Blackhole Exploit Kit: Popular Malware Among Cybercriminals

The Blackhole exploit kit is a collection of malicious code that exists on fraudulent websites, or can be illegally injected onto legitimate, but hacked, websites. These pieces of code are designed to detect and exploit vulnerabilities in Web browsers and create security risks for PCs.

In 2011, Blackhole was the most popular browser exploit kit among cybercriminals, according to Trend Micro, an Internet security company. As of Oct. 22, 2013, of all online malware, the Blackhole exploit kit was ranked 60th in the world, affecting users in 212 countries and more than 18,000 websites, according to AVG Threat Labs.

The exploit kit was developed in the underground cybermarket, and had been difficult for authorities to track down. However, the hacker who created and managed Blackhole was arrested in early October 2013, which may have somewhat reduced the threat.

Exploit kits are bundles of software designed to commit crimes, or crimeware. They enable criminals to package and distribute many different pieces of malware, and also manage the networks created by some of that malware.

Kits that focus on infecting users through Web attacks are known as browser exploit kits or browser exploit packs. Browser exploit kits allow attackers to take advantage of vulnerabilities in Web browsers by using many different forms of malware, greatly increasing the chances that something will get through and infect computers.

Blackhole, the most common of the browser exploit kits, includes a rental strategy, where individuals/criminals pay for the use and maintenance of the hosted exploit kit for a specific period of time. The first release of Blackhole charged up to $1,500 per year for a license.

The Blackhole exploit kit is a favorite of online criminals because of the high amount of traffic that is redirected to it, traffic that is fundamental to an exploit kit’s success. Blackhole is also good at evading detection, which is a huge selling point. A kit will fail if it is easily blocked through content URL filtering, IDS, or content detection.

Most importantly, the business model is ideal. The kits are competitively priced and offer a sound business model, and actively updated exploit kits such as Blackhole contain the latest malware proven to work against top Web browsers.

The Blackhole exploit kit works by infecting pages served by legitimate websites and servers, compromising them with malicious code. When users browse these pages, the code (often malicious JavaScript) silently loads content from the original exploit site.

Criminals using the Blackhole exploit kit also use spam email, tempting users to click on embedded Web links by pretending to be a reputable site or user, like LinkedIn, the U.S. Postal Service, US Airways, Facebook and Paypal. The embedded links open compromised websites in Web browsers.

A white paper by Trend Micro describes a typical email-based attack:

  1. Spam arrives in a user's inbox.
  2. A link embedded in the email leads to a compromised website.
  3. A page on the compromised website redirects the user to a page on a malicious website.
  4. The page attempts to exploit various software vulnerabilities in the user's system.
  5. If one of the attempts works — because the user's computer has not been updated with the latest security patches, for example — a malware variant is downloaded, infecting the user's computer.
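The injection pattern this article describes (a compromised page carrying a hidden iframe or obfuscated JavaScript that silently pulls in the exploit site, step 3 above) can be checked for on the defender's side. The scanner below is an added example, not code from the article or any vendor; the sample page, the `.test` hostnames and the obfuscation markers are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a legitimate page with an injected hidden iframe and an
# obfuscated inline script. Illustration only, not a real compromised page.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="http://landing.example-attacker.test/go.php" width="0" height="0"
 style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'))</script>
<script src="/js/site.js"></script>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Markers typical of injected, obfuscated redirect scripts (assumed list).
OBFUSCATION_MARKERS = (r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode",
                       r"%[0-9a-fA-F]{2}(?:%[0-9a-fA-F]{2}){7,}")

def _host(url):
    """Extract the lowercase hostname from an absolute URL ('' if none)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()

class InjectionScanner(HTMLParser):
    """Flags hidden off-site iframes and obfuscated inline scripts."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "visibility:hidden" in style or "display:none" in style)
            src_host = _host(a.get("src", ""))
            if hidden and src_host and src_host != self.site_host:
                self.findings.append(("hidden-iframe", a["src"]))
        elif tag == "script":
            self._in_script = "src" not in a   # only inline bodies are inspected

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            hits = [m for m in OBFUSCATION_MARKERS if re.search(m, data)]
            if len(hits) >= 2:   # a single marker alone is common in benign code
                self.findings.append(("obfuscated-script", data.strip()[:40]))

def scan_page(html, site_host):
    """Return a list of (finding_type, evidence) tuples for one HTML document."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

Running `scan_page(SAMPLE_PAGE, "www.example.test")` reports the zero-size off-site iframe and the eval/unescape script while leaving the visible embedded video and the normal site script alone.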

Blackhole targets many browser vulnerabilities, particularly in the plug-ins that provide browser support for Adobe Reader, Adobe Flash and Java — all of which are commonly used on business and consumer PCs.

After a computer has been compromised, the code delivers the “payload,” which is the purpose of the exploit. Some common payloads include fake anti-virus software, the ZeuS banking Trojan, the TDSS and ZeroAccess rootkits and many forms of ransomware.

If a pop-up warning comes up when surfing a site, it’s likely that your computer's anti-virus software was able to block the malware, and your PC is probably safe. But there are a number of other ways to keep your computer and data safe from the Blackhole exploit kit.

It’s important to keep your operating system up to date, as well as all of the other software and applications on your PC. Never accept downloads from unknown sources or click on links in emails from unfamiliar senders.

Anti-virus software can offer fairly complete protection from the Blackhole exploit kit, as well as other exploit kits and types of malware. This software must be kept up to date in order to keep the user safe from newer malware, as hackers are constantly coming up with new code and malware.

After a threat is detected, it’s best to perform a full device scan with updated anti-virus definitions. Tom's Guide sister site TopTenReviews has compared anti-virus software and recommends Bitdefender, Kaspersky and Norton, among others.

The impact of the recent arrest of the hacker behind the Blackhole exploit kit remains to be seen. It's not clear whether Blackhole will disappear, be taken over by other developers or be replaced by other exploit kits.