A technical paper by Fraser Howard, SophosLabs, UK
4.2 Sites hosting Blackhole
As noted earlier, one of the differentiating features of Blackhole compared to other exploit kits lies in its rental strategy. I was interested in whether this was evident from the list of sites known to have been hosting this exploit kit. Figure 15 shows a breakdown of sites by TLD.
Figure 15: Breakdown of TLD or IP for sites hosting Blackhole exploit kit.
As you can see, Blackhole has mostly been seen on .com, .in, .info and .ru sites. Doing the same analysis for subsets of the data (e.g. just the last month) shows some differences, but the general breakdown remains similar, with the same three TLDs dominating.
Given the investment in obfuscation tricks (Section 3), it is not surprising that the Blackhole host sites ‘move’ rapidly. Freshly registered domains are normally used to host the kit, and these are brought online quickly (within 24 hours).
Table 4: Some examples of fresh domains used to host Blackhole.
As you would expect, the useful lifetime of such domains is often very short, with the hostnames failing to resolve after 24-72 hours. This is due to the use of a technique known as domain name flux: continually allocating and updating multiple fully qualified domain names that all point to the same IP address. Some examples are listed in Table 5. The technique is used to evade simplistic URL filtering defences.
Table 5: Examples of domain name flux as used in Blackhole hosting. Multiple domains registered all pointing to the same host IP.
This is why it is desirable for TDS servers (Section 2.3.1) to be used to bounce user traffic from compromised sites to the actual Blackhole site. This approach enables centralised control over the target domain, such that it can be changed frequently.
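The two hosting behaviours described above, freshly registered domains brought online within 24 hours and many FQDNs fluxing onto one IP over a 24-72 hour span, both leave a footprint in DNS data that a defender can look for. The following script is an added example and is not part of the paper or of any Sophos tooling: it takes passive-DNS-style records (the record layout and the sample domains and IPs are constructed for this illustration) and flags domains first seen serving content shortly after registration, and IPs that had several distinct hostnames pointed at them within a short window.

```python
"""Added example (not from the Sophos paper): spotting fresh hosting domains
and domain-name flux in passive-DNS-style records.

The record layout (fqdn, ip, first_seen, registered) and the sample values
below are constructed assumptions, not any real feed's schema or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: four hostnames pointed at one IP within three
# days, each registered only hours before it was first seen resolving, plus
# two long-standing domains on their own IPs for contrast.
SAMPLE_RECORDS = [
    ("cdn-update-a1.example", "203.0.113.10", "2011-06-01T08:00", "2011-06-01T02:00"),
    ("cdn-update-b2.example", "203.0.113.10", "2011-06-01T09:30", "2011-06-01T03:00"),
    ("cdn-update-c3.example", "203.0.113.10", "2011-06-02T07:15", "2011-06-02T01:00"),
    ("cdn-update-d4.example", "203.0.113.10", "2011-06-03T06:00", "2011-06-02T23:00"),
    ("longstanding-shop.example", "198.51.100.5", "2011-06-01T12:00", "2005-03-14T00:00"),
    ("another-site.example", "198.51.100.7", "2011-06-02T12:00", "2010-01-01T00:00"),
]


def parse(records):
    """Turn raw tuples into dicts with parsed timestamps."""
    parsed = []
    for fqdn, ip, seen, reg in records:
        parsed.append({
            "fqdn": fqdn,
            "ip": ip,
            "first_seen": datetime.fromisoformat(seen),
            "registered": datetime.fromisoformat(reg),
        })
    return parsed


def fresh_domains(records, max_age=timedelta(hours=24)):
    """Domains first observed resolving within max_age of their registration.

    The 24-hour default mirrors the 'brought online within 24 hours' behaviour
    described in the paper; tune it to the feed's timestamp granularity.
    """
    return sorted(
        r["fqdn"] for r in records
        if r["first_seen"] - r["registered"] <= max_age
    )


def flux_ips(records, min_domains=3, window=timedelta(hours=72)):
    """IPs that had min_domains or more distinct FQDNs pointed at them within
    any sliding window of the given length (72 h matches the 24-72 hour
    hostname lifetime noted in the paper).

    Returns {ip: sorted list of hostnames in the first window that trips the
    threshold}.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((r["first_seen"], r["fqdn"]))

    flagged = {}
    for ip, entries in by_ip.items():
        entries.sort()  # chronological by first_seen
        for i, (start, _) in enumerate(entries):
            names = {name for seen, name in entries[i:] if seen - start <= window}
            if len(names) >= min_domains:
                flagged[ip] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    recs = parse(SAMPLE_RECORDS)
    print("Fresh domains:", fresh_domains(recs))
    for ip, names in flux_ips(recs).items():
        print(f"Flux candidate {ip}: {len(names)} hostnames -> {names}")
```

Both checks are deliberately simple: a domain that is both fresh and part of a flux cluster is a stronger signal than either alone, and in practice the thresholds (age, window, domain count) need tuning against the organisation's own DNS baseline, since CDNs and shared hosting also put many legitimate hostnames on one IP.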