A technical paper by Fraser Howard, SophosLabs, UK
5 Discussion and conclusions
In this paper the Blackhole exploit kit has been described in detail. The paper has covered the general characteristics of the kit, revealing the techniques its authors use to retain control over how it is used. The various files used to exploit client vulnerabilities and infect victims with malware have been described. Such information is critical to those looking to secure their systems against this type of threat (through patching and control of legitimate applications).
During this research, I have been interested in the reasons why Blackhole has grown into the most prolific and successful exploit kit in use today. The fundamental job of exploit kits is to provide a service for individuals wanting to infect users with malware. Quite simply, the most successful kit will be the one that best achieves this goal. The key factors that differentiate between exploit kits include:
- Traffic. How much user traffic is redirected to the exploit kit is fundamental to its success.
- Evasion of detection. A kit that is easily blocked through content URL filtering, IDS and content detection will fail.
- Business model. Exploit kits are a service in a competitive market. A popular kit will be one that is competitively priced, with a sound business model.
The authors of the kit have taken care to retain control of it: the scripts are encoded to prevent others from copying the code, and the business model includes a rental option, where individuals pay for a hosted service. The content used by Blackhole is aggressively obfuscated and extremely polymorphic. Integrated anti-virus scanning services are clearly used to great effect. From a file content perspective, updates to Blackhole (and the redirects used to control web traffic) appear to be very well coordinated. In this paper, I speculate that this is due to the centralised control that the authors have over the kit.
Given the efforts taken by Blackhole to evade detection, it is perhaps surprising that some aspects of the kit (e.g. URL paths, filenames, query string structure) have remained largely stagnant. As noted earlier in this paper, this is something that is likely to change (if it hasn’t already).
In conclusion, over the past 12-18 months we have seen Blackhole become the most prevalent and notorious of the exploit kits used to infect people with malware. Some of the tricks and techniques used are likely to shape what we see in competing kits in the future. However, could the centralised approach used to maintain control over Blackhole also prove to be its Achilles heel? Might it enable law enforcement to shut down the entire operation? Based on the facts presented in this paper, I think it is fair to suggest that without legal intervention Blackhole will continue to be one of the main routes by which users are infected with malware.