A technical paper by Fraser Howard, SophosLabs, UK
2.3.5 Traffic flow summary
To summarise this section, we can combine all the information from Sections 2.3.1 to 2.3.4 in order to detail the typical traffic flow observed when a user is redirected to a Blackhole exploit kit. This is shown in Figure 10.
Figure 10: Example sequence of web traffic when a user browses a compromised web site (green) which loads content from a Blackhole exploit kit (red). In this example, no client PDF reader is installed, so no malicious PDFs are loaded from the exploit site.
The typical Sophos threat names for the various components used by Blackhole are listed in Table 2.
Table 2: Typical Sophos threat names associated with components of Blackhole exploit kit.
In common with the injected redirection scripts and the landing page, the above content is all heavily obfuscated and polymorphic. The obfuscation methods used are discussed in more detail in Section 3.
The various URLs used for the different components of Blackhole have been described in this section. It is worth noting that the URL structure may well change with future updates to the kit. During the writing of this paper, evidence of this was apparent in some active exploit sites:
[removed] dot in/svs/ypbzcwdqyokvcm8.php?n=[removed] (landing page)
[removed] dot in/svs/esyvhqjldphwf.pdf (PDF)
[removed] dot in/svs/xpitiqesyqbsc.php (PDF)
[removed] dot in/svs/bshmimaresdt8.swf (SWF)
The detections seen for all components of this exploit kit matched those expected for Blackhole. Confirmation of whether this is a new version of the kit remains work in progress.
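The traffic flow of Figure 10 (compromised site, then landing page, then exploit content from the same kit host) and the component URLs listed above can be turned into a simple proxy-log correlator. The following is an added example written for this page, not code from the paper or from SophosLabs. It assumes a constructed whitespace-separated log format with the response Content-Type as the last field; the hostnames (`compromised-site.invalid`, `exploit-host.invalid`, `news.invalid`) are placeholders, the `/svs/` filenames are the ones listed above, and treating a `.php` request carrying an `n` parameter as the landing page is an assumption generalised from the single example URL. Because the kit serves PDFs from `.php` scripts, the classifier checks the Content-Type before the file extension.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed proxy-log sample (not taken from the paper). Hostnames use the
# reserved .invalid TLD as placeholders; the /svs/ filenames are the ones the
# paper lists. Fields: time client method url referer status content-type
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.5 GET http://compromised-site.invalid/index.html - 200 text/html
2011-03-01T10:00:01 10.0.0.5 GET http://exploit-host.invalid/svs/ypbzcwdqyokvcm8.php?n=1 http://compromised-site.invalid/index.html 200 text/html
2011-03-01T10:00:02 10.0.0.5 GET http://exploit-host.invalid/svs/bshmimaresdt8.swf http://exploit-host.invalid/svs/ypbzcwdqyokvcm8.php?n=1 200 application/x-shockwave-flash
2011-03-01T10:00:03 10.0.0.5 GET http://exploit-host.invalid/svs/xpitiqesyqbsc.php http://exploit-host.invalid/svs/ypbzcwdqyokvcm8.php?n=1 200 application/pdf
2011-03-01T10:05:00 10.0.0.7 GET http://news.invalid/ - 200 text/html
2011-03-01T10:05:01 10.0.0.7 GET http://news.invalid/report.pdf http://news.invalid/ 200 application/pdf
"""


def parse_line(line):
    """Split one whitespace-separated log line into a record."""
    time_s, client, method, url, referer, status, ctype = line.split()
    return {
        "time": datetime.fromisoformat(time_s),
        "client": client,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
        "status": int(status),
        "ctype": ctype,
    }


def classify(url, content_type):
    """Label a request as a Blackhole component type.

    The response Content-Type is checked first because the kit serves PDFs
    from .php scripts (see the paper's URL list), so the file extension alone
    misclassifies them. Treating a .php request carrying an 'n' parameter as
    the landing page is an assumption drawn from the single example URL.
    """
    parsed = urlparse(url)
    path = parsed.path.lower()
    query = parse_qs(parsed.query)
    if content_type == "application/pdf" or path.endswith(".pdf"):
        return "pdf"
    if content_type == "application/x-shockwave-flash" or path.endswith(".swf"):
        return "swf"
    if path.endswith(".php") and "n" in query:
        return "landing"
    return "other"


def reconstruct_chains(log_text, window_seconds=60):
    """Group requests per client and rebuild landing-page -> exploit-content chains.

    A chain starts at a request classified as a landing page; every later
    request from the same client to the same host within the window is
    attached as a component. The landing page's own referer is reported as
    the probable compromised site that redirected the user there.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        for i, landing in enumerate(recs):
            if classify(landing["url"], landing["ctype"]) != "landing":
                continue
            host = urlparse(landing["url"]).netloc
            chain = {
                "client": client,
                "referer": landing["referer"],
                "landing": landing["url"],
                "components": [],
            }
            for later in recs[i + 1:]:
                if later["time"] - landing["time"] > timedelta(seconds=window_seconds):
                    break
                if urlparse(later["url"]).netloc == host:
                    kind = classify(later["url"], later["ctype"])
                    chain["components"].append((kind, later["url"]))
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(SAMPLE_LOG):
        print(f"{chain['client']}: {chain['referer']} -> {chain['landing']}")
        for kind, url in chain["components"]:
            print(f"    {kind:8s} {url}")
```

On the sample log the correlator reports one chain for 10.0.0.5 (compromised site, landing page, then SWF and PDF from the kit host) and nothing for 10.0.0.7, whose ordinary PDF download has no preceding landing page. Since the paper notes that the kit's URL structure changes between versions, the same-host-within-window grouping is deliberately kept independent of the exact filenames; only the landing-page heuristic would need revisiting when the structure moves.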