Trojan:JS/BlacoleRef.CM is a detection name for an obfuscated JavaScript, often found inserted into compromised websites. This threat is designed to load a hidden IFrame that loads behind the user's browser, redirecting it to an exploit server known as "Blackhole".
Installation
A user may be infected when they visit a compromised webpage. A vulnerable webpage may allow an attacker to successfully inject a client-side script, which then executes when a user visits the compromised page.
Payload
Exploits vulnerable webpages
The BlacoleRef family is designed to load a hidden IFrame that references a malicious host, which exploits multiple known vulnerabilities in the browser. The malicious host reference contained within the obfuscated JavaScript varies, as the attacker usually has a control over it and may change it at anytime.
Additional information
This threat's payload may vary, depending on what the reference host distributes at the time of compromise. The combination of obfuscated JavaScript within a hidden IFrame referencing a malicious host, and the malicious host itself - which is responsible for dynamically generated content aimed at exploiting a variety of vulnerabilities on the user's computer - are controlled and could be modified by an attacker at any time. This allows it to be highly adaptable to attacker's needs.
The reference host is responsible for loading the main exploit code of "Blackhole", which attacks the computer by executing multiple known and "zero day" vulnerabilities through the browser.
For more information, see the description for the "Blackhole" exploit kit elsewhere in the encyclopedia.
Further reading
Get gamed and rue the day...
Analysis by Methusela Cebrian Ferrer