A technical paper by Fraser Howard, SophosLabs, UK
2.3.4 Payload
Of course, the whole purpose of Blackhole is to infect victims with some payload. The payload delivered will vary according to the individual(s) paying for the exploit kit. The executable payload will be delivered from URLs with this recognisable format:
[removed]/w.php?f=b6863&e=0
[removed]/w.php?f=19&e=1
In common with all exploit kits, the query string (specifically the ‘e’ parameter) enables the kit to track exactly which vulnerability was responsible for causing the user to download the payload. This is important, since it allows the attackers to measure which exploits are most effective against different combinations of browser and plug-in versions, on different operating systems.
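The URL shape above can be matched in web proxy logs to find clients that requested a payload. The following Python is an added example, not code from the paper; the log layout, the host names and the value ranges accepted for 'f' and 'e' are assumptions generalised from the two sample URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: 'f' is a short hex-like token and 'e' a small integer,
# generalised from the paper's samples (f=b6863&e=0 and f=19&e=1).
F_RE = re.compile(r"^[0-9a-f]{1,8}$", re.I)
E_RE = re.compile(r"^\d{1,3}$")

def match_payload_url(url):
    """Return (f, e) if url has the w.php?f=..&e=.. shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/w.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Require exactly the two parameters, in either order, once each.
    if set(qs) != {"f", "e"} or len(qs["f"]) != 1 or len(qs["e"]) != 1:
        return None
    f, e = qs["f"][0], qs["e"][0]
    if F_RE.match(f) and E_RE.match(e):
        return f, int(e)
    return None

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2012-03-01T10:00:01Z 10.0.0.5 GET http://kit.example.invalid/w.php?f=b6863&e=0 200
2012-03-01T10:00:09Z 10.0.0.7 GET http://kit.example.invalid/w.php?f=19&e=1 200
2012-03-01T10:01:30Z 10.0.0.5 GET http://shop.example.invalid/w.php?page=2 200
2012-03-01T10:02:12Z 10.0.0.9 GET http://news.example.invalid/index.php?f=19&e=1 200
2012-03-01T10:03:44Z 10.0.0.7 GET http://kit.example.invalid/w.php?e=1&f=19 200
"""

def scan(log_text):
    """Return a list of (client, f, e) for every payload-shaped request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed layout
        _, client, _, url, _ = fields
        matched = match_payload_url(url)
        if matched:
            hits.append((client, *matched))
    return hits

if __name__ == "__main__":
    for client, f, e in scan(SAMPLE_LOG):
        print(f"{client} requested payload-shaped URL f={f} e={e}")
```

A hit on this pattern alone is only a lead, since other sites can legitimately serve a w.php script; correlate it with the response content type and the requests that preceded it.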
The payloads are typically polymorphic, packed with custom encryption tools designed to evade anti-virus detection (a process which is helped by the built-in AV checking functionality of Blackhole).
Most of the notorious families that we have seen over the past year have at some point been installed via Blackhole exploit kits. The most prevalent payloads from the past few months include: