A technical paper by Fraser Howard, SophosLabs, UK
4.5 Hosting on compromised web servers
Blackhole is not hosted only on fresh sites registered solely for malicious purposes. Recently we have also seen legitimate sites being compromised and used to host the exploit kit. The landing page is typically located within a folder named ‘Home’ or ‘Index’:
[removed]/Index/index.php
[removed]/Home/index.php
The additional file components used by Blackhole are located within this folder, with the same structure as described above (Section 2.3.3). Examples for Java, PDF and Flash content include:
[removed]/Home/content/jav2.jar
[removed]/Home/content/ap2.php?f=16
[removed]/Home/content/field.swf
The consistent location of the landing page (Home or Index folder) suggests that a single individual or group is responsible for these compromises. We can only speculate as to whether this pool of Blackhole host sites is used for the rental.
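The folder layout described in this section can be checked for in web proxy logs. The following is an added example, not code from the paper or from SophosLabs; the log format (timestamp, client, URL), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Layout from the section: landing page in a 'Home' or 'Index' folder,
# kit components under that folder's content/ subfolder (jar, php, swf).
LANDING = re.compile(r"^(?P<root>.*/(?:Home|Index))/index\.php$")
CONTENT = re.compile(
    r"^(?P<root>.*/(?:Home|Index))/content/[^/]+\.(?P<ext>jar|php|swf)$")

# Constructed sample lines (assumed format: timestamp client URL).
SAMPLE_LOG = [
    "2012-03-01T10:00:01Z 192.0.2.10 http://shop.example.com/Home/index.php",
    "2012-03-01T10:00:02Z 192.0.2.10 http://shop.example.com/Home/content/jav2.jar",
    "2012-03-01T10:00:03Z 192.0.2.10 http://shop.example.com/Home/content/ap2.php?f=16",
    "2012-03-01T10:00:05Z 192.0.2.11 http://blog.example.org/Home/index.php",
    "2012-03-01T10:00:07Z 192.0.2.12 http://cdn.example.net/Home/content/field.swf",
]


def find_kit_like_sessions(log_lines):
    """Flag clients that load a Home/Index landing page and then fetch
    content/ components from the same folder on the same host.

    A Home/index.php request alone is common on legitimate sites, so only
    the landing-then-content sequence is reported.
    """
    landed = set()   # (client, host, root) seen requesting a landing page
    hits = {}        # (client, host, root) -> set of component extensions
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _ts, client, url = parts
        u = urlsplit(url)                 # u.path excludes the ?f=16 query
        m = LANDING.match(u.path)
        if m:
            landed.add((client, u.hostname, m.group("root")))
            continue
        m = CONTENT.match(u.path)
        key = (client, u.hostname, m.group("root")) if m else None
        if key in landed:                 # content requested after landing
            hits.setdefault(key, set()).add(m.group("ext"))
    return sorted((c, h, r, tuple(sorted(e))) for (c, h, r), e in hits.items())


if __name__ == "__main__":
    for row in find_kit_like_sessions(SAMPLE_LOG):
        print(row)
```

Matching is case-sensitive because the section gives the folder names as ‘Home’ and ‘Index’; the `root` group keeps whatever path prefix precedes the folder, since the paper redacts that part of each URL.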