New version of Blackhole exploit kit

Filed Under: Featured, Mobile, SophosLabs, Vulnerability

Yesterday there were reports of an announcement that a new version (v2.x no less) of Blackhole exploit kit is on its way.

Blackhole is arguably the most successful exploit kit we have seen over the past couple of years, and we have described it in detail before (v1.x). The opening paragraph sets out what appears to be the main aim of the new version - improve how well they evade security measures:

Are pleased to welcome you to a brand new version of the bundle of exploits. For more than 2 years of existence of our project, the old engine arrival and ligaments badly worn, AV companies have become very quick to recognize that this kind of criteria BlackHole and flag it as malware.

Further down in the announcement are several interesting claims, some of which are summarised below:

  • prevent direct download of executable payloads
  • only load exploit contents when client is considered vulnerable
  • drop use of PluginDetect library (performance justification)
  • remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC)
  • change from predictable url structure (filenames and querystring parameter names)

Good to see that we are seen to not be sleeping :)

Developed and implemented a lot more features about which bragging and shouting in public is simply not reasonable, because competition and the AV companies do not nap.

The announcement also talks about improvements made to the admin interface. This is important - the author's business is marketing this exploit kit against others on the market. As you can see, improvements include several things designed to make it harder for researchers to harvest content from the exploit sites:

  • update machine stats to include Windows 8 and mobile devices
  • better breakdown of plug-in version information
  • improved checking of referrer
  • block TOR traffic

Information about the pricing of the new version is also provided.

Rent on our server:
-Day rental - $ 50 (limit traffic 50k hits)
-Week rental - $ 200 (limit traffic 70k hits a day)
-Month rental - $ 500 (limit traffic 70k hits a day)
if needed, traffic limit can be raised for the additional fee

The license for your server:
-License for 3 months $ 700
-The license for six months $ 1,000
License for 1 year $ 1500

multidomain bundle version - $ 200 one-time fee for the duration of the license (not binding to the domain and the ip)
change of the domain on the standard bundle version - $ 20
change ip for multidomain bundle version - $ 50
a one-time cleaning - $ 50
auto-updates for a month - $ 300 (auto-update, as soon as your cryptor is identified)

So, fun times ahead it would appear. Watch this space for an update when we actually start seeing this new version of the kit in use.

Thanks to Anna S for assistance in translating portions of the text.


You might like

8 Responses to New version of Blackhole exploit kit

  1. Bart · 1120 days ago

    Could you please explain to me why would the authors of BlackHole want to block TOR traffic?


  2. Nigel · 1120 days ago

    Such brashly open scumbaggery makes me want to resign from the human species. Do the douche bags who write such crimeware have no conscience whatsoever?

    OK...that's a rhetorical question. I already know the answer is "No". It just blows my mind that such unabashedly malicious knaves can actually live with themselves.

  3. Michael · 1120 days ago

    This is what makes me want to get into the AV and security business

    Got qualifications in computing but no experience so no one willing to try

    pain :(

  4. Johann · 1119 days ago

    You should really hire a better translator. The main point was more or less left in tact, but it reads like something that was run through Google translate. This type of translation may be fine for internal work, but it looks really bad in a public blog; especially to those of us fluent in both languages. Next time you need a quick and dirty translation, drop me a line and I'd be happy to help.

  5. Jack · 1119 days ago

    Maybe a group should be working to make a blackhole kit to use against only them! See how they like it. How about encrypting their data and have them buy Microsoft products!

  6. James · 1119 days ago

    While it may be viewed as a negative thing this sort of thing (stick approach) is really the only thing to make developers improve the security of their software. Customers don't see the value in security sadly unless they see others getting burnt. Same with safety in cars, etc.

  7. John · 1119 days ago

    Is it not possible to find the authors by following the money or the purchase paths?

  8. soltltym · 709 days ago

    I don't see any difference between a cybercriminal and a rapist or murderer. Both know what they are doing, and both know it is wrong. Why reward or admire a hacker for white collar crime by saying he is doing good by improving security, without rewarding the rapist by saying he is improving the detection of the crime? There is no difference. A criminal mind is a criminal mind, no matter what the crime, and should always be undesirable and punished appropriately.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.