BlackHole Kit Doesn't Like Chrome
[Adnan, who is already an accomplished security researcher and blogger, has recently joined Blue Coat. He did this research a week or so ago, and wrote it up for our internal blog this week. Sorry about the delay in pushing it out, Adnan! -- C.L.]
Recently, we’ve started to see the BlackHole Exploit Kit (BHEK) using plain HTML files (instead of iframes) as redirectors to the exploit page.
Here is the source code for those .JS files:
When a victim is redirected to the PHP file that serves the real exploits, the script will first check the user agent string to identify the browser. If it is found to be Chrome, it will redirect the victim to yet another page, with a fake Chrome update installer.
Here is the VirusTotal scan result of the fake Chrome update installer: https://www.virustotal.com/file/a13483a02f4a52cbeea1387add13cb34b769c0fc7555c8c75c7f18060f0bc934/analysis/
If Firefox or Internet Explorer was used instead of Chrome, the PHP file will serve the normal BHEK payload, which will usually attempt to exploit multiple vulnerabilities that exist in Acrobat Reader, Java, and Internet Explorer.
So why not Chrome? I assume this is due to the features in Chrome itself that will ask for permission before running Java applets, and Chrome will also render PDF in its own built-in PDF reader (rather than using Adobe Reader). So if you want to perform a proper analysis on BHEK, make sure you 'wget' with the proper user agent, or use 'view-source' accordingly.
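As an added example (not code from the original post), here is a small Python script that fetches the same URL under several User-Agent strings and groups the responses by hash, so the kind of UA-dependent serving described above shows up as more than one group. The User-Agent strings, the helper names and the sample responses are constructed for illustration.

```python
import hashlib
import sys
import urllib.request

# Constructed User-Agent strings covering the browsers the post mentions,
# plus the default one a bare wget would send.
USER_AGENTS = {
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
    "msie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "wget": "Wget/1.14 (linux-gnu)",
}

# Constructed sample responses standing in for what a UA-cloaking server
# might return: one page for Chrome, a different page for everyone else.
SAMPLE_RESPONSES = {
    "chrome": b"<html><!-- constructed: fake browser update page --></html>",
    "firefox": b"<html><!-- constructed: regular landing page --></html>",
    "msie": b"<html><!-- constructed: regular landing page --></html>",
    "wget": b"<html><!-- constructed: regular landing page --></html>",
}


def fetch(url: str, user_agent: str, timeout: int = 20) -> bytes:
    """Hypothetical helper: fetch url once while presenting user_agent.
    Only meant to be pointed at a sample from an isolated analysis box."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def compare_variants(responses: dict) -> dict:
    """Map each distinct response (by SHA-256) to the UA labels that got it.
    responses maps label -> body bytes. More than one key means the server
    chose its content based on the User-Agent."""
    groups = {}
    for label, body in responses.items():
        groups.setdefault(hashlib.sha256(body).hexdigest(), []).append(label)
    return {digest: sorted(labels) for digest, labels in groups.items()}


def is_ua_dependent(responses: dict) -> bool:
    """True when at least two User-Agents received different content."""
    return len(compare_variants(responses)) > 1


if __name__ == "__main__":
    # With a URL argument, fetch live; otherwise run on the constructed sample.
    bodies = ({label: fetch(sys.argv[1], ua) for label, ua in USER_AGENTS.items()}
              if len(sys.argv) == 2 else SAMPLE_RESPONSES)
    for digest, labels in compare_variants(bodies).items():
        print(digest[:16], len(bodies[labels[0]]), "bytes:", ", ".join(labels))
    print("UA-dependent content:", is_ua_dependent(bodies))
```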
That’s all from me for now. Stay safe!
-- Adnan Shukor