A technical paper by Fraser Howard, SophosLabs, UK
Over the last few years the volume of malware seen in the field has grown dramatically, thanks mostly to the use of automation and kits to facilitate its creation and distribution.
The term “crimeware” was coined specifically to describe the process of “automating cybercrime”.
Individuals no longer profit just from writing and distributing their malware. Today’s malware scene is highly organized, structured and professional in its approach.
There are many roles which criminally-minded individuals can fulfil. Take fake anti-virus (scareware) as an example; this class of malware is typically backed up by telephone support, professional quality GUI development and structured pay-per-install affiliate distribution systems.
Clearly this is a world away from the stereotypical image of a malware author from yesteryear.
Kits are an intrinsic part of crimeware. They provide not only the tools for criminals to create and distribute malware, but also the systems used to manage networks of infected machines.
Some of these kits focus on creation and management of the malware payload – Zeus is perhaps the best example of this.
Other kits focus on controlling user web traffic, for example the Search Engine Optimisation (SEO) kits.
A third class of kit are those that focus on infecting users through web attacks, specifically attacks known as drive-by downloads.
It is this latter group of kits that are commonly referred to as exploit kits or exploit packs (the terms are used interchangeably).
In this paper I am going to describe an exploit kit known as Blackhole, which due to its prevalence over the past year has become the most notorious of all the exploit kits today.