the preparation for piDecode failed and naturally the decoding failed. I added a simple line to delete all pairs starting with "=", and everything worked fine with both the old and the new obfuscation.

| sed 's#=.##g' \

Here comes the new script:

#!/bin/sh

# Blackhole decode V1R0M1
# Reads the landing page on stdin. Without an argument the guessed radix is
# printed (piRadix); with the radix given as $1 the script is decoded (piDecode).

if [ -z "$1" ]
then 
  CMD="piRadix"
else
  CMD="piDecode"
fi  

# 1. put every numbered attribute (12="...") on a line of its own
# 2. keep only those lines and sort them by attribute number
# 3. strip the attribute name and the quotes
# 4. drop every two-character pair that starts with "=" (the new obfuscation)
# 5. keep only base-36 digits and join everything into one line
sed 's#\([0-9]\{1,3\}="[^"]*"\)#\n\1\n#g;' \
| grep '^[0-9]*=' \
| sort -n \
| sed 's#^[0-9]*="##; s#"$##;' \
| sed 's#=.##g' \
| tr -dc '0-9a-z' \
| tr -d '\n' \
| $CMD $1

Bash-Shell-Script: blackhole V1R0M1

Modified Script to deobfuscate with one command

The e-mail attachments are obfuscated by the same principle. But they store the data in the elements of a large array instead of attributes of a tag. I put all this in a single script.

#!/bin/sh

# Deobfuscate JavaScript V1R0M1
# Usage: deobfuscate [radix] < file
# Reads the landing page or attachment on stdin, detects the obfuscation type
# and writes the decoded script to a temp directory. The radix is guessed with
# piRadix unless it is given as $1.

# Create temp directory

TMPDIR=/tmp/`date +%F`/deobfuscate.$$
mkdir -p "$TMPDIR"

clean_exit()
{

## rm -rf "$TMPDIR"   # kept for inspection; uncomment to clean up
echo "Melde: Habe fertig!"
echo "Result: $TMPDIR/decoded_script"

}

trap clean_exit EXIT

cat > "$TMPDIR/testpage.html"

# Type 1 (landing page): strings in numbered attributes 12="..."
deobfuscate_type1 () {
  
sed 's#\([0-9]\{1,3\}="[^"]*"\)#\n\1\n#g;' \
| grep '^[0-9]*=' \
| sort -n \
| sed 's#^[0-9]*="##; s#"$##;' \
| sed 's#=.##g'

}

# Type 2 (e-mail attachment): strings in a JavaScript array n=["..",".."];
# single-character elements are padded with a leading 0
deobfuscate_type2 () {
  
  egrep '^n=\[' \
  | sed 's#n=\[##; s#\].*##' \
  | sed 's#"\([0-9a-z]\)"#"0\1#g'

}

# Keep only base-36 digits and join them into a single line
clear_digits () {
  
tr -dc '0-9a-z' \
| tr -d '\n'

}

# Test for type of obfuscation
DEOBFUSCATE="deobfuscate_type1"
egrep '^n=\[(".{1,2}",)*".{1,2}"\]' "$TMPDIR/testpage.html" >/dev/null && DEOBFUSCATE="deobfuscate_type2"

$DEOBFUSCATE < "$TMPDIR/testpage.html" \
| clear_digits > "$TMPDIR/coded_script"

# Radix: taken from $1 if given, otherwise guessed by piRadix
if [ -z "$1" ]
then 
  RADIX=`piRadix < "$TMPDIR/coded_script"`
else
  RADIX="$1"
fi  

piDecode $RADIX < "$TMPDIR/coded_script" > "$TMPDIR/decoded_script"

Bash-Shell-Script: deobfuscate V1R0M1

Usage:

deobfuscate < filename

See also my comment on LAB 69 on how to modify the Ruby script.

Update 2012-11-07: Today I got a landing page with an additional modification: They subtract 1 before they apply the fromCharCode.

This will require a small modification to the piRadix program. But it should be easy to guess this value.
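The whole pipeline described on this page (numbered attributes or the n=[...] array, the "=x" filler pairs, two-digit groups in a guessed radix, and the subtract-1 variant from the update) as one added Python example. This is not the author's shell scripts and not the piRadix/piDecode C programs; the radix and offset guess is my own assumption (it scores how JavaScript-like each candidate decoding looks, since the original piRadix heuristic is not on this page), and the two sample inputs are constructed, not real Blackhole content.

```python
"""Blackhole deobfuscation pipeline re-implemented in Python.

Added example: this is not the author's shell scripts nor the piRadix /
piDecode C programs. The radix and offset guess is an assumption (it scores
how JavaScript-like each candidate decoding looks); piRadix's own heuristic
is not on this page.
"""
import re
import string

# Characters expected in plain JavaScript, used only to score candidates.
JS_ALPHABET = set(string.ascii_letters + string.digits + " \t\r\n;=().,\"'")


def extract_type1(html):
    """Landing-page form: strings in numbered attributes such as 12="..."."""
    attrs = re.findall(r'(?<!\w)(\d{1,3})="([^"]*)"', html)
    # sort by attribute number, as `sort -n` does, then concatenate the values
    return "".join(v for _, v in sorted(attrs, key=lambda a: int(a[0])))


def extract_type2(js):
    """Attachment form: strings in a JavaScript array n=["..","..",...]."""
    m = re.search(r'\bn=\[([^\]]*)\]', js)
    if not m:
        return ""
    elements = re.findall(r'"([0-9a-z]{1,2})"', m.group(1))
    # single-character elements are zero-padded to two digits
    return "".join(e.rjust(2, "0") for e in elements)


def clean_digits(s):
    """Drop the two-character filler pairs starting with '=' and keep only
    base-36 digits (the page's `sed 's#=.##g' | tr -dc '0-9a-z'`)."""
    return re.sub(r"[^0-9a-z]", "", re.sub(r"=.", "", s))


def decode(digits, radix, offset=0):
    """Decode two-digit groups in `radix`; `offset` is subtracted before
    fromCharCode (offset=1 is the 2012-11-07 variant)."""
    return "".join(chr(int(digits[i:i + 2], radix) - offset)
                   for i in range(0, len(digits), 2))


def guess_radix(digits, offsets=(0, 1, 2)):
    """Return (radix, offset) whose decoding looks most like JavaScript.
    Only radices above the largest digit are possible; candidates that
    produce non-printable characters are rejected, the rest are scored."""
    if not digits or len(digits) % 2:
        raise ValueError("digit string is empty or has odd length")
    min_radix = max(int(d, 36) for d in digits) + 1
    best = None
    for offset in offsets:
        for radix in range(min_radix, 37):
            try:
                text = decode(digits, radix, offset)
            except ValueError:        # chr() of a negative code
                continue
            if any(not (32 <= ord(c) < 127 or c in "\t\r\n") for c in text):
                continue
            score = sum(c in JS_ALPHABET for c in text) / len(text)
            key = (score, -offset, -radix)   # prefer smaller offset, then radix
            if best is None or key > best[0]:
                best = (key, radix, offset)
    if best is None:
        raise ValueError("no radix/offset yields printable output")
    return best[1], best[2]


def deobfuscate(text):
    """Whole pipeline: detect the form, extract, clean, guess, decode."""
    if re.search(r'^n=\[(?:"[^"]{1,2}",)*"[^"]{1,2}"\]', text, re.M):
        digits = clean_digits(extract_type2(text))
    else:
        digits = clean_digits(extract_type1(text))
    radix, offset = guess_radix(digits)
    return decode(digits, radix, offset), radix, offset


# Constructed samples, not real Blackhole content. Both encode `var ok=1;`
# in radix 19: a landing page with "=x" filler pairs and shuffled attribute
# order, and an attachment-style array using the subtract-1 variant.
LANDING_PAGE = '<div 2="601d=q5g" 1="64=x52" 3="5c34=k2b32"></div>'
ATTACHMENT = 'n=["65","53","61","1e","5h","5d","35","2c","33"];'

if __name__ == "__main__":
    for sample in (LANDING_PAGE, ATTACHMENT):
        script, radix, offset = deobfuscate(sample)
        print("radix=%d offset=%d -> %r" % (radix, offset, script))
```

Run it as a script and it reports radix 19 with offset 0 for the landing-page sample and radix 19 with offset 1 for the attachment sample, both decoding to `var ok=1;`. The scoring deliberately rejects any candidate that yields control characters and otherwise prefers the candidate with the most letters, digits and common JavaScript punctuation; on real pages a wrong guess shows up as an output full of odd symbols, so the returned radix and offset are worth printing next to the result.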