Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: MysteryFCM on October 02, 2012, 02:49:09 pm

Title: Blackhole exploit: Compromised sites
Post by: MysteryFCM on October 02, 2012, 02:49:09 pm
Quote
Looking at a recent case of a compromised site, I noticed something rather surprising - they're not even bothering to try and make the code difficult to decode. I'm pondering of course, the thought that this is deliberate, due to the changes in v2.0 of the Blackhole exploit (others have already written about that [1 (http://blog.spiderlabs.com/2012/09/blackhole-exploit-kit-v2.html)] [2 (http://www.xylibox.com/2012/09/blackhole-20.html)], so won't go into that here), but even if this is the case, the choice of using far less complex code on compromised sites, is puzzling to say the least.

Read more
http://hphosts.blogspot.co.uk/2012/10/blackhole-exploit-compromised-sites.html
Title: Re: Blackhole exploit: Compromised sites
Post by: SysAdMini on October 02, 2012, 06:08:54 pm
There is only one thing in your article that I don't understand.

Why do you want to modify the code? It works unmodified in Malzilla.
OK, you are getting a list of eval results. All you have to do is open the last one at the bottom.
Title: Re: Blackhole exploit: Compromised sites
Post by: MysteryFCM on October 03, 2012, 05:04:45 pm
It wouldn't actually work unmodified when I tried it in Malzilla, regardless of the settings I tried (others normally work depending on the eval() setting used, but this one errored out every time, until the code was modified).
Title: Re: Blackhole exploit: Compromised sites
Post by: SysAdMini on October 03, 2012, 05:30:07 pm
Hmm, what version are you using?

I'm using version 1.2.1.0, an unofficial beta version. Maybe it behaves differently than 1.2.0.
Title: Re: Blackhole exploit: Compromised sites
Post by: MysteryFCM on October 03, 2012, 08:20:34 pm
1.2.1.0 here too.