The Latest in IT Security

A Quick Look at Some Updates to the Blackhole Exploit Kit

04
Oct
2013

[Our "exkit expert" returns, with his take on recent changes in BHEK. –C.L.]

Today I am looking at some of the updates that we have been seeing in the Blackhole Exploit Kit.

screenshot of BHEK infection-stats page

[BTW, the Russian labels in this chart of BHEK infection statistics translate as "OS, Hits, Hosts, Downloads". So, for example the lone Windows 95 user that wandered into their trap went down in flames, but one of the two Windows 98 users escaped their clutches somehow. (Dumb luck, maybe?). And Java continues to be the exkit maker's best friend… –C.L.]

Exploit kits are a quick and efficient way to exploit common vulnerable programs like Java and Adobe Acrobat, and then drop malware onto the victims' machines. The popularity of exploit kits is shown in the variety that have come out to compete for the market that Blackhole has held for a long time. We have seen many of these exploit kits explode onto the market only to slowly die out. Tortoise and the hare anyone?

image of tortoise and hare (as exkits)

Like any other technology-driven business, continual innovation is necessary to keep the business growing. Here are a few new features and business innovations we've seen from Blackhole.

Phishing Piggy-backers

Phishing has always been a social-engineering threat on the web. Usually we see the phishers operating on their own, but lately we have seen them piggy-backing on Blackhole exploit kit servers. [Are the BHEK gangs expanding into phishing? Renting out space to phishers? Or are the phishers simply choosing to license BHEK on their own? It doesn't really matter which scenario is most prevalent; the net effect is the same. –C.L.]

What if none of the exploits work?

What about the scenario (not uncommon, as the opening chart showed) where victims come across a site with an exploit kit, and they have no vulnerable software to exploit?

For example, currently, most exploit kits don't attempt to exploit you if you are running the Chrome browser. Chrome has some nice features, like its own version of Flash and PDF support, and click-to-play Java — these make life difficult for exploit kits.

Well, Blackhole has a solution for this: social engineering. If a Blackhole server detects that you're running Chrome, it just sends you to a fake "Chrome Update" page to trick you into downloading and running the final payload yourself:

screenshot of fake Chrome update

And lately, it's started to use the same trick for Internet Explorer:

screenshot of fake IE update

Just like the fake Chrome update, they want you to download the final payload yourself. (Zeus, in case you were wondering.)

Also, they lock up your browser until you download the payload:

screenshot of fake IE update page locking your browser

The dialog box won't go away, and you can't navigate away or close the browser tab until you download the payload.

Post-exploit Business Opportunities

What happens after you've been exploited? In the past, criminals were able to customize Blackhole to the specific attack they were launching, in order to avoid detection. For example if they were sending out "Amazon shipping package" spam with a link to a BHEK server, the kit would redirect you to Amazon.com after the exploit and payload download were complete. Insert any other popular website and we've seen it do the same. 

Now more scammers are piggy-backing on Blackhole servers. We've seen fake Canadian pharmacies, diet pills, etc. Now we have fat-burning green coffee beans:

screenshot of coffee bean scam site

Innovation keeps businesses alive and growing — legal or not. As we can see from the new content above, the Blackhole exploit kit may be around for a long time. 

–J.D.

Leave a reply


Categories

THURSDAY, NOVEMBER 14, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments