Blackhole Exploit Kit

It’s now available as a free download:

A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime.

The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting legitimate sites can be redirected using these scripts to scareware portals on sites designed to exploit browser vulnerabilities in order to distribute banking Trojans, such as those created from the ZeuS toolkit.

Tags: cybercrime, exploits, hacking, malware

Posted on May 25, 2011 at 11:55 AM • 28 Comments

Comments

Andrew • May 25, 2011 12:33 PM

Hmmmm, a free download from a criminal malware company? What could possibly go wrong with that?

Randy • May 25, 2011 12:34 PM

None of this is true. Visit http://foo1.com for details.

Randy – sorry

Richard Schwartz • May 25, 2011 12:41 PM

Randy: Wrong link?

j • May 25, 2011 12:58 PM

Not really…”The exploit kit can be found on some free file-sharing sites, but Raff said that the free version is not the most up-to-date one and likely doesn’t have the most current exploits in it.”

In other words, he hasn’t really examined the so-called “free kits”, the blackhole leaks are fairly irrelevant portions of old releases and they aren’t fully working when one tries to install them. So they don’t provide any entry level access to a market. “Free” is a poor descriptor for leaked portions of an incomplete code package that won’t really work. But when spun, it makes for an attention grabbing headline and some valuable recognition for his company!

Dr. I. Needtob Athe • May 25, 2011 12:58 PM

I’m not sure it’s safe to click ANYTHING on this page!

j • May 25, 2011 1:05 PM

Oh yeah, this analogy makes no sense: “If the ZeuS leak was like giving a machine gun for free, giving away exploit kits is like providing the ammo.”

Let’s see, Zeus is the payload that steals victim information (which is the goal here), and the exploit kits are the method of delivery. So the analogy is backwards – giving away the kit is giving away the grenade launcher, giving away zeus is giving away the grenade. But it’s not a destructive payload, so that’s a lame analogy too.

Shaun • May 25, 2011 2:03 PM

I heard they released it under GPL. So if you install a rootkit on someone’s system, you have to send them the source code.

Russ • May 25, 2011 3:29 PM

Am I the only one looking forward to the Google Chromebook to shield me from this sort of stuff?

Sardine • May 25, 2011 3:48 PM

I’m more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security:

http://www.biosbits.org/

Some BIOS has write protection in its configuration, a lot of newer computers don’t.

Anonymous • May 25, 2011 4:05 PM

which up until now would cost around
$1,500 for an annual licence,

Instead of paying the $1,500, I always used a pirated copy.

tommy • May 25, 2011 5:49 PM

How is this new? There have always been warez sites where bad guys posted malware for anyone to use.

Didn’t they expect that sooner or later, the owner of a fully-functional, paid-for copy would reverse-engineer it, and offer it more cheaply, or for free?

@ Richard Schwartz: No, right link. “Randy” was trying to make a point about how easy it can be to socially-engineer people to visit malicious sites. “Dr. I Needtob Athe” almost got the point – the true point is it’s not safe to click on any link, anywhere, unless you’ve observed the destination, either in the browser status bar or by “copy link location” (paste to text and read it), and/or have ample protective measures in place.

@ Randy: I was willing to play your game, because as expected, Firefox + NoScript, along with ad-blocking software, presented a harmless page saying the domain was for sale. The JSView add-on for Firefox allows examination of the scripts even though NoScript is blocking them. Good point, though. Also a good point that the above combo — Firefox + NoScript, with the latter in lockdown (ultra-paranoid) mode, prevents an awful lot of these exploits. Even POCs by white-hats often don’t work unless you allow them in NoScript.

@ The Poster With No Name:

“> which up until now would cost around

$1,500 for an annual licence,
Instead of paying the $1,500, I always used a pirated copy.”

You beat me to that one by an hour or so. I would add that “annual licence”? Surely once a haxxor owns it, he could hack it to keep it going without the renewal fee. No honor among thieves.

@ Moderator: Not a complaint, just a question: Apparently the post “at May 25, 2011 4:05pm” had the “Name” field left completely blank. I thought “some” entry was required, and preferably not “anonymous”, as Bruce explains, just to make it easier to refer to earlier posts? Or did this poster find a character that makes the Name field happy, but doesn’t display?

Again, not complaining. The post was funny and right on-topic, and if s/he was able to avoid displaying a name, it’s just one more example, if trivial, of messing with sites. Cheers.

tommy • May 25, 2011 5:58 PM

@ Russ:

How did I leave you out? Sorry!

“Am I the only one looking forward to the Google Chromebook to shield me from this sort of stuff?”

Why “look forward”, when the NoScript add-on to Firefox has shielded users from this kind of stuff for years? And a mobile version is available for testing and eventual release:

(“US NSA has endorsed the use of NoScript”)
“Amazing coincidence, just a few hours earlier my own NSA project had exited “stealth mode” to official become NoScript 3.0a1 for Firefox Mobile.

Adventurous Android Alpha (AAA) testers are welcome :)”

http://hackademix.net/2011/05/04/nsa-and-middle-east-rebels-agree/

BF Skinner • May 25, 2011 7:49 PM

@tommy “the post “at May 25, 2011 4:05pm” had the “Name” field left completely blank”

What are we? Users? Figure out how she did it.

Moderator • May 25, 2011 9:14 PM

Or I’ll license the secret for $15 a year.

• May 25, 2011 11:14 PM

@ BF Skinner: The issue wasn’t figuring out the hack, the issue was that as Bruce says, it’s hard to carry on discussions with 15 posters named “anonymous”, or with no names at all.

@ Moderator: Sorry, there was a warez site giving it away for free…

tommy

Robert'); DROP TABLE Admins;-- • May 25, 2011 11:24 PM

Guess I didn’t expect that these fields would parse HTML. It would be fun testing that, except it’s not nice to our gracious and informative host, and I’m not that kind of person.

http://xkcd.com/327/

tommy

Josh • May 26, 2011 3:51 AM

Tommy: I would add that “annual licence”? Surely once a haxxor owns it, he could hack it to keep it going without the renewal fee. No honor among thieves.

As if it was so difficult to put some code in it to verify if the payment is due and “own” the infringer otherwise.

Thieves usually have more honor than ordinary people. It keeps them free and alive.

Clive Robinson • May 26, 2011 5:33 AM

@ Bruce / Moderator

some of the above posts are copies of earlier posts.

And as the seo name is also a link I suspect they are spam.

Based on a couple of days observation this particular spam bot/person, tends to go for the shortest post or paragraph to copy…

Dirk Praet • May 26, 2011 10:17 AM

Interesting trend. These are not only useful for criminals, but just as much for researchers and anti-malware distributors to get a better understanding of how exactly they work. And of course a fine middlefinger to those who actually paid for them.

Jake • May 26, 2011 10:41 AM

the post by “scatpeeD” from “May 26, 2011 3:51 AM” (which may have been moderated out of existence by now) is clearly spam …

except, it seems to serve no purpose. In case it has been deleted, I will summarize it as being a set of phrases that would be used by people looking for a very specific type of pornography. (the username should give a hint.)

except, neither the post, nor the author’s name, contain any outbound links. so if someone were to search for that kind of porn, they would have this page come up as search results … and then have nowhere to go.

can someone explain to me how this form of link-free spam is in any way effective?

• May 26, 2011 10:44 AM

and now, I must test to see if I can post a blank name.

Moderator • May 26, 2011 11:17 AM

Jake, I suspect most link-free spam comments are just mistakes. I used to see occasional comments with something like <URL HERE> in them, too, although it’s been a while. Spam with no links is much more likely to make it through the filters, so even a very low rate of errors could equal a substantial fraction of spam actually appearing on the blog.

Another possibility is that they’re probes: the spammer could check a couple of days later, and if the test comment is still there, post it again with the link. The advantage over just posting the link in the first place would be a reduced chance that the URL winds up on a blacklist somewhere.

Or there’s Clive’s idea that spam comments could control a botnet, but I’ll let him explain that one if he likes….

Moderator • May 26, 2011 11:22 AM

One more I forgot: sometimes spam includes links in the form of HTML code that gets stripped out when the comment is published. That wasn’t the case with “scatpeeD,” though.

¶ → tommy ← ¶ • May 26, 2011 5:40 PM

Or the pornspam words could be a genuine code (not cipher) communicating the next terrorist plot… (Movie plot threat, anyone?)

Now, here’s a cool sig! 🙂

• May 27, 2011 10:27 AM

no name is easy if you know how. i do this for passwords, can you tell me what i did? lol

• May 27, 2011 10:36 AM

I think the null font I used was code stolen from Novel and included in windows source code by M$

Shane • May 27, 2011 1:56 PM

Just use the NoBrowser plug-in. It’s fairly impenetrable.

ANON123 • May 30, 2011 12:16 AM

they are quite a few packs easily available to download from media sharing sites. when googling for blackhole I stumbled upon this site that links quite a few. however they are all obfuscated but with a little tampering you can get the actual php/javascript.

“BlackHole Exploit Kit, Available for Download !

Another New Exploit kit is now in Black Market called BlackHole Exploit Kit. After The Public Release of

Source code of ZeuS Botnet Version: 2.0.8.9
http://www.thehackernews.com/2011/05/finally-source-code-of-zeus-crimeware.html

Crimepack 3.1.3 Exploit kit
http://www.thehackernews.com/2011/05/crimepack-313-exploit-kit-leaked.html

26 more Underground Hacking Exploit Kits
http://www.thehackernews.com/2011/05/26-underground-hacking-exploit-kits.html

Now 1st Public Release of BlackHole Exploit Kit is here…

By : http://www.thehackernews.com/“