Avast does not detect Blackhole site

[polonus]

See: http://zulu.zscaler.com/submission/show/2d467803c374a4f426104303152c19d4-1341333799
See: http://vscan.urlvoid.com/analysis/eda6dc76935ef4206fa3b0d598beeab2/YWFpci1odG1s/  i detection
Detected here: http://sitecheck.sucuri.net/results/induktionskochplatte.tk/wp-admin/aair.html
Missed here: https://www.virustotal.com/url/bd5f1b2213b3e8057483e96c98fa20f4127420f8a19d1970f175dfc4ddb01416/analysis/1341333989/
http://urlquery.net/queued.php?id=81471
various IDS alerts for
Detected BlackHole exploit kit HTTP GET request
Detected Live BlackHole exploit kit
Detected malicious injected iframe

reported to virus AT avast dot com,

polonus

[polonus]

Same pattern found here: http://urlquery.net/report.php?id=81490
princess-sales dot net/main.php?page=3eeb1d64e259a3cf
     status: (referer=htxp:/twitter.com/trends/)saved 62768 bytes 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62cfailure: [Errno 13] Permission denied: '/var/wXw/maliciousips.txt'
     info: [decodingLevel=0] found JavaScript
     info: DecodedGenericCLSID detected CA8A9780-280D-11CF-A24D-444553540000 BD96C556-65A3-11D0-983A-00C04FC29E36 d27cdb6e-ae6d-11cf-96b8-444553540000 D27CDB6E-AE6D-11CF-96B8-444553540000
     malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./../44c9f31.ex-
     file: 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62c: 62768 bytes
     file: a79e179909484d491a47ac37cc5d65743a8792a3: 16757 bytes

polonus

[!Donovan]

VirusTotal: https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341335845/
Not detected by any antivirus..

[REDACTED]

aair.html
https://www.virustotal.com/file/b2dbcb17cefa879cb3067abcfefb52430faf7fcc5584ca23764da6aa3732c827/analysis/1341336075/
http://wepawet.iseclab.org/view.php?hash=eda6dc76935ef4206fa3b0d598beeab2&type=js

https://www.virustotal.com/file/c0c1637f4808953c89e4f52ad2fe59f0ee3a6817e9b583939c5d827b33bfc719/analysis/1341335550/

Exploit.BlackHole


reported to virus AT avast dot com,

[polonus]

Hi !Donovan,

What did the shellcode there translate to? Is it a variant of what avast detects as JS:ShellCode-AF[Expl]?
See: http://forum.avast.com/index.php?topic=99293.0

Shellcode , see attached image..
It checks for various OS browser config to infect with Shockwave flash plug-in malware...

polonus

[!Donovan]

VirusTotal: https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341335845/
Not detected by any antivirus..

4 Now Detect.

Code: [Select]

AntiVir    JS/Agent.ajy
AVG        Script/Exploit.Kit
Microsoft Exploit:JS/Blacole.GB
Sophos    Mal/ExpJS-Nhttps://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341363413/
----------------------
[July 4th Update] 2 More Detect.

Code: [Select]

Emsisoft Exploit.JS.Blacole!IK
Ikarus      Exploit.JS.Blacole
https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341405519/

[polonus]

Hi !Donovan,

How about this one (IDS is clear with all alerts): http://urlquery.net/report.php?id=82387
Here it is missed: http://zulu.zscaler.com/submission/show/06768700d558a42f1768359dbc0d1fc3-1341430078

polonus

[!Donovan]

The reason Zulu missed is likely because the content of the URL couldn't be retrieved, hence HTTP Status Code: 500 Server Unavailable.

[...]Some people get the “domain suspended due to abuse” message while others get redirected to [link removed] and [link removed], which suggests that there is some server-side logic that filters traffic (probably by IP, Referrer , etc.)

http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

I had to resort to my old HTML viewer. All other advanced HTML fetching programs returned a 302 error. So I also confirm this.

After finally getting the code, I was able to upload to VirusTotal. Results:
https://www.virustotal.com/file/8c029ebba00ddc3e9c15c07679f0ce6e6eb8edb897c429cbe2d17b6ddd40bce7/analysis/1341434784/


0/42..

[polonus]

Hi !Donovan,

As I reported to you pseudo random domains are now being blocked by the avast Network shield.
I am delighted avast has us all protected here.
Other users read here: http://forum.avast.com/index.php?topic=100691.0


polonus

[polonus]

Another one with a block of malcious obfuscated script: http://urlquery.net/report.php?id=83006  12 x IDS alert
Code there is heavily obfuscated JavaScript and is hosting a BlackHole Exploit Kit
The BlackHole Exploit Kit is serving the following exploits:
Java Rhino | Java OBE | PDF ALL | PDF LIBTIFF | HCP | FLASH
Sucuri finds it: http://sitecheck.sucuri.net/results/afisha76.ru/acinfo.html  and detects MW:ANOMALY:SP7 malware

polonus

[Left123]

Another one with a block of malcious obfuscated script: http://urlquery.net/report.php?id=83006  12 x IDS alert
Code there is heavily obfuscated JavaScript and is hosting a BlackHole Exploit Kit
The BlackHole Exploit Kit is serving the following exploits:
Java Rhino | Java OBE | PDF ALL | PDF LIBTIFF | HCP | FLASH
Sucuri finds it: http://sitecheck.sucuri.net/results/afisha76.ru/acinfo.html  and detects MW:ANOMALY:SP7 malware

polonus

Philip

[polonus]

Hi Left123,

Thanks for that. An image can say more on malcode than thousands of words,

polonus

[!Donovan]

Sucuri defines MW:ANOMALY:SP7 as suspicious, so I assume that they do not have any records for this malware at hand..yet.

Only 1 detect here: https://www.virustotal.com/file/eecaab8dd661421a1731e0baff23827e17a272de98de6ce3dbed6f00d60e933b/analysis/1341502238/

Edit: As for the BlackHole Landing Page: https://www.virustotal.com/file/8602f7d47c9ae4cd90743760ae4d7238d87fc8ce236c7e639a6b64b4d71c7154/analysis/1341503045/
0/42..
Edit 2: Quick detection by Sophos-- Sophos    Mal/ExpJS-N    20120705

==================

[July 5th Update] 8 Total Detect: (Code received in post 2)

Code: [Select]

AntiVir JS/Agent.ajy
AVG          Script/Exploit.Kit
Emsisoft  Exploit.JS.Blacole!IK
Ikarus    Exploit.JS.Blacole
McAfee    JS/Exploit-Blacole.ec
Microsoft Exploit:JS/Blacole.GB
NOD32    JS/Kryptik.QT
Sophos    Mal/ExpJS-Nhttps://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341501382/

[polonus]

Hi !Donovan,

Thanks for keeping a finger onto the pulse of that VT detection for us.
Now you probably see how important it was when urlquery brought that Emerging Threats IDS in
and in a second instance snort IDS to their scanning engine.
It really detects a lot of anomalous patterns in webtraffic vital for early detection of these undetected sites and their malicious patterns.
Html and script analysis also will turn the light on the nature of these sites (Sucuri),
but I find a lot are still going under the normal av solution/anti-malware radar for too long,

polonus

[!Donovan]

After finally getting the code, I was able to upload to VirusTotal. Results:
https://www.virustotal.com/file/8c029ebba00ddc3e9c15c07679f0ce6e6eb8edb897c429cbe2d17b6ddd40bce7/analysis/1341434784/


0/42..

20 hours later 3/42 detect..

Code: [Select]

Commtouch              JS/Blacole.BZ
F-Prot              JS/Blacole.BZ
Sophos            Troj/ExpJS-FB
@Polonus
Indeed, the new IDS alerts are very useful.

I also agree with you. The AV industry need to be more proactive in detecting these exploits.