Author Topic: BlackHole Exploit's Pseudo-Random Algorithm--Ripped?  (Read 2420 times)

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
BlackHole Exploit's Pseudo-Random Algorithm--Ripped?
« on: June 29, 2012, 07:27:22 PM »
Compare:
2012 ~ http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains
2009 ~ http://stackoverflow.com/questions/424292/how-to-create-my-own-javascript-random-number-generator-that-i-can-also-set-the

Is it possible that the original algorithm came from this Stack Overflow question?

New lines given in the BlackHole Exploit Version:
---------
var s = d.getHours() > 12 ? 1 : 0;
---------

Lines moved in the BlackHole Exploit Version (moved to function generatePseudoRandomString(unix, length, zone)):
---------
var rand = new RandomNumberGenerator();
---------

Also, the function RandomNumberGenerator passes the variable "unix" in the BlackHole Exploit version and not in the original.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: BlackHole Exploit's Pseudo-Random Algorithm--Ripped?
« Reply #1 on: June 29, 2012, 10:53:06 PM »
Thanks for the heads-up on this threat, !Donovan,
80 pre-registered malcode domains detected,
the endless war between the dark and the light goes on,
but remember one candlelight can beat the dark's cover,
so shine on benevolent coders and analysts,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
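
The differences listed in the first post can be turned into a static check for already-deobfuscated script. This is an added example, not code from the thread, Symantec or Stack Overflow. Because the `RandomNumberGenerator` name also appears in the public 2009 code, it only triggers a manual review on its own, while the two kit-side lines quoted in the post raise the verdict. The marker names, verdict labels and both sample scripts are constructed for illustration.

```javascript
// Markers taken from the lines quoted in the first post of this thread.
const MARKERS = {
  // Shared with the public 2009 code, so weak evidence on its own.
  prngCtor: /new\s+RandomNumberGenerator\s*\(/,
  // "New line" in the kit version: a flag that flips once per day.
  halfDayFlag: /\.getHours\s*\(\s*\)\s*>\s*12\s*\?\s*1\s*:\s*0/,
  // Wrapper function the post says the constructor call was moved into.
  generatorFn:
    /function\s+generatePseudoRandomString\s*\(\s*\w+\s*,\s*\w+\s*,\s*\w+\s*\)/,
};

// Classify one deobfuscated script body.
// "suspicious": both kit-side markers present.
// "review":     any single marker (e.g. a benign reuse of the public PRNG).
// "clean":      no marker.
function classifyScript(source) {
  const hits = Object.keys(MARKERS).filter((name) => MARKERS[name].test(source));
  const kitSide = hits.filter((name) => name !== "prngCtor");
  let verdict = "clean";
  if (kitSide.length >= 2) verdict = "suspicious";
  else if (hits.length > 0) verdict = "review";
  return { verdict, hits };
}

// Constructed sample: a page that merely reuses the public PRNG name.
const SAMPLE_PUBLIC_PRNG = [
  "var rand = new RandomNumberGenerator();",
  "var pick = Math.floor(rand.next() * 10);",
].join("\n");

// Constructed sample: only the structure described in the post, with an
// empty function body (no generation logic is reproduced here).
const SAMPLE_KIT_SHAPE = [
  "var d = new Date();",
  "var s = d.getHours() > 12 ? 1 : 0;",
  "function generatePseudoRandomString(unix, length, zone) {",
  "  var rand = new RandomNumberGenerator();",
  "  return '';",
  "}",
].join("\n");

console.log(classifyScript(SAMPLE_PUBLIC_PRNG));
console.log(classifyScript(SAMPLE_KIT_SHAPE));
```

String matching like this only works after deobfuscation and misses renamed identifiers, so treat a "clean" result as no signal rather than as clearance.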