Schneier on Security
A blog covering security and security technology.
« New Siemens SCADA Vulnerabilities Kept Secret |
| Black Box Records in Automobiles »
May 25, 2011
Blackhole Exploit Kit
It's now available as a free download:
A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime.
The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting legitimate sites can be redirected using these scripts to scareware portals on sites designed to exploit browser vulnerabilities in order to distribute banking Trojans, such as those created from the ZeuS toolkit.
Posted on May 25, 2011 at 11:55 AM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hmmmm, a free download from a criminal malware company? What could *possibly* go wrong with that?
Not really..."The exploit kit can be found on some free file-sharing sites, but Raff said that the free version is not the most up-to-date one and likely doesn't have the most current exploits in it."
In other words, he hasn't really examined the so-called "free kits", the blackhole leaks are fairly irrelevant portions of old releases and they aren't fully working when one tries to install them. So they don't provide any entry level access to a market. "Free" is a poor descriptor for leaked portions of an incomplete code package that won't really work. But when spun, it makes for an attention grabbing headline and some valuable recognition for his company!
I'm not sure it's safe to click ANYTHING on this page!
Oh yeah, this analogy makes no sense: "If the ZeuS leak was like giving a machine gun for free, giving away exploit kits is like providing the ammo."
Let's see, Zeus is the payload that steals victim information (which is the goal here), and the exploit kits are the method of delivery. So the analogy is backwards - giving away the kit is giving away the grenade launcher, giving away zeus is giving away the grenade. But it's not a destructive payload, so that's a lame analogy too.
I heard they released it under GPL. So if you install a rootkit on someone's system, you have to send them the source code.
Am I the only one looking forward to the Google Chromebook to shield me from this sort of stuff?
I'm more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.
When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.
Some have begun with BIOS security:
Some BIOS has write protection in its configuration, a lot of newer computers don't.
> which up until now would cost around
> $1,500 for an annual licence,
Instead of paying the $1,500, I always used a pirated copy.
How is this new? There have always been warez sites where bad guys posted malware for anyone to use.
Didn't they expect that sooner or later, the owner of a fully-functional, paid-for copy would reverse-engineer it, and offer it more cheaply, or for free?
@ Richard Schwartz: No, right link. "Randy" was trying to make a point about how easy it can be to socially-engineer people to visit malicious sites. "Dr. I Needtob Athe" *almost* got the point - the true point is it's not safe to click on *any* link, *anywhere*, unless you've observed the destination, either in the browser status bar or by "copy link location" (paste to text and read it), and/or have ample protective measures in place.
@ Randy: I was willing to play your game, because as expected, Firefox + NoScript, along with ad-blocking software, presented a harmless page saying the domain was for sale. The JSView add-on for Firefox allows examination of the scripts even though NoScript is blocking them. Good point, though. Also a good point that the above combo -- Firefox + NoScript, with the latter in lockdown (ultra-paranoid) mode, prevents an awful lot of these exploits. Even POCs by white-hats often don't work unless you allow them in NoScript.
@ The Poster With No Name:
"> which up until now would cost around
> $1,500 for an annual licence,
Instead of paying the $1,500, I always used a pirated copy."
You beat me to that one by an hour or so. I would add that "annual licence"? Surely once a haxxor owns it, he could hack it to keep it going without the renewal fee. No honor among thieves.
@ Moderator: Not a complaint, just a question: Apparently the post "at May 25, 2011 4:05pm" had the "Name" field left completely blank. I thought "some" entry was required, and preferably not "anonymous", as Bruce explains, just to make it easier to refer to earlier posts? Or did this poster find a character that makes the Name field happy, but doesn't display?
Again, not complaining. The post was funny and right on-topic, and if s/he was able to avoid displaying a name, it's just one more example, if trivial, of messing with sites. Cheers.
How did I leave you out? Sorry!
"Am I the only one looking forward to the Google Chromebook to shield me from this sort of stuff?"
Why "look forward", when the NoScript add-on to Firefox has shielded users from this kind of stuff for years? And a mobile version is available for testing and eventual release:
("US NSA has endorsed the use of NoScript")
"Amazing coincidence, just a few hours earlier my own NSA project had exited “stealth mode” to official become NoScript 3.0a1 for Firefox Mobile.
Adventurous Android Alpha (AAA) testers are welcome :)"
@tommy "the post "at May 25, 2011 4:05pm" had the "Name" field left completely blank"
What are we? Users? Figure out how she did it.
Or I'll license the secret for $15 a year.
@ BF Skinner: The issue wasn't figuring out the hack, the issue was that as Bruce says, it's hard to carry on discussions with 15 posters named "anonymous", or with no names at all.
@ Moderator: Sorry, there was a warez site giving it away for free...
Guess I didn't expect that these fields would parse HTML. It would be fun testing that, except it's not nice to our gracious and informative host, and I'm not that kind of person.
Tommy: I would add that "annual licence"? Surely once a haxxor owns it, he could hack it to keep it going without the renewal fee. No honor among thieves.
As if it was so difficult to put some code in it to verify if the payment is due and "own" the infringer otherwise.
Thieves usually have more honor than ordinary people. It keeps them free and alive.
@ Bruce / Moderator
some of the above posts are copies of earlier posts.
And as the seo name is also a link I suspect they are spam.
Based on a couple of days observation this particular spam bot/person, tends to go for the shortest post or paragraph to copy...
Interesting trend. These are not only useful for criminals, but just as much for researchers and anti-malware distributors to get a better understanding of how exactly they work. And of course a fine middlefinger to those who actually paid for them.
the post by "scatpeeD" from "May 26, 2011 3:51 AM" (which may have been moderated out of existence by now) is clearly spam ...
except, it seems to serve no purpose. In case it has been deleted, I will summarize it as being a set of phrases that would be used by people looking for a very specific type of pornography. (the username should give a hint.)
except, neither the post, nor the author's name, contain any outbound links. so if someone were to search for that kind of porn, they would have this page come up as search results ... and then have nowhere to go.
can someone explain to me how this form of link-free spam is in any way effective?
and now, I must test to see if I can post a blank name.
Jake, I suspect most link-free spam comments are just mistakes. I used to see occasional comments with something like <URL HERE> in them, too, although it's been a while. Spam with no links is much more likely to make it through the filters, so even a very low rate of errors could equal a substantial fraction of spam actually appearing on the blog.
Another possibility is that they're probes: the spammer could check a couple of days later, and if the test comment is still there, post it again with the link. The advantage over just posting the link in the first place would be a reduced chance that the URL winds up on a blacklist somewhere.
Or there's Clive's idea that spam comments could control a botnet, but I'll let him explain that one if he likes....
One more I forgot: sometimes spam includes links in the form of HTML code that gets stripped out when the comment is published. That wasn't the case with "scatpeeD," though.
Or the pornspam words could be a genuine code (not cipher) communicating the next terrorist plot... (Movie plot threat, anyone?)
Now, *here's* a cool sig! :)
no name is easy if you know how. i do this for passwords, can you tell me what i did? lol
I think the null font I used was code stolen from Novel and included in windows source code by M$
Just use the NoBrowser plug-in. It's fairly impenetrable.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.