Blackhole - back bigger and better?

Opinion by Dan Raywood

A Pastebin statement recently emerged that announced the second version of the Blackhole exploit kit.

The statement, translated here, welcomes the reader to the "brand new version of the bundle of exploits".

It said: “For more than two years of existence of our project, the old engine arrival and ligaments badly worn, anti-virus companies have become very quick to recognise that this kind of criteria [is] Blackhole and flag it as malware. In the new version we have rewritten from scratch, and rewritten from scratch is not only part of the issuance of exploits, but also the admin panel.”

While the statement said that the prices to use the kit have remained the same, it did say that among a host of improvements are the ability to prevent the direct download of executable payloads, to only load exploit contents when a client is considered vulnerable and an ability to block TOR traffic.

It also claimed that "your executable will be protected from multiple downloads", meaning that anti-virus companies cannot fetch the payload again once old exploits have been removed, which effectively prevents the direct download of executable payloads.

It also said that it has "implemented maximum protection from automatic systems for downloading exploits [as] used by anti-virus" by generating a dynamic URL that is valid for only a few seconds and can be used by only one victim at a time.

Fraser Howard, a principal virus researcher at SophosLabs, said that some of the other additions that interested him were the ability to only load exploit contents when a client is considered vulnerable and a change from a predictable URL structure of filenames and query string parameter names.

Howard said: “The announcement also talks about improvements made to the admin interface. This is important - the author's business is marketing this exploit kit against others on the market. Improvements include several things designed to make it harder for researchers to harvest content from the exploit sites.”

Websense claimed that it found some malicious links in a recent email campaign that led to Blackhole, but with new obfuscation. It said: “We cannot confirm that this example is in fact version 2.0, but it won't be much of a surprise to see a new version of this kit using this new obfuscation.”

Speaking to SC Magazine, AVG CTO Yuval Ben-Itzhak, whose research into the exploit kit found that an average of 70 per cent of attacks were performed by variants of Blackhole, said that the majority of new Blackhole detections were on the new version of Blackhole.

He said: “The IP blocking techniques added to Blackhole version two will make it harder for researchers to find and add detections.”

Asked if he felt that the new version will make it even more effective, Ben-Itzhak said: “Yes, since they continue to change the obfuscation daily. However, since AVG is detecting the obfuscation used in the exploit kits it's not really that big of a change for us.

“Through normal tracking and monitoring AVG was already protecting users during the transition to the new version. So, though they continue to change the obfuscation daily, we are able to track and add detections as needed to protect AVG customers.”

The AVG research from earlier this year offered some insight into the prevalence of the exploit kit, and with notable additions to its functions and capabilities, Blackhole may just become much more efficient.
