Blackhole exploit kit gets upgraded to evade antivirus software

Equipped with a souped-up admin panel, Blackhole 2.0 has undergone a total code rewrite to better bypass defenses

The creators of the infamous Blackhole exploit kit have announced version 2.0 of the malware, claiming to have rewritten the code entirely from scratch so as to evade popular antivirus software. The kit includes noteworthy and nasty tricks, such as the use of short-term, random URLs for delivering exploits, but perhaps in recognition of the still-struggling global economy, the kit's creators aren't changing pricing.

According to Sophos, the Blackhole exploit kit is "the most popular drive-by malware we've seen recently.... It offers sophisticated techniques to generate malicious code. And it's very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious."

In the past few months alone, malicious hackers have used Blackhole to exploit an unpatched MSXML flaw; to exploit Java vulnerabilities; to infect users with fake AV (antivirus) programs via Twitter spam campaigns; and to distribute the GameOver Trojan via a fake U.S. Airways-themed email campaign.

The announcement about Blackhole 2.0 appeared on the Russian-language website Malware don't need Coffee. In it, the creators explain that AV companies have been very quick to recognize signs of Blackhole and flag it as malware, necessitating the need for a total code rewrite. Beyond bolstering the kit's payload delivery, the authors said they have made improvements to the admin panel.

One addition to the software is the use of short-term random URLs for delivering the exploits in the kit. According to Dennis Fisher at Threatpost, this feature is meant to overcome the problem of attempted SQL injection attacks being thwarted when a compromised page is detected or removed. According to Fisher, Blackhole's new random-domain generation feature is capable of "generating a new, random URL for the attacker's code to live on, sometimes with a shelf life of just a few seconds. This makes detection of malicious pages far more difficult for site owners and security companies. There's also a new feature that obfuscates the outgoing traffic from a compromised site, making it more difficult to identify."

Blackhole 2.0 also has been trimmed of old exploits that have since been fixed, replacing them with a new batch. Further, the creators have broadened the number of OSes the malware can recognize, adding to the list Windows 8 and unspecified mobile platforms, "giving the attacker the ability to break down the amount of traffic he's getting from machines running each individual OS," according to Fisher.

New to the admin panel is a menu item dubbed Software Version, which an attacker can use to determine which versions of Java or Acrobat Reader a compromised system is running. "It is very useful for evaluating the quality of traffic and to monitor the performance ... on the right version of the plug-in," according to the Google Translated announcement.

Through the admin panel, attackers also have greater control over blocking particular traffic, such as traffic with a referrer, as well as the ability to block particular referrers.

Per the announcement, the creators of Blackhole 2.0 haven't changed their pricing scheme: You can lease a server running a hosted version of the kit for $50 per day, $200 per week, or $500 per month. Alternatively, you can license the software for in-house usage at $700 for three months, $1,000 for six months, or $1,500 for a year.

This story, "Blackhole exploit kit gets upgraded to evade antivirus software," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies