[Our "exkit expert" returns, with his take on recent changes in BHEK. –C.L.]
Today I am looking at some of the updates that we have been seeing in the Blackhole Exploit Kit.
[BTW, the Russian labels in this chart of BHEK infection statistics translate as "OS, Hits, Hosts, Downloads". So, for example the lone Windows 95 user that wandered into their trap went down in flames, but one of the two Windows 98 users escaped their clutches somehow. (Dumb luck, maybe?). And Java continues to be the exkit maker's best friend… –C.L.]
Exploit kits are a quick and efficient way to exploit common vulnerable programs like Java and Adobe Acrobat, and then drop malware onto the victims' machines. The popularity of exploit kits is shown in the variety that have come out to compete for the market that Blackhole has held for a long time. We have seen many of these exploit kits explode onto the market only to slowly die out. Tortoise and the hare anyone?
Like any other technology-driven business, continual innovation is necessary to keep the business growing. Here are a few new features and business innovations we've seen from Blackhole.
Phishing Piggy-backers
Phishing has always been a social-engineering threat on the web. Usually we see the phishers operating on their own, but lately we have seen them piggy-backing on Blackhole exploit kit servers. [Are the BHEK gangs expanding into phishing? Renting out space to phishers? Or are the phishers simply choosing to license BHEK on their own? It doesn't really matter which scenario is most prevalent; the net effect is the same. –C.L.]
What if none of the exploits work?
What about the scenario (not uncommon, as the opening chart showed) where victims come across a site with an exploit kit, and they have no vulnerable software to exploit?
For example, currently, most exploit kits don't attempt to exploit you if you are running the Chrome browser. Chrome has some nice features, like its own version of Flash and PDF support, and click-to-play Java — these make life difficult for exploit kits.
Well, Blackhole has a solution for this: social engineering. If a Blackhole server detects that you're running Chrome, it just sends you to a fake "Chrome Update" page to trick you into downloading and running the final payload yourself:
And lately, it's started to use the same trick for Internet Explorer:
Just like the fake Chrome update, they want you to download the final payload yourself. (Zeus, in case you were wondering.)
Also, they lock up your browser until you download the payload:
The dialog box won't go away, and you can't navigate away or close the browser tab until you download the payload.
Post-exploit Business Opportunities
What happens after you've been exploited? In the past, criminals were able to customize Blackhole to the specific attack they were launching, in order to avoid detection. For example if they were sending out "Amazon shipping package" spam with a link to a BHEK server, the kit would redirect you to Amazon.com after the exploit and payload download were complete. Insert any other popular website and we've seen it do the same.
Now more scammers are piggy-backing on Blackhole servers. We've seen fake Canadian pharmacies, diet pills, etc. Now we have fat-burning green coffee beans:
Innovation keeps businesses alive and growing — legal or not. As we can see from the new content above, the Blackhole exploit kit may be around for a long time.
–J.D.
Leave a reply