Exploring the Blackhole exploit kit

A technical paper by Fraser Howard, SophosLabs, UK


4.5 Hosting on compromised web servers

Blackhole is not hosted only on fresh sites registered solely for malicious purposes. Recently we have also seen legitimate sites being compromised and used to host the exploit kit. The landing page is typically located within a folder named ‘Home’ or ‘Index’:

[removed]/Index/index.php

[removed]/Home/index.php

The additional file components used by Blackhole are located within this folder, with the same structure as described above (Section 2.3.3). Examples of Java, PDF and Flash content include:

[removed]/Home/content/jav2.jar

[removed]/Home/content/ap2.php?f=16

[removed]/Home/content/field.swf

The consistent location of the landing page (Home or Index folder) suggests that a single individual or group is responsible for this. We can only speculate as to whether or not this pool of Blackhole host sites is used for the rental.
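The folder layout described in this section can be turned into a proxy-log correlation check. The following is an added example, not code from the paper: it flags a host folder only when both a Home/Index landing page and a file under that folder's content/ subfolder were requested, since a landing path alone is common on legitimate sites. The function name, the extension list and the sample URLs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Landing page inside a folder named Home or Index (capitalised as in the paper).
LANDING_RE = re.compile(r"^(?P<base>.*/(?:Home|Index))/index\.php$")
# Component under <folder>/content/. The extension list is an assumption drawn
# from the paper's Java/PDF/Flash examples (jar, php, swf).
CONTENT_RE = re.compile(
    r"^(?P<base>.*/(?:Home|Index))/content/[^/]+\.(?:jar|php|swf)$")


def correlate(urls):
    """Return {(host, base_folder): {"landing": [...], "content": [...]}} for
    folders where BOTH a landing page and a content component were requested."""
    seen = defaultdict(lambda: {"landing": [], "content": []})
    for url in urls:
        parts = urlsplit(url)  # the query string (e.g. ?f=16) is not in .path
        host = (parts.hostname or "").lower()
        for kind, rx in (("landing", LANDING_RE), ("content", CONTENT_RE)):
            m = rx.match(parts.path)
            if m:
                seen[(host, m.group("base"))][kind].append(url)
    return {k: v for k, v in seen.items() if v["landing"] and v["content"]}


# Constructed sample proxy-log URLs (hosts are reserved example domains).
SAMPLE_URLS = [
    "http://shop.example.com/Home/index.php",
    "http://shop.example.com/Home/content/jav2.jar",
    "http://shop.example.com/Home/content/ap2.php?f=16",
    "http://blog.example.org/Index/index.php",        # landing only: not flagged
    "http://cdn.example.net/Home/content/field.swf",  # content only: not flagged
    "http://forum.example.com/wp/Index/index.php",
    "http://forum.example.com/wp/Index/content/field.swf",
    "http://news.example.org/home/index.php",         # lowercase folder: no match
]

if __name__ == "__main__":
    for (host, base), hits in sorted(correlate(SAMPLE_URLS).items()):
        print(f"{host}{base}: {len(hits['landing'])} landing, "
              f"{len(hits['content'])} content")
```

Matches are a triage lead rather than a verdict, because the folder names themselves are ordinary; the same correlation can be run over a web server's own access log to check whether one of its folders is serving this layout.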
