A mass injection campaign has been started by attackers who are using the BlackHole exploit kit, in which a number of high traffic influx websites are hacked and injected with an iframe that redirects users to a BlackHole server. The number of websites infected gives a fair idea about the popularity of this toolkit in the crimeware industry. Among the number of websites hacked there is a popular news website in Africa, a popular website among techies, and an official website for colleges overseas. The below image shows the common iframe injected across all affected websites:
The script is decoded by the “getSeconds();” value retrieved from the Date Class. The below image shows the decoded iframe:
The iframe redirects users to the malicious site, which contains the following obfuscated code:
The obfuscated script decodes to a number of popular exploits. The following is a list of the exploits served:
CVE-2010-1885: Help Center URL Validation Vulnerability
CVE-2006-0003: Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
CVE-2009-1671: Sun Java Runtime Environment ActiveX Control Remote Buffer Overflow Vulnerability
The following code checks the version of Adobe Acrobat installed and accordingly serves the malicious PDF:
The below image shows the obfuscated content inside the PDF once it is downloaded:
The decoded script contains three PDF vulnerabilities:
CVE-2008-2992: Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability
CVE-2009-0927: Adobe Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability
CVE-2009-4324: Adobe Reader 'newplayer()' JavaScript Method Remote Code Execution Vulnerability
The good news is that our customers are protected from this attack. We at Symantec urge our readers to install all security patches and definitions regularly.