The past couple of weeks have been interesting times for anyone following the malicious Blackhole exploit kit that continues to dominate the charts.
Don't get me wrong, we expect changes and updates - the individuals behind the kit work tirelessly to try and evade security products. However, some of the recent changes are a little confusing to say the least!
One of the key aspects of the Blackhole exploit kit that we identified in previous research was the organised and coordinated nature of the kit. For example, as soon as a new obfuscation method was added, we would quickly see it in use, across the majority of exploit sites being tracked.
The release, in September 2012, of Blackhole exploit kit version 2 introduced several changes, but the coordinated 'rollout' of minor tweaks and modifications continued.
And so to the recent developments we have been observing. First, a quick recap of what we are seeing:
So what is going on? Why this sudden burst of diversity from Blackhole?
Or is this a new kit? Are some of these recent Blackhole changes actually not Blackhole at all, but some other kit?
As I have been putting together this post, I see that our colleagues at F-Secure are asking a similar question.
Several factors point to this being Blackhole (or at least very closely related - same codebase, potentially same authors).
- obvious similarities in the function names, filenames, structure etc. of the exploit site
- incoming user traffic is using the same malicious script injections (Mal/Iframe-W redirects injected into legitimate web sites)
- URL structure used in the kit is consistent with Blackhole v2

Personally I suspect these new 'flavours' of Blackhole are from the same group. However, there is one nagging doubt I have: some of the new features could be considered retrograde steps for Blackhole. Why would they revert to using predictable content within the URLs?

Whatever the case, we will continue to monitor these attacks closely, ensuring our reputation filtering and content detection technologies protect customers, regardless of the group behind them!
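The first of the factors above, similarity in function names and filenames across landing pages, is the kind of structural fingerprint an analyst uses to decide whether two exploit sites share a codebase. As an added illustration (not code from the original post, and not Blackhole code), the script below compares two constructed landing-page snippets on exactly those two features. The sample scripts SAMPLE_A and SAMPLE_B are made up for this example; the names they share are chosen to show how the comparison behaves when the directory in a URL changes but the filename and a function name do not.

```python
import re
from posixpath import basename

# Constructed sample landing-page scripts for this example only. They are NOT
# real Blackhole code; they merely share one function name and one filename.
SAMPLE_A = """
function aa(){var x=document.createElement('iframe');x.src='/closest/page.php';document.body.appendChild(x);}
function bb(q){return q.replace(/[^a-z]/g,'');}
"""

SAMPLE_B = """
function aa(){var y=document.createElement('iframe');y.src='/news/page.php';document.body.appendChild(y);}
function cc(z){return z.split('');}
"""

# Declared function names: "function <name>("
FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(")
# Quoted absolute paths such as '/closest/page.php'
PATH_RE = re.compile(r"['\"](/[^'\"\s]+)['\"]")


def function_names(script):
    """Set of function names declared in the script."""
    return set(FUNC_RE.findall(script))


def referenced_filenames(script):
    """Last path component of every quoted absolute path.

    The directory part of a kit URL often varies between sites while the
    filename stays the same, so only the basename is compared.
    """
    return {basename(p) for p in PATH_RE.findall(script)}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_landing_pages(s1, s2):
    """Per-feature overlap scores between two landing-page scripts."""
    return {
        "function_names": jaccard(function_names(s1), function_names(s2)),
        "filenames": jaccard(referenced_filenames(s1), referenced_filenames(s2)),
    }


if __name__ == "__main__":
    print(compare_landing_pages(SAMPLE_A, SAMPLE_B))
```

For the constructed samples the filenames overlap completely (1.0) while the function names overlap by one third, which is the shape of evidence the post describes: the same filename and some of the same identifiers reappearing across sites with different directory names. Real attribution would add further features (script structure, injection method, URL layout), but the comparison mechanics are the same.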
Sophos detection names for the components of these attacks:

- Landing page detections: Mal/ExpJS-N, Mal/ExpJS-AN, Mal/ExpJS-AV
- Flash content detections: Troj/SWFExp-AI, Troj/SWFExp-BE
- PDF detections: Troj/PDFJS-AAS, Troj/PDFEx-GX
- Java detections: Mal/JavaGen-A, Mal/JavaGen-C, Mal/JavaGen-E

Thanks to Gabor and Ferenc in Sophos's Budapest lab for their assistance in putting together the content for this article.
Black hole image from Shutterstock.