(Image: Blackhole detections, 2H 2011)


The Blackhole Exploit kit has received a complete makeover. The authors have rewritten the code from scratch in order to evade detection by the majority of anti-virus programs. This exploit kit is probably the most successful (and, for PC users, most dangerous) piece of malware around at the moment, and it relies for its success on users who haven't updated their operating systems, browsers, and widely used applications such as Flash, Adobe Reader and Java.

The creators of the infamous Blackhole exploit kit have announced version 2.0 of the malware, claiming to have rewritten the code entirely from scratch so as to evade popular antivirus software. The kit includes noteworthy and nasty tricks, such as the use of short-term, random URLs for delivering exploits, but perhaps in recognition of the still-struggling global economy, the kit's creators aren't changing pricing.


According to Sophos, the Blackhole exploit kit is "the most popular drive-by malware we've seen recently.... It offers sophisticated techniques to generate malicious code. And it's very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious."


In the past few months alone, malicious hackers have used Blackhole to exploit an unpatched MSXML flaw; to exploit Java vulnerabilities; to infect users with fake AV (antivirus) programs via Twitter spam campaigns; and to distribute the GameOver Trojan via a fake U.S. Airways-themed email campaign.



Blackhole 2.0 has also been trimmed of old exploits that have since been fixed, replacing them with a new batch. Further, the creators have broadened the number of OSes the malware can recognize, adding Windows 8 and unspecified mobile platforms to the list, "giving the attacker the ability to break down the amount of traffic he's getting from machines running each individual OS".


The exploit kit is customisable, so the list of exploits given in the InfoWorld article above is certainly incomplete.



(Image: Top exploits, 1H 2012)

The latest Security Intelligence Report from Microsoft (vol. 13) has this to say about the exploit kit in its Summary section:

Blacole, a family of exploits used by the so-called “Blackhole” exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012.


Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.


These attacks frequently use JavaScript or IFrames to execute a drive-by attack, one in which simply visiting a compromised website is sufficient to activate the malicious code and download malware to a user's system.


A drive-by download site is a website that hosts one or more exploits that target specific vulnerabilities in web browsers, and browser add-ons. Malware distributors use various techniques to attempt to direct Internet users to Web sites that have been compromised or are intentionally hosting hostile code. Users with vulnerable computers can be secretly infected with malware simply by visiting such a website, even without attempting to download anything themselves.


This technique usually involves posting exploit code to a legitimate website, either by gaining access to the site through intrusion or by posting malicious code to a poorly secured Web form, like a comment field on a blog. In most cases, the exploit code itself is hosted on a different website and is exposed through the compromised webpage using a technique like a URL embedded in malicious script code or an inline frame, called an IFrame for short. An IFrame is an HTML document that is embedded in another HTML document.


During a drive-by download attack, an IFrame is typically used to load a separate HTML page into a window on the current page. Inline frames can be as small as a single pixel making them impossible to detect with the naked eye. Because the IFrame loads another webpage, it can be used by criminals to place malicious HTML content, such as a script that downloads and installs malware, into non-malicious HTML pages hosted by trusted websites.


(Microsoft Security Blog, December 8 2011)
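The hidden, pixel-sized IFrame described in the quoted passage is something a defender can look for in the HTML of their own pages. The following is an added example (not code from the original article or from Microsoft): it parses an HTML document with Python's standard library and flags IFrames that are both invisible (tiny or hidden by style) and loading content from a host other than the page's own. The sample HTML and the hostnames in it are constructed for illustration and are not real indicators.

```python
"""Added example: flag hidden IFrames that pull content from another host,
the pattern used to inject drive-by exploit pages into trusted sites.
The sample HTML below is constructed; '.example' and '.invalid' hosts are
placeholders, not real indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # a frame this small (or smaller) is invisible to the user


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse '1', '1px' or '1.0' into a float; None for percentages or junk."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(px)?\s*", value or "")
    return float(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the frame is sized or styled so that nobody would see it."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
        return True
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    return any(s in style for s in ("display:none", "visibility:hidden",
                                    "width:0", "height:0"))


def is_offsite(src, page_host):
    """True if src points at a host other than the page that embeds it."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_host):
    """Return the src of every frame that is hidden AND loaded from elsewhere."""
    p = IframeCollector()
    p.feed(html)
    return [f.get("src", "") for f in p.iframes
            if is_hidden(f) and is_offsite(f.get("src", ""), page_host)]


# Constructed sample: a blog page with one visible widget and two hidden frames.
SAMPLE_HTML = """<html><body><p>Welcome to the blog.</p>
<iframe src="https://www.blog.example/widget" width="300" height="200"></iframe>
<iframe src="http://landing.attacker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://cdn.partner.example/ad" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "www.blog.example"):
        print("suspicious iframe:", src)
```

Hidden third-party frames used legitimately (ad or tracking pixels) trip the same heuristic, so the output is a triage list to review against the site's known embeds, not a verdict.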



Further information:


"What You Should Know About Drive-By Download Attacks - Part 1" (Microsoft Security Blog, December 8 2011)

"Same Operation, Diversification of Targets Being Spoofed: Current Black Hole Exploit Kit Spam Runs" (Trend Micro, June 12)

"The Rise of the "Blackhole" Exploit Kit: The Importance of Keeping All Software Up To Date" (Microsoft Security Blog, July 19)

"Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit" (Websense, September 13)

"Blackhole Exploit Kit updates to 2.0" (Websense, September 13)

"Blackhole 2.0 Beta Tests In The Wild?" (Trend Micro, September 14)

"The various spam campaigns leading to Blackhole" (Help Net Security)


"McAfee Labs Threat Advisory - Blackhole Exploit Kit"

Microsoft Encyclopedia entry: JS/Blacole

Microsoft Encyclopedia: detailed description of JS/Blacole

"Microsoft Security Intelligence Report Vol. 13"