A few days ago a new version of THE most common exploit kit was released. Unlike most exploit kit authors, who try to keep a low profile, the author of Blackhole publishes his work in Russian forums and even writes detailed information regarding his new product.
Notice, the login panel requires to enter a CAPTCHA to avoid automatic scanners that guess default passwords, this feature is not new in exploit kits, but definitely not common.
Let’s review the important changes that have been made in Blackhole Exploit Kit v2 compared to the Blackhole Exploit Kit v1:
Basically, the author of Blackhole has put a lot of effort into avoiding Anti-Viruses vendors’ and Security Researchers’ detection, and focuses less on new obfuscation techniques.
Let’s compare the new variant of Blackhole Exploit Kit with the old one:
The older version:
By comparing the code in the two screenshots above, we can see that the core of the obfuscation algorithm is the same. First, the “try/catch” technique, second is some obfuscated code loaded from the DOM using “getElementsByTagName”, and finally a set of basic math operations that opens the obfuscated code and execute it.
This is what the de-obfuscated code of Blackhole Exploit Kit v2 looks like:
According to the screenshots above the new version of Blackhole focuses on evasion techniques: For example, in the code above the PDF and the Jar files are loaded using a unique link that is generated specifically for the user and is valid only for a limited amount of time (definitely a pain in the ass…). As for the files themselves, we will publish a technical analysis of the PDF and Jar exploits served by the new version of Blackhole in a later blog post.
Let’s take a closer look at some more interesting stuff added in the new version:
This option allows the administrator to allow access to the exploit page only from specific referrers which can be configured using the control panel. The administrator can also configure whether to block access to the exploit when no referrer is present.
Blackhole exploit kit holds a list of 132,220 bot IPs which can be automatically blocked by the engine. This way the exploit kit is not exposed to automated security crawlers.
This feature is really annoying. Blackhole Exploit Kit v2 contains an IP list of ToR endpoint nodes, so if this flag is turned on, security researchers won’t be able to use ToR for analysis.
Upon installing the exploit kit a list of 2,147 ToR nodes are loaded into the database and are updated automatically.
This one is a really cool feature: once the attack campaign is over, the administrator can switch their blackhole exploit kit v2 into a “monitoring mode” of sorts. In this stage the exploit kit is not supposed to receive any traffic, therefore, the exploit kit author assumes the incoming traffic belongs to security vendors. The IPs that are captured during that time are reported back to Blackhole author and added to the list of bots.
These captured IPs inserted into the database and published to Blackhole customers.
Now let’s view the new control panel settings:
In this new version of Blackhole exploit kit, the administrator can define when the engine will replace the current domain with a new one to avoid Anti-Virus detection. Using the “AntiVirus Check” feature, the exploit kit tests the URL of the exploitation page with underground Anti-Virus websites (VirTest and Scan4you). The administrator can control the change rate of the URL after it has been discovered by a certain number of Anti-Virus vendors.
“Threads” is pretty similar to older version of Blackhole, where the administrator can create multiple attacks with different viruses.
The significant feature added in this section is the “Traffic” feature. Unlike older version of the Blackhole Exploit Kit, the new version serves the exploit only one time per IP address. The administrator can configure a webpage or a message to users that continue to access the server more than once.
In conclusion, it is clear that this new generation of Blackhole Exploit Kit puts a lot of effort into new evasion techniques that are aimed towards making the lives of security researchers as difficult as they can be while taking the focus off obfuscation techniques, which used to be the main theme in exploit kit updates in the past. .
Needless to say, customers of Trustwave Secure Web Gateway (SWG), version 10.1 and higher, are protected by default with no need for any further update.
Thanks to my colleague Anat Davidi for her contribution to this post.