2013-06-29 - Evolution

Blackhole Exploit Kit goes 2.1.0, shows new URL Patterns


Paunch Announcement
Original text (Russian), translated:
------------------------------------------
Version 2.1.0

Small changes to functionality, delivery and other things

+ Rental now includes our domains, note: for the same money !!!
+ The option to drive traffic to your own domains is kept
------------------------------------------

I was not sure whether to write about this, since my first pass showed no noticeable change, but since at least yesterday morning a new URL pattern has appeared.

See this tailored (CVE-2011-3402) BH EK instance. Note the shrift.php request served as application/octet-stream: CVE-2011-3402 is the Windows TrueType font parsing vulnerability, and "shrift" (шрифт) is Russian for "font".

New Pattern in Blackhole Exploit Kit 2013-06-28
GET http://paidopleasures .com/ngen/controlling/london.php
200 OK (text/html)

GET http://paidopleasures .com/ngen/shrift.php
200 OK (application/octet-stream)

GET http://paidopleasures .com/ngen/controlling/london.php?pDtmU=ePRGAJRDWk&CMSgsQynkuLvs=JnhjMIPLmQY
200 OK (application/java-archive)

GET http://paidopleasures .com/ngen/controlling/london.php?gTYAkZyF=6435663034&KxTto=6c435445&nrmxDgWMK=336136383730663731383a3a333239363339363536333a3a64616232366534646537&twOEdKHjPxlfNw=EFvuAnQcZLhfFbp
200 OK (application/x-shockwave-flash)

GET http://paidopleasures .com/ngen/controlling/london.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A
200 OK (application/x-msdownload)

In that pass the payload was not encoded, so I thought this could be specific to this Blackhole instance.
Then I saw the same pattern on a Paunch-rented Blackhole...

Paunch Rented BH EK 2.1.0 showing new URL Pattern 2013-06-29
GET http://ufaluwozub.bounceme .net/fine/shape-creation.php
200 OK (text/html)

GET http://ufaluwozub.bounceme .net/fine/shape-creation.php?yQomhhoPDPwQ=3433333738&laHbfi=42516374&TpIaPwMbCOJnpDO=30313636613435353332&eLdQQ=IBjKTFIkTbBQdqq
200 OK (application/x-shockwave-flash)

GET http://ufaluwozub.bounceme .net/fine/shape-creation.php?CgdWKXmfoKifsN=sZOssufdRLslud&pcxuSaClYajZ=bscvVVsmaEL
200 OK (application/java-archive)

GET http://ufaluwozub.bounceme .net/fine/shape-creation.php?Gf=3433333738&We=30313636613435353332&l=30&oZ=B&ln=U&jopa=1192361
200 OK (application/x-msdownload)

Note for comparison: the same Blackhole instance, in another thread, on 2013-06-25:
Paunch Rented BH EK 2.1.0 showing "old" pattern on 2013-06-25
A quick look shows that parameter names now also include capital letters, and that the second parameter of the payload request (successful infection) moved from:

((1[f-o]|2[v-w]|3[0-3]):){9}(1[f-o]|2[v-w]|3[0-3]) 

to 

(3[0-9]|6[1-6]){10}

<edit1: 2013-07-29> This second parameter is now more dynamic; this regexp is not valid anymore. <edit1>
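To make the change concrete, here is an added example (mine, not from the post and not the kit's code) that runs the two regexes quoted above over the payload requests captured above and decodes the new-style values. The 2.1.0 regex (3[0-9]|6[1-6]){10} is just the hex encoding of ten ASCII hex digits (0x30-0x39 = "0"-"9", 0x61-0x66 = "a"-"f"), so the script generalises it to any even-length hex value that decodes to printable ASCII; that also unpacks the long parameter of the Flash request, which turns out to be three such fields joined by "::" (hex 3a3a), the first of them identical to the Ne value of the payload request. The URLs are the ones captured above with the defanging space removed; the old-style value in the usage note is constructed to match the old regex and is not from a capture. Per the edit above, the {10} regex only describes captures from late June 2013.

```python
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit

# The two second-parameter regexes quoted in the post (old BH 2.0 style and
# the 2.1.0 style seen on 2013-06-28/29), anchored to the whole value.
OLD_RE = re.compile(r"^((1[f-o]|2[v-w]|3[0-3]):){9}(1[f-o]|2[v-w]|3[0-3])$")
NEW_RE = re.compile(r"^(3[0-9]|6[1-6]){10}$")


def payload_style(url: str) -> Optional[str]:
    """Classify a payload (x-msdownload) request by its second query value."""
    values = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if len(values) < 2:
        return None
    if OLD_RE.match(values[1]):
        return "old"
    if NEW_RE.match(values[1]):
        return "new"
    return None


def decode_hex_params(url: str) -> Dict[str, str]:
    """Return every query value that is an even-length hex string decoding to
    printable ASCII, keyed by its (randomised) parameter name.

    This generalises the (3[0-9]|6[1-6]){10} regex: any length is accepted,
    and hex-encoded "::" separators (3a3a) come out as literal colons."""
    out: Dict[str, str] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) < 2 or len(value) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", value):
            continue
        raw = bytes.fromhex(value)
        if all(0x20 <= b < 0x7F for b in raw):
            out[name] = raw.decode("ascii")
    return out


# Requests copied from the captures above (defanging space removed so they
# parse): the two payload requests and the Flash request of the tailored kit.
CAPTURES = {
    "tailored payload": "http://paidopleasures.com/ngen/controlling/london.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A",
    "rented payload": "http://ufaluwozub.bounceme.net/fine/shape-creation.php?Gf=3433333738&We=30313636613435353332&l=30&oZ=B&ln=U&jopa=1192361",
    "tailored flash": "http://paidopleasures.com/ngen/controlling/london.php?gTYAkZyF=6435663034&KxTto=6c435445&nrmxDgWMK=336136383730663731383a3a333239363339363536333a3a64616232366534646537&twOEdKHjPxlfNw=EFvuAnQcZLhfFbp",
}


def analyse_captures(captures=CAPTURES):
    """Map each label to (style, decoded params) for the URLs above."""
    return {label: (payload_style(u), decode_hex_params(u)) for label, u in captures.items()}


if __name__ == "__main__":
    for label, (style, decoded) in analyse_captures().items():
        print(f"{label}: style={style}")
        for name, text in decoded.items():
            print(f"  {name} = {text}")
```

Running it shows both payload requests classified as "new", with Pf/Ne decoding to d5f04 and 3a6870f718 (and Gf/We to 43378 and 0166a45532), while the Flash request's nrmxDgWMK value decodes to 3a6870f718::3296396563::dab26e4de7. A constructed old-style query such as ?a=1f:1g:2v:30:1h:1i:2w:31:1j:1k&b=1f:1g:2v:30:1h:1i:2w:31:1j:1k is classified as "old". The decoder deliberately ignores the parameter names, which the kit randomises, and keys on the value encoding instead.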


I am not sure why the URL pattern change only shows up a week after the upgrade announcement.