SpiderLabs Blog

Blackhole Exploit Kit v2

A few days ago a new version of THE most common exploit kit was released. Unlike most exploit kit authors, who try to keep a low profile, the author of Blackhole publishes his work in Russian forums and even writes detailed information regarding his new product.

Figure 1: Blackhole Exploit Kit v2 login panel

Notice that the login panel requires a CAPTCHA, to defeat automated scanners that guess default passwords. This feature is not new in exploit kits, but it is definitely not common.

Let's review the important changes that have been made in Blackhole Exploit Kit v2 compared to the Blackhole Exploit Kit v1:

Basically, the author of Blackhole has put a lot of effort into evading detection by Anti-Virus vendors and security researchers, and focuses less on new obfuscation techniques.

Let's compare the new variant of Blackhole Exploit Kit with the old one:

Figure 2: Blackhole Exploit Kit v2 obfuscated code

The older version:

Figure 3: Blackhole Exploit Kit v1 obfuscated code

By comparing the code in the two screenshots above, we can see that the core of the obfuscation algorithm is the same. First, the "try/catch" technique; second, some obfuscated code loaded from the DOM using "getElementsByTagName"; and finally a set of basic math operations that unpacks the obfuscated code and executes it.
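The three traits just listed (a try/catch probe, payload text read from the DOM with getElementsByTagName, and character-code arithmetic feeding eval) are static and survive the per-campaign re-packing, so they make a reasonable triage heuristic for captured landing pages. The scanner below is an added example written for this post, not code from the exploit kit or from Trustwave; the indicator regexes, their weights, the threshold and both sample scripts are my own constructions inferred from the description above, not extracted from the kit.

```python
"""
Static heuristic for the landing-page pattern described above: a try/catch probe,
payload text pulled from the DOM with getElementsByTagName, arithmetic on
character codes, and a final eval. Added example; the indicator list is an
inference from the article's description and both sample scripts are constructed.
"""
from __future__ import annotations

import re

# (indicator name, pattern, weight). Weights are illustrative, not tuned.
INDICATORS = [
    ("try_catch_probe", re.compile(r"\btry\s*\{[^}]*\}\s*catch\s*\(", re.S), 1),
    ("dom_payload", re.compile(r"getElementsByTagName\s*\(\s*['\"]\w+['\"]\s*\)"), 2),
    ("charcode_math", re.compile(r"fromCharCode\s*\(\s*[^)]*[-+*/%][^)]*\)"), 2),
    ("dynamic_exec", re.compile(r"\b(?:eval|Function)\s*\("), 2),
    ("long_number_run", re.compile(r"(?:\d{1,3}[^\w]{1,3}){40,}"), 1),
]
THRESHOLD = 5  # assumed cut-off: two strong indicators plus one weak one


def score_script(source: str) -> tuple[int, list[str]]:
    """Score one page/script body; returns (score, names of matched indicators)."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def is_suspicious(source: str) -> bool:
    """True when the weighted indicator score reaches THRESHOLD."""
    return score_script(source)[0] >= THRESHOLD


# Constructed fixture mimicking the structure described for Figure 2: an element
# holding dash-separated numbers, and a decoder that reads, unpacks and runs it.
_NUMBERS = "-".join(str(n) for n in range(40, 90))
SAMPLE_LANDING_PAGE = f"""
<html><body>
<span id="p">{_NUMBERS}</span>
<script>
try {{ q = document.body; }} catch (e) {{ ww = 0; }}
var s = document.getElementsByTagName("span")[0].innerHTML.split("-");
var out = "";
for (var i = 0; i < s.length; i++) {{ out += String.fromCharCode(s[i] * 1 - 2); }}
eval(out);
</script>
</body></html>
"""

# Constructed benign script that also touches the DOM but decodes nothing.
BENIGN_SCRIPT = """
var items = document.getElementsByTagName("li");
for (var i = 0; i < items.length; i++) { items[i].className = "done"; }
"""

if __name__ == "__main__":
    for label, src in (("landing page", SAMPLE_LANDING_PAGE), ("benign", BENIGN_SCRIPT)):
        score, hits = score_script(src)
        print(f"{label}: score={score} hits={hits} suspicious={is_suspicious(src)}")
```

Because the kit only changes the surrounding maths and element names between builds, the scoring is deliberately structural rather than string-based; a single DOM read scores below the threshold on its own, so ordinary pages that merely call getElementsByTagName are not flagged.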

This is what the de-obfuscated code of Blackhole Exploit Kit v2 looks like:

Figure 4: Blackhole Exploit v2 de-obfuscated code

According to the screenshots above, the new version of Blackhole focuses on evasion techniques. For example, in the code above the PDF and the Jar files are loaded using a unique link that is generated specifically for the user and is valid only for a limited amount of time (definitely a pain in the ass…). As for the files themselves, we will publish a technical analysis of the PDF and Jar exploits served by the new version of Blackhole in a later blog post.

Let's take a closer look at some more interesting stuff added in the new version:

Figure 5: Blackhole Exploit Kit v2 control panel - Security section

Referrers

This option allows the administrator to permit access to the exploit page only from specific referrers, which can be configured using the control panel. The administrator can also configure whether to block access to the exploit when no referrer is present.

Bot List

Blackhole Exploit Kit holds a list of 132,220 bot IPs which can be automatically blocked by the engine. This way the exploit kit is not exposed to automated security crawlers.

Figure 6: Bots List

ToR List

This feature is really annoying. Blackhole Exploit Kit v2 contains an IP list of ToR exit nodes, so if this flag is turned on, security researchers won't be able to use ToR for analysis.

Figure 7: ToR List

Upon installing the exploit kit, a list of 2,147 ToR nodes is loaded into the database and is updated automatically.

Recording Mode

This one is a really cool feature: once the attack campaign is over, the administrator can switch their Blackhole Exploit Kit v2 into a "monitoring mode" of sorts. In this stage the exploit kit is not supposed to receive any traffic; therefore, the exploit kit author assumes the incoming traffic belongs to security vendors. The IPs that are captured during that time are reported back to the Blackhole author and added to the list of bots.

Figure 8: IP collected list

These captured IPs are inserted into the database and published to Blackhole customers.

Now let's view the new control panel settings:

Figure 9: Blackhole Exploit Kit v2 control panel - Preferences section

In this new version of Blackhole Exploit Kit, the administrator can define when the engine will replace the current domain with a new one to avoid Anti-Virus detection. Using the "Antivirus Check" feature, the exploit kit tests the URL of the exploitation page against underground Anti-Virus scanning websites (Vir Test and Scan4you). The administrator can control how quickly the URL is changed after it has been detected by a certain number of Anti-Virus vendors.

"Threads" is pretty similar to older versions of Blackhole, where the administrator can create multiple attacks with different viruses.

Figure 10: Blackhole Exploit Kit v2 control panel - Threads section

The significant feature added in this section is the "Traffic" feature. Unlike older versions of the Blackhole Exploit Kit, the new version serves the exploit only one time per IP address. The administrator can configure a webpage or a message for users that continue to access the server more than once.
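Per-user, time-limited payload links (described with Figure 4) and one-serve-per-IP delivery together mean that a URL seen in a victim's proxy log will never be retrievable again, so reputation and URL blocklists are weak here and the delivery sequence itself becomes the more durable signal. The script below is an added example of that sequence detection, written for this post and not Trustwave's or the product's code; the log format, the 60-second window, the content types and every log line are constructed assumptions, and a hit is a triage lead rather than a verdict.

```python
"""
Proxy-log heuristic for the delivery sequence described above: a client fetches
an HTML landing page and, within seconds, pulls a Jar and a PDF from the same
host over one-off URLs. Added example; the log lines and format are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Content types of the two payload kinds the article says v2 serves.
PAYLOAD_KIND = {
    "application/pdf": "pdf",
    "application/java-archive": "jar",
    "application/x-java-archive": "jar",
}
WINDOW = timedelta(seconds=60)  # assumed: time-limited links are fetched promptly

# Constructed log format (assumption): "<iso-timestamp> <client> <method> <url> <content-type>"
SAMPLE_PROXY_LOG = """
2012-09-15T10:00:01Z 10.0.0.5 GET http://cdn.example.test/site/index.html text/html
2012-09-15T10:00:02Z 10.0.0.5 GET http://landing.example.test/index.php?id=7 text/html
2012-09-15T10:00:05Z 10.0.0.5 GET http://landing.example.test/data/9e1f0b4a7c/ application/java-archive
2012-09-15T10:00:09Z 10.0.0.5 GET http://landing.example.test/data/a0b1c2d3e4/ application/pdf
2012-09-15T10:01:30Z 10.0.0.9 GET http://docs.example.test/manual.html text/html
2012-09-15T10:01:35Z 10.0.0.9 GET http://docs.example.test/manual.pdf application/pdf
"""


def parse_line(line: str) -> dict:
    """Split one constructed proxy-log line into its fields."""
    ts, client, method, url, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname,
        "ctype": ctype,
    }


def find_drive_by_chains(lines: list[str]) -> list[dict]:
    """Return one finding per (client, host) where an HTML fetch is followed
    within WINDOW by both a Jar and a PDF from the same host."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        by_client[ev["client"]].append(ev)

    findings: list[dict] = []
    seen: set[tuple[str, str]] = set()
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, landing in enumerate(events):
            if landing["ctype"] != "text/html" or (client, landing["host"]) in seen:
                continue
            followers = [
                e for e in events[i + 1:]
                if e["host"] == landing["host"]
                and e["ctype"] in PAYLOAD_KIND
                and e["ts"] - landing["ts"] <= WINDOW
            ]
            # Both payload kinds from the same host shortly after the landing page.
            if {PAYLOAD_KIND[e["ctype"]] for e in followers} == {"pdf", "jar"}:
                seen.add((client, landing["host"]))
                findings.append({
                    "client": client,
                    "host": landing["host"],
                    "landing": landing["url"],
                    "payloads": [e["url"] for e in followers],
                })
    return findings


if __name__ == "__main__":
    for f in find_drive_by_chains(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{f['client']} -> {f['host']}: landing {f['landing']}, payloads {f['payloads']}")
```

Keying on the response content type rather than a file extension matters because the unique links in Figure 4 carry no telling suffix; a site that legitimately serves a manual as PDF (the second client above) produces no hit because the Jar half of the pair is missing.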

In conclusion, it is clear that this new generation of Blackhole Exploit Kit puts a lot of effort into new evasion techniques aimed at making the lives of security researchers as difficult as they can be, while taking the focus off obfuscation techniques, which used to be the main theme in exploit kit updates in the past.

Needless to say, customers of Trustwave Secure Web Gateway (SWG), version 10.1 and higher, are protected by default with no need for any further update.

Thanks to my colleague Anat Davidi for her contribution to this post.
