Black Hole Exploit Kit 2.0 Released

ID THREATPOST:13EC97D6E386E32535FB4E6CB3432778
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:31:35


The developer behind the notorious Black Hole exploit kit has released a new version of the software, adding in several new features designed to prevent security researchers from getting access to new exploits or reverse-engineering the kit’s inner workings. Conveniently, the pricing for Black Hole has stayed the same, so hackers get more value for the same amount of money.

Black Hole is one of a number of readily available exploit kits distributed in the cybercrime underground that make it simple for attackers of all skill levels to exploit a wide variety of vulnerabilities. With a few mouse clicks, users can pick out a specific exploit, say the recently disclosed CVE-2012-1723 Java vulnerability, and begin compromising vulnerable browsers. The kit has been around for some time, as have similar kits such as the Phoenix exploit kit and Eleonore, and the trend of late has been that exploit code for newly discovered bugs is being added more and more quickly to Black Hole.

The new Black Hole version 2.0 release was announced recently on underground site Exploit.In, and the list of new features and functionality is extensive. One addition to the main Black Hole software is the use of short-term random URLs for delivering the exploits in the kit. Attackers often will compromise legitimate Web sites via SQL injection or some other common method, load their malicious code on the sites and rig it to attack users’ browsers with specific exploits as they hit the site. One problem with this technique from the attacker’s point of view is that if the compromised page is detected or removed for some other reason, the attack dies.

Enter random domain generation. This feature will generate a new, random URL for the attacker’s code to live on, sometimes with a shelf life of just a few seconds. This makes detection of malicious pages far more difficult for site owners and security companies. There’s also a new feature that obfuscates the outgoing traffic from a compromised site, making it more difficult to identify.

Black Hole 2.0 also removes all of the old exploits for vulnerabilities that have been fixed (even though those can still be useful against many users) and includes a new batch of exploits. The new release also includes the ability to recognize more types of operating systems, including Windows 8 and several mobile operating systems, giving the attacker the ability to break down the amount of traffic he’s getting from machines running each individual OS.

“To the list of operating systems added to Win 8, and mobile devices, in order to see how much of your traffic is mobile, and mobile traffic, you can redirect to the appropriate affiliate,” a translated version of the original Russian announcement says. The announcement was posted on the Malware Don’t Need Coffee site on Wednesday.

All of this functionality doesn’t come for free, of course, but the prices for various iterations of Black Hole have stayed the same as they were for version 1.0. So an attacker wanting to rent an instance of Black Hole from the author’s server will pay $50 per day, up to 50,000 hits. A monthly rental will run you $500 with a limit of 70,000 hits per day. A one-year license for unlimited domains is $1,500.

This article was updated on Sept. 12 to correct the source of the Black Hole 2.0 announcement and details about the domain-generation algorithm.