A technical paper by Fraser Howard, SophosLabs, UK
2 Blackhole Exploit Kit
2.1 General characteristics
There are several versions of Blackhole exploit kit, the first being v1.0.0 (released in late 2010), and most recent being v1.2.2 (released February 2012). The kit consists of a series of PHP scripts designed to run on a web server. The PHP scripts are all protected with the commercial ionCube encoder. This is presumably to help prevent other miscreants stealing their code (there are many exploit kits out there which are little more than copies of others!), and to hinder analysis. The result of script encoding is obvious in Figure 1, which shows a snippet of a protected PHP script from a Blackhole exploit kit.
Figure 1: The effect of ionCube encoding on one of the Blackhole exploit kit PHP scripts.
As you would expect, there is significant overlap between the functionality of the various exploit kits available. The general characteristics of the Blackhole exploit kit are listed below and as you can see, a lot of this could equally apply to several other kits:
- The kit is Russian in origin
- Configuration options for all the usual parameters:
- Querystring parameters
- File paths (for payloads, exploit components)
- Redirect URLs
- Usernames, passwords
- MySQL backend
- Only hit any IP once
- Maintain IP blacklist
- Blacklist by referrer URL
- Import blacklisted ranges
- Auto update
- Management console provides statistical summary, breaking down successful infections by:
- Affiliate/partner (responsible for directing user traffic to the exploit kit)
- Targets a variety of client vulnerabilities
- AV scanning add-ons (through the use of two scanning services, available as optional extras of course, this is business!)
However, there are some features that are (or were at first release) unique to Blackhole:
- “Rental” business model. Historically, exploit kits are commodities that are sold for individuals to then use as they desire. However, Blackhole includes a rental strategy, where individuals pay for the use of the hosted exploit kit for some period of time. The kit is not exclusively rental only, other licenses are also available. Figure 2 illustrates the pricing model (translated) for the first release of Blackhole.
Figure 2: Snippet of readme text illustrating the pricing model for Blackhole v1.0.0 (translated from Russian)
- Management console optimised for use with PDAs!
The rental business model, the use of PHP script protection and the locking of installation scripts to specific IPs all suggest that the individual(s) behind Blackhole are keen to retain control of the kit. The ramifications of this centralised control over the active Blackhole exploit kits is evident in some of the statistics we have collected over the past year (see Section 4).