Blackhole 2.0 Hits the Net with New ExploitsWritten by Malcolm James on September 19, 2012
Autumn is in the air. The nights are crisp and cold and mornings bright and frigid, sure signs that the best of summer is behind us. And as fall begins to descend upon the tiny hamlet I call home, I’m given to wonder what the last two quarters of this year will bring to the world of spam and Internet security. As it turns out, I already have my first answer, as news exploded on the Interwebs this week: Blackhole is back in a new iteration, version 2.0, and like any full version upgrade, it packs a punch.
Perhaps you’ve been living off-world or hiding under a rock from the spate of spam that confounds your inboxes, so let me fill you in: the Blackhole exploit kit, written on a PHP and MySQL back-end, was first noticed in 2010 and quickly became the most pervasive security threat lurking around the Web today. Developed somewhere in Russia by a user who goes by the handle Paunch, the kit sells for a $1500 yearly license and exploits security flaws most commonly found on the Windows operating system, in other words, 90 percent of the world.
Worst of all, the exploit kit is designed for the DIY-minded hackers, that is, you don’t have to be a hackxtraordinaire to use the thing, a feature that has made the exploit kit a popular item on warez sites and among script kiddies. As this HotHardware.com article points out, Kaspersky Labs has posed a rather eerie warning about Blackhole: HotHardware points out that Kaspersky has acknowledged that “pretty much any backwoods hackabilly can wield Black Hole like a pro and wreak havoc with just a few mouse clicks.”
So, what could be worse than an exploit kit that every wannabe cybercriminal wants to use, because it’s just that easy? Version 2.0, of course. According to this Russian language press release on Pastebin (translated here), the new version has been rewritten from scratch, and offers a number of ‘improvements’ over previous versions. According to Help Net Security, These include:
- Dynamic [i.e., random] URL generation in order to foil the automatic systems for downloading exploits used by security researchers
- The removal of exploits for “old” vulnerabilities [e.g., Flash exploits, which haven't been very successful in the past], and the inclusion of three different exploit packs – one including Java exploits, the second exploits for the Adobe PDF LibTiff vulnerability (CVE-2010-0188), and the third for Internet Explorer’s Microsoft Data Access Components flaw (CVE-2006-5559) – a rather old vulnerability that still gets taken advantage of because of unpatched IE6 browsers
- Links can get renamed to human readable format (for example/news/index.php) instead of kept in the obviously suspicious format that includes a slew of random characters (for example/Main.php?Varname=lgjlrewgjlrwbnvl2)
- JAR and PDF exploits run only if vulnerable versions of plug-ins are detected, so they don’t trigger detection by antivirus package unnecessarily
- A new administration panel with a considerable number of new options
Despite all the new features, the exploit kit still sells for $1500 for an annual license, or, like previous versions, it can be ‘rented’ from the author’s servers for $50 per day (up to 50,000 hits per day), or for $500 per month (up to 70,000 hits per day).
Help Net Security points out that some recently detected attacks, such as an “FDIC notification claiming the users’ wire transfer ability was suspended, and…a bogus thank you note that tries to trick the recipients into believing that they have somehow signed up for a premium service of accountingWEB.com” use different landing pages but appear to be early uses of Blackhole 2.0.
ArsTechnica points out “a number of enhancements in the administrative panel for the tool. A BlackHole 2.0 user can now configure an attack server with multiple domains, and have it switch the URLs it uses for attacks between them. It can also automatically switch from one domain to another when the first gets blacklisted by antivirus software reputation databases.”
If interested, you can surf on over to Malware Don’t Need Coffee to see what a Blackhole 2.0 exploit looks like. It’s scary stuff. Random domain generation, Kaspersky points out via Hot Hardware:
“Will generate a new, random URL for the attacker’s code to live on, sometimes with a shelf life of just a few seconds. This makes detection of malicious pages far more difficult for site owners and security companies.”
So, how do you protect your network? Brush up on user education. Familiarize yourself with Blackhole 2.0. And pray this is the worst we’ll see for a while.