Recently, we have seen an increase in Blackhole exploit kit attacks. Blackhole is yet another web exploit kit developed by Russian hackers. According to one forum, the author indicates that the kit will cost $1,500 annually, $1,000 for a half-year and $700 for 3 months. It is a very powerful kit with a number of recent exploits, including Java and Adobe PDF exploits. The author has continually improved the kit with more obfuscation and crypto algorithms to avoid detection by AV vendors. One of the lines from the description of the kit says it all - “Exploits crypt on special algorithms that make it impossible to code analysis and detection of anti-virus as well as services, Tipo wepawet and other counterparts ...”. Analysis of this malicious toolkit showed that the URL patterns remain the same for most of the malicious domains hosting the Blackhole exploit kit. A Google search for the URL patterns returns thousands of results for such domains, and Google does generally flag them as malicious. Here is the screenshot of the Google search:
The above code appends a malicious iframe to the body of the web page; the iframe points to another malicious URL. That URL in turn serves an ASX file (a Windows Media playlist) that contains yet another malicious URL, which is done intentionally to avoid a user prompt. Here is the source:
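The two stages described above (an iframe appended to the page body, then an ASX playlist that merely points the player at the next URL) are easy to pick out of captured content. The following is an added example, not code from the original post or from the kit; it flags hidden or tiny iframes in a captured HTML body and extracts every `href` an ASX file redirects to, so the next stage can be checked against blocklists. All URLs and markup in it are constructed samples, not indicators from the post.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: a page with an iframe appended at the end of <body>,
# the way the loader script does it. The URL is a placeholder, not an IoC.
INJECTED_PAGE = """<html><body><p>Hello</p>
<iframe src="http://example.invalid/path/in.php" width="1" height="1"
 style="visibility:hidden"></iframe></body></html>"""

# Constructed sample ASX playlist whose only job is to redirect the player.
ASX_REDIRECT = """<asx version="3.0">
  <entry><ref href="http://example.invalid/next/stage.asx"/></entry>
</asx>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute; treat missing/non-numeric as large."""
    try:
        return int(str(value).rstrip("px"))
    except ValueError:
        return 9999


def suspicious_iframes(html):
    """Return src URLs of iframes that are hidden or near-zero size."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        tiny = all(_dim(a.get(k)) <= 2 for k in ("width", "height"))
        style = a.get("style") or ""
        hidden = re.search(r"visibility\s*:\s*hidden|display\s*:\s*none", style, re.I)
        if (tiny or hidden) and a.get("src"):
            hits.append(a["src"])
    return hits


def asx_refs(asx_text):
    """Extract every href an ASX file points the media player at (tag case varies)."""
    root = ET.fromstring(asx_text)
    return [el.get("href") for el in root.iter()
            if el.tag.lower() == "ref" and el.get("href")]
```

Feed `suspicious_iframes` the response body and `asx_refs` the fetched playlist; any URL either returns is the next stage to block or sandbox.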
We have seen many similar web exploit kits in the past, and attackers keep coming up with new ones like Blackhole, with more features and more reliable, less detectable exploits. We are also seeing a large number of malicious domains hosting the Blackhole exploit kit. AV detection is generally very poor for the malicious binaries delivered by the kit. Even though the price of this exploit kit is high, it remains a sought-after commodity.