Xanda's Blog !~!

Detecting counter.php – The BlackHole Redirector

Apr
05

Have you ever came across the following line of code injected to your (or you visited) website

If I get it correctly, it is the BlackHole Exploit Kit redirector.

The pattern for this “counter.php” injected script will always be the same, so for system administrator or webmasters, you can use the following yara rule for your detection

rule counterPHPredirectBHEK
{
	meta:
		author = "adnan.shukor@gmail.com"
		description = "Detection rule to detect compromised page injected with invisible counter.php redirector"
		ref = "http://blog.xanda.org/2013/04/05/detecting-counter-php-the-blackhole-redirector"
		cve = "NA"
		version = "1"
		impact = 4
		hide = false
	strings:
		$counterPHP = /\<iframe\ src\=\"https?\:\/\/[a-zA-Z0-9\-\.]{4,260}\/counter\.php\"\ style\=\"visibility\:\ hidden\;\ position\:\ absolute\;\ left\:\ 0px\;\ top\:\ 0px\"\ width\=\"10\"\ height\=\"10\"\/\>$/
	condition:
		all of them
}

Thanks

P/S: MyYaraSIG guys, my Macbook is not able to be boot right now, will commit to the repo later