Google’s Chrome browser is something of a tough customer for the infamous and widely deployed Blackhole Exploit Kit, according to Blue Coat security researcher, Adnan Shukor.
Shukor notes there has been an uptick in the kit’s use of plain HTML files, instead of iframes, to redirect users to exploit pages. While the malicious HTML file is loading, users are presented with some sort of loading, waiting, or connecting to server message before they get redirected to the compromised site.
After the redirect, a script kicks in to check the user agent string and identify the browser. If the browser is detected as Internet Explorer or Firefox, then Blackhole executes its normal payload, attempting to exploit any number of Reader, Java, or Internet Explorer vulnerabilities. However, if a user is operating on the Chrome browser, a second redirect takes place, leading that user to fake Chrome update installer that they must agree to download.
Shukor claims the disparity in the way Blackhole exploits Chrome and its method for other browsers likely has to do with Chrome’s rendering of PDF files in its non-Adobe PDF reader and a feature that requires user permission before running Java applets.
The Blackhole Exploit Kit has been around for years and shows no signs of slowing down. It got an upgrade back in September that added a number of new features that make it harder for researchers to access and reverse-engineer the kit, to URL randomization that makes tracking down compromised sites nearly impossible, to replacing old, less effective exploits with new ones, less likely to be patched on user-machines.
Not a week, it seems, goes by where you don’t read some story about some new iteration or use of the kit, whether it’s spoofing some payroll confirmation email or masquerading as a Facebook alert.