Blackhole Exploit Kit 2.0 Gates

Identifying Fields in URI

/links/ OR /detects/ OR /watches/ OR /external/ OR /posts/ OR /lists/ OR /child/ OR /early/ OR /gained/ OR /Url/ OR /causes/ OR /sale/ OR /trial/ OR /close/ OR /final/ OR /receiving/ OR /values/ OR /ambiguous/ OR /Web/ OR /requesting/ OR /lived/ OR /channel/ OR /pleasing/ OR /counted/ OR /government/ OR /implementing/ OR /readers/ OR /decides/ OR /components/ OR /maintain/ OR /poor/ OR /fine/ OR /gather/ OR /proposal/ OR /amounts/ OR /construct/ OR /fresh/ OR /march/ OR /string/ OR /became/ OR /responses/ OR /combinations/ OR /mix/ OR /lasts/ OR /closest/ OR /inferior/ OR /tooths/ OR /look/ OR /amused/ OR /characters/ OR /score/ OR /begin/ OR /responses/
OR /bind/ OR /hours/ OR /walls/ OR /south/ OR /computing/ OR /an/ OR /except/ OR /up/ OR /channel/ OR /suit/ OR /glass/ OR /aims/ OR /covered/ OR /read/ OR /love/ OR /rates/ OR /covered/ OR /feeding/ OR /widely/ OR /purposes/ OR /company/ OR /ignoring/ OR /less/ OR /adfasdfksjdfn/ OR /tells/ OR /latest/ OR /duty/ OR /directly/ OR /freely/ OR /walls/ OR /movie/ OR /these/

Regex for .php GATE

\/(watches|links|detects|external|posts|lists|child|early|gained|Url|causes|sale|trial|close|final|receiving|requesting|values|ambiguous|Web|lived|channel|pleasing|counted|government|implementing|readers|decides|components|maintain|poor|fine|gather|proposal|amounts|construct|fresh|march|string|became|responses|combinations|mix|lasts|closest|inferior|tooths|look|amused|characters|score|begin|bind|hours|walls|south|computing|an|except|up|suit|glass|aims|covered|read|love|rates|feeding|widely|purposes|company|ignoring|less|adfasdfksjdfn|tells|latest|duty|directly|freely|movie|these)\/[a-z_-]+?\.php$

It should be mentioned that these words come from a dictionary the kit draws its gate directory names from. The ones listed above are those I've seen used most heavily; the complete list is fairly large, so the regex will miss gates that use a directory word not in this subset.

Examples:

http://yaocookery.info/links/came_broadcasting_taking-various.php
http://wacookery.info/links/busy-tasks-lacking.php
http://trafficsystem.crabdance.com/links/busy-tasks-lacking.php
http://epistlepu.info/links/busy-tasks-lacking.php
http://heipushbutton.info/links/came_broadcasting_taking-various.php
http://stupidestdia.info/links/busy-tasks-lacking.php
http://frightfulhi.info/links/busy-tasks-lacking.php
http://yahoowebstats4alexa.com/links/busy-tasks-lacking.php

References:

BEK2 on Malwaredomainlist.com

See examples of BEK2 Gates on UrlQuery.net

Update 20/3/2013

@ryancmoon tweeted a good regex for some of the more popular gates.

\/([wW]eb|links|string|[wW]atches|read|server|detects|thought|world|merits|kill)\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php$

This gives good results on UrlQuery.net too.
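As an added example that is not part of the original post, the following Python applies both patterns, the .php GATE regex above and @ryancmoon's tighter one, to URLs and shows where they differ. It matches on the URL path only (both patterns end in $, so a query string appended to a gate URL would otherwise defeat them). The proxy-log lines are constructed for the example: the first three URLs are taken from the post, the rest are made-up negatives and edge cases.

```python
import re
from urllib.parse import urlparse

# Regex from the post body, joined onto one line: the directory must be one of
# the dictionary words the author saw, and the filename is lowercase letters,
# underscores and hyphens ending in .php.
POST_RE = re.compile(
    r"/(watches|links|detects|external|posts|lists|child|early|gained|Url|causes|sale|trial|close|final|receiving|requesting|values|ambiguous|Web|lived|channel|pleasing|counted|government|implementing|readers|decides|components|maintain|poor|fine|gather|proposal|amounts|construct|fresh|march|string|became|responses|combinations|mix|lasts|closest|inferior|tooths|look|amused|characters|score|begin|bind|hours|walls|south|computing|an|except|up|suit|glass|aims|covered|read|love|rates|feeding|widely|purposes|company|ignoring|less|adfasdfksjdfn|tells|latest|duty|directly|freely|movie|these)/[a-z_-]+?\.php$"
)

# @ryancmoon's regex from the update: fewer directories, and the filename must
# be two to five lowercase words of 1-16 letters joined by '-' or '_'.
MOON_RE = re.compile(
    r"/([wW]eb|links|string|[wW]atches|read|server|detects|thought|world|merits|kill)/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php$"
)

RULES = {"post": POST_RE, "ryancmoon": MOON_RE}


def match_gate(url):
    """Return the sorted names of the rules whose regex matches the URL path.

    Only the path is tested: a query string or fragment would otherwise sit
    between '.php' and the '$' anchor and hide the gate.
    """
    path = urlparse(url).path
    return sorted(name for name, rx in RULES.items() if rx.search(path))


def gate_dir(url):
    """Return the gate directory (first capture group) or None if no rule hits."""
    path = urlparse(url).path
    m = POST_RE.search(path) or MOON_RE.search(path)
    return m.group(1) if m else None


def scan_log(lines):
    """Scan proxy-log lines of the form 'timestamp client_ip url' (constructed
    format for this example) and return (client_ip, url, matched_rules) for
    every line that hits at least one rule."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[1], parts[2]
        rules = match_gate(url)
        if rules:
            hits.append((client, url, rules))
    return hits


# Constructed sample log: lines 1-3 use URLs from the post (line 2 with an
# added query string), the rest are made-up negatives and edge cases.
SAMPLE_LOG = """\
1363737600.101 10.0.0.5 http://yaocookery.info/links/came_broadcasting_taking-various.php
1363737601.220 10.0.0.5 http://wacookery.info/links/busy-tasks-lacking.php?ref=mail
1363737602.330 10.0.0.7 http://trafficsystem.crabdance.com/links/busy-tasks-lacking.php
1363737603.440 10.0.0.9 http://example.com/links/index.php
1363737604.550 10.0.0.9 http://example.com/blog/busy-tasks-lacking.php
1363737605.660 10.0.0.9 http://example.com/links/busy-tasks-lacking.html
1363737606.770 10.0.0.9 http://example.com/Web/busy-tasks-lacking.php
1363737607.880 10.0.0.9 http://example.com/watches/Busy-Tasks.php
""".splitlines()

if __name__ == "__main__":
    for client, url, rules in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {','.join(rules)}")
```

The interesting row is /links/index.php: the post's regex accepts any lowercase filename under a dictionary directory, while @ryancmoon's requires the multi-word filename the kit actually generates, so it skips that one. Both patterns are case-sensitive on the filename, which is why Busy-Tasks.php is not flagged.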
