Just a couple of weeks after the source code for the Zeus crimeware kit turned up on the Web, the Black Hole exploit kit now appears to be available for download for free, as well. Black Hole normally sells for $1,500 for an annual license, and is one of the more powerful attack toolkits on the market right now.

The Black Hole exploit kit is somewhat newer and less well-known than attack toolkits such as Zeus and Eleonore, but it has been used by attackers for major Web-based attacks for the last few months. Researchers have found that thousands of URLs have been infected with Black Hole exploit code, which is then used to infect site visitors via drive-by downloads. Kits such as Black Hole and Zeus typically will sell for upwards of $1,000 for an annual license, and some of them also give buyers the option to add extra modules and exploits for additional fees.

Now, bargain-hunting attackers can avoid paying the high prices the Black Hole creators are charging for the kit and simply download it for free. Like the leak of the Zeus source code, the availability of Black Hole for free does not bode well for site owners and defenders. Sophisticated attack tools are becoming more and more prevalent, and the ease of use of some of these toolkits, many of which are basically point-and-shoot, makes them usable by a much broader audience than was ever the case in the past.

“If the ZeuS leak was like giving a machine gun for free, giving away exploit kits is like providing the ammo. We will now see much more use of those exploit and malware kits by less talented groups of cyber criminals,” said Aviv Raff, CTO at security firm Seculert, who said he has seen the freely available version of Black Hole, as well as other similar kits.

The exploit kit can be found on some free file-sharing sites, but Raff said that the free version is not the most up-to-date one and likely doesn’t have the most current exploits in it. Black Hole, like other similar toolkits, includes exploits for a number of recent vulnerabilities and also has a feature that enables users to direct traffic from various sources to specific destinations whenever they choose.

“One highly touted feature of BlackHole toolkit is its TDS or Traffic Direction Script. While this is not an entirely new concept in attack toolkits the TDS included here is much more sophisticated and powerful than those in other kits. A TDS is basically an engine that allows redirection of traffic through a set of rules. For example, a user can set up a set of rules that redirect flow to different landing pages on their domain. These rules could be based on operating system, browser, country of origin, exploit, files, etc. One rule might redirect traffic to page A for all users that are running Windows OS from XP to Vista and running IE 8, while another rule can redirect Windows 7 users to page B,” the documentation for Black Hole 1.02 says, according to a post on an aggregation site called The Hacker News.

The advent of exploit kits such as Zeus, Eleonore and Black Hole has made life much easier for would-be attackers who don’t want to go through the actual effort of identifying vulnerable sites and developing exploits for the vulnerabilities. It has also created a nice, profitable business for the developers behind the kits, who are able to sell them at a premium, with some going for as much as $5,000 for a one-year license.

Comments (3)

  1. Rob Ralston

    Hello. What is the mechanism which is being exploited on these sites in order to infect them?

    From some other posts, it appears that malicious JavaScript is being placed on the affected sites, but what is allowing this “kit” to place the malicious code on the sites?

    Thanks.

  2. Anonymous

    People, come on. You have GOT to be kidding! Where are the Feds on this issue? Their usual place with their heads up their ass!?!? And this column acts like this is an OK thing, or at least nothing unusual. This is why we have the problems on the internet like we do. Viruses rampant, foreign hackers trying to gain access to our computers for any little bit of info to make a buck – HEY … I GOT AN IDEA. TRY WRITING SOFTWARE THAT ACTUALLY PERFORMS A BENEFIT TO EVERYONE RATHER THAN SCREWS WITH THEM!

  3. Anonymous

    The MySQL website hack was done by injecting a script that generates an iFrame that redirects the visitors to a site where the Black Hole exploit pack is hosted.
