New version of Blackhole exploit kit

Yesterday there were reports of an announcement that a new version (v2.x no less) of Blackhole exploit kit is on its way.

Blackhole is arguably the most successful exploit kit we have seen over the past couple of years, and we have described it in detail before (v1.x). The opening paragraph sets out what appears to be the main aim of the new version – improve how well they evade security measures:

Are pleased to welcome you to a brand new version of the bundle of exploits. For more than 2 years of existence of our project, the old engine arrival and ligaments badly worn, AV companies have become very quick to recognize that this kind of criteria BlackHole and flag it as malware.

Further down in the announcement are several interesting claims, some of which are summarised below:

  • prevent direct download of executable payloads (the payload is only served after a successful exploit, so a researcher fetching the URL on its own gets nothing)
  • only load exploit contents when the client is considered vulnerable
  • drop use of the PluginDetect library (justified on performance grounds)
  • remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC)
  • move away from the predictable URL structure (filenames and querystring parameter names)
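Taken together, the claims above mean that fixed URL patterns and standalone payload fetches become weak indicators; what survives on the defender's side is the per-client request chain the kit still has to produce (landing page, then Java or PDF exploit content, then a Windows executable). The following script, an added illustration rather than code from this post or from SophosLabs, applies that heuristic to web proxy logs. The log format, the content-type lists and the sample lines are constructed for the example, and the logic is generic to any kit that fingerprints first and serves the payload last, not specific to Blackhole.

```python
"""Flag drive-by exploit-kit sessions in proxy logs by request chain, not URL pattern.

Constructed example: the log format is "<timestamp> <client_ip> <url> <content-type>",
one request per line, and the sample lines below are made up for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.5 shows the chain landing -> Java archive -> EXE
# within seconds; 10.0.0.7 downloads a PDF and, much later, an installer, which is
# ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
2012-09-12T10:00:01 10.0.0.5 http://example-site.invalid/index.html text/html
2012-09-12T10:00:03 10.0.0.5 http://ek-landing.invalid/landing.php text/html
2012-09-12T10:00:05 10.0.0.5 http://ek-landing.invalid/dl.php?x=1 application/java-archive
2012-09-12T10:00:09 10.0.0.5 http://ek-landing.invalid/load.php?y=2 application/x-msdownload
2012-09-12T10:05:00 10.0.0.7 http://example-site.invalid/report.pdf application/pdf
2012-09-12T10:30:00 10.0.0.7 http://updates.example.invalid/setup.exe application/x-msdownload
"""

# Content types that carry the exploit stage (Java applet / archive, PDF) and the
# payload stage (Windows executables). Assumed lists; tune to your proxy's labelling.
EXPLOIT_TYPES = {"application/java-archive", "application/x-java-applet", "application/pdf"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}


def parse_log(text):
    """Group requests by client IP as (timestamp, url, content_type) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, url, ctype = line.split(maxsplit=3)
        events[ip].append((datetime.fromisoformat(ts), url, ctype))
    return events


def find_driveby_chains(text, window=timedelta(seconds=60)):
    """Return (client_ip, landing_url, exploit_url, payload_url) for every client whose
    requests contain, in order and within `window` of the landing page:
    an HTML page, then exploit-stage content, then an executable payload."""
    hits = []
    for ip, evs in parse_log(text).items():
        evs.sort()
        landing = exploit = None  # each is (timestamp, url) or None
        for t, url, ctype in evs:
            # The chain expires if the landing page is too old.
            if landing and t - landing[0] > window:
                landing = exploit = None
            if ctype == "text/html":
                # Any new HTML page becomes the candidate landing page.
                landing, exploit = (t, url), None
            elif landing and exploit is None and ctype in EXPLOIT_TYPES:
                exploit = (t, url)
            elif exploit and ctype in PAYLOAD_TYPES:
                hits.append((ip, landing[1], exploit[1], url))
                landing = exploit = None
    return hits


if __name__ == "__main__":
    for ip, landing, exploit, payload in find_driveby_chains(SAMPLE_LOG):
        print(f"{ip}: {landing} -> {exploit} -> {payload}")
```

The window and content-type sets are the knobs: a short window keeps ordinary browsing (a PDF read now, an installer half an hour later) out of the results, while the chain check does not depend on any filename or parameter name, which is exactly what the new version promises to randomise.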

Good to see that we are seen to not be sleeping 🙂

Developed and implemented a lot more features about which bragging and shouting in public is simply not reasonable, because competition and the AV companies do not nap.

The announcement also talks about improvements made to the admin interface. This is important – the author’s business is marketing this exploit kit against others on the market. As you can see, several of the improvements are designed to make it harder for researchers to harvest content from the exploit sites:

  • update machine stats to include Windows 8 and mobile devices
  • better breakdown of plug-in version information
  • improved checking of referrer
  • block TOR traffic

Information about the pricing of the new version is also provided.

Rent on our server:
-Day rental - $ 50 (limit traffic 50k hits)
-Week rental - $ 200 (limit traffic 70k hits a day)
-Month rental - $ 500 (limit traffic 70k hits a day)
if needed, traffic limit can be raised for the additional fee

The license for your server:
-License for 3 months $ 700
-The license for six months $ 1,000
License for 1 year $ 1500

multidomain bundle version - $ 200 one-time fee for the duration of the license (not binding to the domain and the ip)
change of the domain on the standard bundle version - $ 20
change ip for multidomain bundle version - $ 50
a one-time cleaning - $ 50
auto-updates for a month - $ 300 (auto-update, as soon as your cryptor is identified)

So, fun times ahead it would appear. Watch this space for an update when we actually start seeing this new version of the kit in use.

Thanks to Anna S for assistance in translating portions of the text.