BleedingLife Malvertisement Campaign

This particular malvertisement shows that attackers are getting a little sneakier. Here's an innocent website that was involved in a drive-by download recently.

The source code reveals little. You could easily dismiss the JavaScript as typical code for an ad. Usually you'd see an obvious iframe tag pointing to a suspicious-looking domain.

But following the link leads you to the ad page, where things become much clearer.

Let’s have a look at the suspicious code at the bottom of the page.

The obfuscation won't make your head hurt, but it is quite clever and uses a couple of new techniques to throw you off. It starts by defining two arrays, one containing hex values and the other decimal values. A new array is then created by joining the first two pairwise, so each element is a decimal value followed by a hex value. What you get is this:

185,79
41,9d
462,66
and so on…

It then sorts the array on the decimal value, which turns out to be the position of each hex byte, to put the values in the right order. Nice.

0,7a
1,b1
2,a1

Next, it prepends a % character to each hex value and joins them all up into one long escape-sequence string.

That string is passed to a function that unescapes it, turning each %xx into a single character.

We're nearing the finish line. Down at the very bottom, the "Iye" function takes the unescaped characters one at a time, along with a decimal value of 62. It first sends its own array of numbers up to the "DCl" function, where each decimal value is used as an index to look up a character in the "Muk" variable. "Iye" does the same again for its second array. This is the line I'm referring to:

jnf[mGZ] = String[DCl([11, 21, 24, 36, 22, 10, 8, 21, 22, 24, 56, 32], 0)](te3[DCl([28, 10, 8, 21, 22, 24, 56, 32, 2, 44], 0)](mGZ) - Tka);

The two look-ups translate to "fromCharCode" and "charCodeAt", which turns the line above into the following:

jnf[mGZ] = String.fromCharCode(te3.charCodeAt(mGZ)-Tka);

What this line does is subtract 62 from the value 122 (which is the 7Ah from above), leaving 60, and convert that to the character "<".

The second converted value in the array is 177 (B1h); less 62 equals 115. Convert that to ASCII and you get "s".

The third value is 161 (A1h); less 62 is 99, which is "c".

You keep going until you get this:
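The whole pipeline end to end, as an added example that is not the captured ad's code: it builds the two arrays from a constructed plaintext, then runs the sort, the % join, unescape, the "DCl" look-up and the subtract-62 loop, reusing the variable names quoted above (Muk, Tka, DCl, Iye, te3, jnf, mGZ). The contents of the Muk alphabet beyond the twelve positions that the two DCl calls pin down, the sample plaintext and the scrambled array order are assumptions made for this example.

```javascript
// Added example (not the malvertisement's own code): the decoding pipeline
// described in the post, re-implemented so it can be run offline on a
// constructed payload. Muk, Tka, DCl, Iye, te3, jnf and mGZ are the
// obfuscator's names as quoted above; the alphabet filler, the sample
// plaintext and the scramble order are assumptions for this demo.

// The two DCl() calls quoted in the post fix twelve positions of the "Muk"
// lookup string (they must spell "fromCharCode" and "charCodeAt"). Every
// other position is filler chosen here, so this is NOT the real Muk.
function buildAlphabet() {
  const known = { 2: 'A', 8: 'a', 10: 'h', 11: 'f', 21: 'r', 22: 'C', 24: 'o',
                  28: 'c', 32: 'e', 36: 'm', 44: 't', 56: 'd' };
  const filler = '0123456789BDEFGHIJKLMNOPQRSTUVWXYZbgijklnpqsuvwxyz!#$&*+-_=';
  let f = 0, out = '';
  for (let i = 0; i < 64; i++) out += known[i] !== undefined ? known[i] : filler[f++];
  return out;
}
const Muk = buildAlphabet();

// DCl: turn a list of indices into a string by looking each one up in Muk.
// (The second argument, 0 in the quoted call, is accepted but unused here.)
function DCl(indices, _unused, alphabet = Muk) {
  return indices.map((i) => alphabet[i]).join('');
}

// Stage 1: pair the decimal array with the hex array ("185,79", ...), sort
// numerically on the decimal value ("0,7a", "1,b1", ...), prepend '%' to each
// hex byte, join, and unescape() the result to get the shifted string te3.
// A numeric comparator matters: the default sort() is lexicographic.
function stage1(hexVals, decVals) {
  const pairs = hexVals.map((h, i) => `${decVals[i]},${h}`);
  pairs.sort((a, b) => parseInt(a, 10) - parseInt(b, 10));
  const escaped = pairs.map((p) => '%' + p.split(',')[1]).join('');
  return unescape(escaped);
}

// Stage 2: the quoted "Iye" line with the same structure: resolve the method
// names through DCl, then subtract Tka from every char code.
function Iye(te3, Tka) {
  const jnf = [];
  for (let mGZ = 0; mGZ < te3.length; mGZ++) {
    jnf[mGZ] = String[DCl([11, 21, 24, 36, 22, 10, 8, 21, 22, 24, 56, 32], 0)](
      te3[DCl([28, 10, 8, 21, 22, 24, 56, 32, 2, 44], 0)](mGZ) - Tka);
  }
  return jnf.join('');
}

function deobfuscate(hexVals, decVals, Tka = 62) {
  return Iye(stage1(hexVals, decVals), Tka);
}

// Constructed sample: build the two arrays the way the obfuscator would, from
// an assumed plaintext. The positions are scrambled by sorting on the hex
// value so the arrays arrive out of order, as in the captured script.
function buildSample(plain, Tka = 62) {
  const order = [...plain].map((_, i) => i);
  const hexAt = (i) => (plain.charCodeAt(i) + Tka).toString(16).padStart(2, '0');
  order.sort((a, b) => (hexAt(a) < hexAt(b) ? -1 : hexAt(a) > hexAt(b) ? 1 : a - b));
  return { hexVals: order.map(hexAt), decVals: order };
}

// Assumed plaintext; example.invalid is a placeholder, not a real domain.
const SAMPLE_PLAIN = '<script src="http://example.invalid/ad.js"></script>';
const sample = buildSample(SAMPLE_PLAIN);
console.log(sample.hexVals.slice(0, 3), sample.decVals.slice(0, 3));
console.log(deobfuscate(sample.hexVals, sample.decVals));
```

Run it with node. Because the sample starts with "<sc", the first three bytes of te3 come out as 7Ah, B1h and A1h, exactly the values in the post, which is a quick sanity check that the shift of 62 is the right one before decoding the rest.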

The iframe calls up a TDS (traffic distribution system) server, which redirects you to another server that delivers an exploit appropriate for your browser/PC. The exploit kit used in this campaign is called BleedingLife v2 Reloaded, the sixth iteration of the kit.

Variants: BL v1, BL v2, BL Mini-Java, BL Java Edition, BL Adobe Edition, and now BL v2 Reloaded.

Exploits in this version:

  • CVE-2008-2992
  • CVE-2010-0188
  • CVE-2010-0842
  • CVE-2010-1297
  • CVE-2010-2884
  • CVE-2010-3552
  • JavaSignedApplet (requires user interaction but can be disabled)
  • All exploits bypass ASLR and DEP where needed

BleedingLife v2 Reloaded costs $400 to new buyers.

Posted on: 04/11/2011