The first Blackhole exploit kit was bad, but version 2.0 is starting to look even nastier.
Websense Inc. recently reported they had sent a Russian-speaking undercover researcher to feel around for information on any updates to the kit. What he found in the code looked suspiciously like a new, improved version of the hacking tool.
And now, according to Chris Astacio, manager of security research at Websense, they’re confident that Blackhole 2.0 has indeed arrived and is now going to be harder to detect.
Astacio said his company found two significant upgrades to Blackhole. The first is code that allows users to create their own custom URLs, rather than having to use a standard one. This makes it harder to identify the kit.
The second is the addition of IP blocking capabilities. Hackers can now keep an IP blacklist of anyone visiting the URL hosting the binary, rather than simply the people visiting the landing page.
This means that security professionals can more effectively be stymied in their efforts to download the binaries and examine them, he said.
The creator or creators of the Blackhole kit seem remarkably keen on changing the methods of obscuring it, he added. This doesn’t happen “anywhere near as often for other kits,” said Astacio. For example, the obfuscation for the Phoenix exploit kit is changed every time a new version emerges, roughly three to six times a year, whereas with Blackhole, “we’ve seen as often as one to two times a month,” he said.
If you’re a hacker selling exploit kits, this is simply good business sense. It allows campaigns to run longer by keeping them out of reach of security pros longer, he added.
Astacio would not discuss specifics of how members of his team get access to the underground sites where the kits can be downloaded, though he did say that some of the “more rich communities” with obscure types of kits have extensive vetting processes.
An undercover researcher would have to engage in a bit of “asset gathering” — finding someone who can vouch for them and get them in the door. After that, it’s just a matter of keeping your head down,” he said.
“Definitely you don’t want anybody within that forum to know that you’re a researcher, a security researcher at that,” Astacio said. If they do find out, retribution could come in the form of anything from simply kicking the person off the forum to “DDoSing their Web site that perhaps hosts a blog that releases information like this.”
But for the most part, researchers that do infiltrate these communities are protected well enough by the sheer number of people, hackers or not, viewing the site, Astacio said.
As for protecting yourself, as an Internet user, from constantly changing exploit kits like Blackhole, Astacio advises being vigilant about updating and patching your system.
“The most important thing that people can do to keep themselves safe from these kits is absolutely keep… all of their plugins up to date — so your PDM [portable document management] viewer, your Flash viewer, as well as Java, of course, being the most important one.”
“As long as you keep all your Web-based software up to date on your computer you should be fine.”
But sometimes, with threats like the recently discovered zero-day vulnerability in Java, that isn’t enough, he said. Those kinds of dangers can only be identified by security firms, like his own, which are constantly examining the content of malicious sites, he said.