Author Topic: Blackhole exploit: Compromised sites  (Read 9602 times)

0 Members and 1 Guest are viewing this topic.

October 02, 2012, 02:49:09 pm
Read 9602 times

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Quote
Looking at a recent case of a compromised site, I noticed something rather surprising - they're not even bothering to try and make the code difficult to decode. I'm pondering of course, the thought that this is deliberate, due to the changes in v2.0 of the Blackhole exploit (others have already written about that [1] [2], so won't go into that here), but even if this is the case, the choice of using far less complex code on compromised sites, is puzzling to say the least.

Read more
http://hphosts.blogspot.co.uk/2012/10/blackhole-exploit-compromised-sites.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 02, 2012, 06:08:54 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
There is only one thing in your article that I don't understand.

Why do want to modify the code?  It works unmodified in Malzilla.
Ok, you are getting a list of eval results. All you have to do is opening the last one at the bottom.
Ruining the bad guy's day

October 03, 2012, 05:04:45 pm
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
It wouldn't actually work unmodified when I tried it in Malzilla, regardless of the settings I tried (others normally work depending on the eval() setting used, but this one error'd out every time, until the code was modified).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 03, 2012, 05:30:07 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Hmm, what version are you using ?

I'm using version 1.2.1.0, an unofficial beta  version. Maybe it behaves different than 1.2.0.
Ruining the bad guy's day

October 03, 2012, 08:20:34 pm
Reply #4

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net