Technical paper: Journey inside the Blackhole exploit kit

Filed Under: Featured, Malware, SophosLabs, Vulnerability

One of the most common questions we receive at SophosLabs is "How are users most likely to get infected with malware?".

As regular readers will be aware, the answer is through the web. More specifically, computers are most likely to be infected through compromised legitimate websites redirecting user traffic to malicious websites that are hosting some exploit kit.
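The redirection step described above is typically an iframe injected into the legitimate page's HTML, often sized 1x1 or hidden with CSS, that silently loads the exploit kit's landing page from another host. The following is an added example (not code from the paper or from SophosLabs) of a small defensive check a site owner could run over their own pages to spot such injected frames. The sample HTML, the page host `www.example.com` and the `third-party.invalid` host are constructed for the illustration; the heuristics (tiny dimensions, CSS hiding, external host) are a simple triage rule, not a detection signature from the paper.

```python
"""Flag iframes that look like an injected redirect in a page's HTML.

Added illustration for defenders, not taken from the Blackhole paper.
Heuristic: an iframe is reported when it is tiny or hidden via CSS;
pointing at a host other than the page's own host is recorded as an
extra reason so the analyst sees where the frame leads.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one normal embedded video on the site's own host,
# and one injected, hidden 1x1 iframe pointing at an unrelated host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<p>Some legitimate text.</p>
<iframe src="http://third-party.invalid/path/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

PAGE_HOST = "www.example.com"  # constructed: the host the page is served from


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Return the leading integer of a width/height attribute, or None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def classify_iframe(attrs, page_host):
    """Return a list of human-readable reasons this iframe looks suspicious.

    Only 'tiny' and 'hidden' make a frame suspicious on their own; an
    external host is reported as context (legitimate embeds are often
    external too).
    """
    reasons = []
    src = attrs.get("src", "")
    host = urlparse(src).hostname
    if host and host.lower() != page_host.lower():
        reasons.append(f"external host {host}")

    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (width is not None and width <= 2) or (height is not None and height <= 2):
        reasons.append(f"tiny size {width}x{height}")

    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    return reasons


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that are tiny or hidden."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = classify_iframe(attrs, page_host)
        if any(r.startswith(("tiny", "hidden")) for r in reasons):
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, PAGE_HOST):
        print(f"{src} -> {'; '.join(reasons)}")
```

Run against the constructed sample, only the second iframe is reported, with all three reasons attached; the full-size embed on the site's own host passes. In practice this check would be run over pages fetched from the web server's document root or from the live site, and any hit compared against the known-good template.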

The most active of these exploit kits in recent times is one known as Blackhole.

Properly understanding how the Blackhole exploit kit works and why it has become the most popular of the various exploit kits available is important in order to provide the best protection to our customers.

Previous research focused on early versions of the Blackhole exploit kit, and the tricks used by the attackers in evading detection.

More recently, SophosLabs expert Gabor Szappanos has been delving deeper into the internal workings of the Blackhole exploit kit, to get a more thorough understanding of how it works.

Gabor's technical paper, entitled "Inside a Black Hole", is now available, and I would encourage all readers to download it and learn more about the Blackhole exploit kit.

Read now: "Inside a Black Hole"

Plug hole image from Shutterstock.


9 Responses to Technical paper: Journey inside the Blackhole exploit kit

  1. macgyver826 · 1041 days ago

    At the risk of being tacky I would point out that one of the best ways to avoid infection is to avoid downloading anything you don't have to.

    Unless this article has a word count like a Steven King novel it should have been posted to a page where it could be read and not require a download.

    Of course I trust this website; that's not the issue. I would point out also that after I had logged in to be able to comment, an outfit named IntenseDebate (your comment software) wanted my name and password.

    I proved my trust of this site by giving it to them, but that was a no-no as well. I don't know who the heck IntenseDebate is, and as such didn't appreciate having to give them personal info from another site account just to comment here.

    Your site's strive for security should not make me compromise my personal standards for my own, jus' sayin'...

    • Intense Debate is part of the empire, owned by the same company.

    • Koios53a · 1039 days ago

      Your ignorance is showing.

      The Blackhole exploit kit works by infecting machines that visit a compromised webpage and throwing a bunch of exploits at the browser. No user interaction required. Most are infected when a trusted site is compromised and an iframe to a second server is placed in the HTML.

      And if you don't want to give over your username/password for WordPress, why didn't you use the Guest posting function?

  2. rogparish · 1039 days ago

    Your web server is obviously not configured to correctly describe the attributes of the PDF file to the browser, otherwise it would have opened in the browser instead of being downloaded as a file.

  3. Mark · 1029 days ago

    awesome paper! I am amazed at the level of analysis used to track down clues

  4. Kelly V. Barnett · 1029 days ago

    Respectfully @ rogparish

    How many people know what you are talking about let alone know how to configure anything on their computer?

  6. sophos user · 785 days ago

    The link to appears to be broken. I get a general page. I came here after "Sophos Endpoint Security and Control" blocked a site.

    • markstockley · 784 days ago

      Thanks for letting us know - the link has been restored.

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.