Avast WEBforum

Other => Viruses and worms => Topic started by: !Donovan on June 04, 2012, 07:18:24 PM

Title: avast! does not detect: BlackHole Exploit Toolkit
Post by: !Donovan on June 04, 2012, 07:18:24 PM
See: https://www.virustotal.com/url/3345047f0ac663c69820d597570befbd3feeffacb35136a4defc7d1a14c40363/analysis/
And: https://www.virustotal.com/file/79b3bcf5269b102fe38c4888350154bd1fdde9454afddc2ad2e062437f4842fe/analysis/1338828393/

Only McAfee detects this zero-day blackhole exploit. And maybe because of the obfuscation method it uses:
"a" (see above) multiplied by "k" (number when crash occurred) - (12 % [modulus (division remainder)] "k")

And from there, the eval reads "s".

info: DecodedGenericCLSID detected D27CDB6E-AE6D-11CF-96B8-444553540000 CA8A9780-280D-11CF-A24D-444553540000
malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 13555 times)
See: http://cwe.mitre.org/data/definitions/416.html

More antiviruses need to detect this.

Title: Re: avast! does not detect: BlackHole Exploit Toolkit
Post by: Pondus on June 04, 2012, 07:33:17 PM
Well it is very new......on VT


First seen by VirusTotal
2012-06-04 16:46:33 UTC ( 44 minutter ago )

Title: Re: avast! does not detect: BlackHole Exploit Toolkit
Post by: !Donovan on June 04, 2012, 08:42:52 PM
The kind of CVE exploit comes from 2010.

Title: Re: avast! does not detect: BlackHole Exploit Toolkit [SOLVED]
Post by: polonus on June 04, 2012, 10:20:56 PM
Hi !Donovan & Pondus,

urlQuery alerts it: http://urlquery.net/report.php?id=63667 (not a lot of Blackhole that scanner lets slip by),
but what is the really good news here is that we are being protected by the avast Networkshield, that blocks connection to -main.php?page=4e9648fa89b4c6cc
as URL:Mal immediately. So we are being protected, my friends,

polonus



Title: Re: avast! does not detect: BlackHole Exploit Toolkit
Post by: polonus on June 04, 2012, 10:34:10 PM
Hi !Donovan and Pondus,

You have to be aware a lot of old malware is being revamped and being recycled to again make the rounds.
I see a lot of that going around lately. The detection patterns have left the memory of the older analysts and the young haven't met it yet, so it is as it is with fashion: `red polka dots` from 2007 now reappear as the latest trend for 2012. This goes even for the exploits being used again,

polonus

Title: Re: avast! does not detect: BlackHole Exploit Toolkit
Post by: !Donovan on June 04, 2012, 11:07:47 PM
I am now thinking that once a zero-day threat becomes less common the common antivirus removes definitions to save file space. :-\

Title: Re: avast! does not detect: BlackHole Exploit Toolkit
Post by: polonus on June 04, 2012, 11:20:57 PM
Hi !Donovan,

It is not dramatic, but they have to make a selection to make it go round for the general user to be best protected.
So what to include and what to leave out? The shields will do the additional....

polonus

Title: Re: avast! does not detect: BlackHole Exploit Toolkit
Post by: !Donovan on June 04, 2012, 11:42:11 PM
I assume you're right, Polonus. Too many definitions could slow things down.

It is nice that the netshield blocks the site. :)