A few days ago a new version of THE most common exploit kit wasreleased. Unlike most exploit kit authors, who try to keep a low profile, the authorof Blackhole publishes his work in Russian forums and even writes detailedinformation regarding his new product.
Figure1: Blackhole Exploit Kit v2 login panel
Notice, the login panel requires to enter a CAPTCHA to avoid automatic scanners that guess default passwords, this feature is not new in exploit kits, but definitely not common.
Let's review the important changes that have been made inBlackhole Exploit Kit v2 compared to the Blackhole Exploit Kit v1:
Basically, the author of Blackhole has put a lot of effort intoavoiding Anti-Viruses vendors' and Security Researchers' detection, and focusesless on new obfuscation techniques.
Let's compare the new variant of Blackhole Exploit Kit withthe old one:
Figure 2: Blackhole Exploit Kit v2 obfuscated code
The older version:
Figure 3: Blackhole Exploit Kit v1 obfuscated code
By comparing the code in the two screenshots above, we can seethat the core of the obfuscation algorithm is the same. First, the "try/catch" technique,second is some obfuscated code loaded from the DOM using "getElementsByTagName",and finally a set of basic math operations that opens the obfuscated code and executeit.
This is what the de-obfuscated code of Blackhole Exploit Kitv2 looks like:
Figure 4: Blackhole Exploit v2 de-obfuscated code
According to the screenshots above the new version ofBlackhole focuses on evasion techniques: For example, in the code above the PDFand the Jar files are loaded using a unique link that is generated specificallyfor the user and is valid only for a limited amount of time (definitely a painin the ass…). As for the filesthemselves, we will publish a technical analysis of the PDF and Jar exploitsserved by the new version of Blackhole in a later blog post.
Let's take a closer look at some more interesting stuffadded in the new version:
Figure 5: Blackhole Exploit Kit v2 control panel - Security section
This option allows the administrator to allow access to theexploit page only from specific referrers which can be configured using thecontrol panel. The administrator can also configure whether to block access tothe exploit when no referrer is present.
Blackhole exploit kit holds a list of 132,220 bot IPs which can beautomatically blocked by the engine. This way the exploit kit is not exposed toautomated security crawlers.
Figure 6: Bots List
This feature is really annoying. Blackhole ExploitKit v2 contains an IP list of ToR endpoint nodes, so if this flag is turned on,security researchers won't be able to use ToR for analysis.
Figure 7: ToR List
Upon installing the exploit kit a list of 2,147 ToR nodesare loaded into the database and are updated automatically.
This one is a really cool feature: once the attack campaignis over, the administrator can switch their blackhole exploit kit v2 into a "monitoringmode" of sorts. In this stage the exploit kit is not supposed to receive anytraffic, therefore, the exploit kit author assumes the incoming traffic belongsto security vendors. The IPs that are captured during that time are reportedback to Blackhole author and added to the list of bots.
Figure 8: IP collected list
These captured IPs inserted into the database and publishedto Blackhole customers.
Now let's view the new control panel settings:
Figure 9: Blackhole Exploit Kit v2 control panel - Preferences section
In this new version of Blackhole exploit kit, theadministrator can define when the engine will replace the current domain with anew one to avoid Anti-Virus detection. Using the "AntiVirus Check" feature, theexploit kit tests the URL of the exploitation page with underground Anti-Viruswebsites (VirTest and Scan4you). The administrator can control the change rateof the URL after it has been discovered by a certain number of Anti-Virusvendors.
"Threads" is pretty similar to older version of Blackhole,where the administrator can create multiple attacks with different viruses.
Figure 10: Blackhole Exploit Kit v2 control panel - Threads section
The significant feature added in this section is the"Traffic" feature. Unlike older version of the Blackhole Exploit Kit, the newversion serves the exploit only one time per IP address. The administrator canconfigure a webpage or a message to users that continue to access the servermore than once.
In conclusion, it is clear that this new generation ofBlackhole Exploit Kit puts a lot of effort into new evasion techniques that areaimed towards making the lives of security researchers as difficult as they canbe while taking the focus off obfuscation techniques, which used to be the maintheme in exploit kit updates in the past. .
Needless to say, customers of Trustwave Secure Web Gateway(SWG), version 10.1 and higher, are protected by default with no need for anyfurther update.
Thanks to my colleague Anat Davidi for her contribution tothis post.