Blackhole exploit kit

Black Hole (also written Blackhole) is an exploit kit which now has a market share of almost 30 percent. It was probably developed by Russian cybercriminals, as can be inferred from screenshots available on the internet.

The infrastructure of Black Hole

Black Hole is sold for a fee ($1,000 per half-year) and provides a (relatively comfortable) administration via a web interface. Its special feature is that the developers of Black Hole react very quickly to new security vulnerabilities: the exploit published for the Java vulnerability CVE-2012-4681 was integrated into Black Hole twelve hours after its release.

A detailed description of the server infrastructure of Black Hole is not possible. New servers go online every day, and some are taken off the network again after a few hours or days. In addition, many of these nodes are located inside anonymizing networks (e.g. Tor), which makes identifying the persons responsible virtually impossible. Most of the servers are in the U.S. (nearly 30%), followed by Russia (~17.5%).

A typical blackhole infection

Most Blackhole infections follow this scheme: first, an advertising server (i.e. a server on the internet that inserts advertising into other, unsuspecting websites) is hacked and manipulated so that it loads scripts in the background which forward visitors to a web server. That server then probes the visitor's computer for vulnerabilities (for example outdated plugins) and exploits those it finds. If the attack on a computer succeeds, a so-called payload is loaded: a program that performs further actions, such as removing traces or downloading new malicious code tailored to that computer.

Operation of Black Hole

It is not known exactly how Black Hole is operated by the "end user". The few screenshots on the internet suggest a web interface or a GUI program. What does seem certain, however, is that Black Hole is relatively comfortable to use, i.e. without tedious programming of exploits or payloads. Further details are not known.

Payloads

Release of Blackhole

The first version of the exploit kit was released on "Malwox", a Russian hacker forum. The exact date and the license under which the program was published are unknown. Version 2.0 (or higher) currently appears to be the latest.

Countermeasures

Black Hole stands out for its above-average management. The developer or developers (pseudonym: Paunch) are obviously very experienced at finding new malicious programs or programming them themselves. According to an article, the IT security firm Sophos tries to track the exploit kit and calls on users to take more security measures (backups, updating critical programs, etc.). The success of these measures cannot be estimated, because little or nothing is known about how high the number of computers infected by Blackhole would otherwise be.

Since Black Hole increasingly relies on zero-day exploits, automatic updating helps little against those, but it usually does prevent infection through exploits that are already known.

Like other exploit kits, Black Hole manipulates hacked websites by inserting a script (usually JavaScript) which, when the page is loaded, automatically analyzes the browser or the operating system in the background and probes for vulnerabilities. If it finds any, it attempts to exploit them. Plug-ins or add-ons that prevent the reloading of scripts (for example NoScript) would help against this.
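The injection step described in the infection scheme and in the paragraph above leaves visible traces in the served HTML: a hidden iframe, or a script or iframe element whose source is a host the site does not normally use. The following is an added example, not code from the article or from the Blackhole kit itself: a standard-library Python scanner that flags both markers on a constructed sample page. The host names and the allow-list are assumptions made up for the example; a real deployment would feed it the HTML of its own pages and its own list of legitimate hosts.

```python
"""Flag injection markers of the kind exploit-kit campaigns leave in web pages:
hidden iframes and iframe/script elements loaded from hosts outside an allow-list.
Added example; not code from the article or from Blackhole."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionFinder(HTMLParser):
    """Collects iframe/script elements that look injected."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []  # list of (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        if tag == "iframe" and self._is_hidden(a):
            reasons.append("hidden iframe")
        # Relative src (hostname None) is same-origin and not flagged here.
        host = urlparse(src).hostname if src else None
        if host and host.lower() not in self.trusted:
            reasons.append(f"external {tag} src host {host}")
        if reasons:
            self.findings.append((tag, src, reasons))

    @staticmethod
    def _is_hidden(a):
        """Zero-sized or CSS-hidden frames are the classic injection pattern."""
        style = a.get("style", "").replace(" ", "").lower()
        zero = (a.get("width", "").strip() in ("0", "0px")
                or a.get("height", "").strip() in ("0", "0px"))
        return zero or "display:none" in style or "visibility:hidden" in style


def find_injected_elements(html, trusted_hosts):
    """Return the suspicious (tag, src, reasons) tuples found in html."""
    parser = InjectionFinder(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (hypothetical hosts): one legitimate script from the
# site's own host, plus a hidden iframe and a loader script from an unknown host.
SAMPLE_PAGE = """<html><head>
<script src="https://www.example-news.test/js/site.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://ad-stats.invalid/count.php" width="0" height="0" style="display:none"></iframe>
<script src="http://ad-stats.invalid/loader.js"></script>
</body></html>"""

SITE_HOSTS = ["www.example-news.test"]  # assumed allow-list for the sample site

if __name__ == "__main__":
    for tag, src, reasons in find_injected_elements(SAMPLE_PAGE, SITE_HOSTS):
        print(f"{tag:6} {src}  <- {', '.join(reasons)}")
```

Run over the sample page, the scanner reports the zero-sized iframe and the external loader script and stays silent on the site's own `site.js`. The allow-list is the key design choice: without it, any third-party script (analytics, ad networks) would be flagged, so it should be built from a known-good crawl of the site rather than guessed.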

As recently announced, the developer of Black Hole (pseudonym: Paunch) has been arrested in Russia together with some accomplices.

Prominent cases of blackhole attacks

  • On April 3, 2013 it was announced that a new and exceptionally well-programmed malicious program called Darkleech was in circulation. Darkleech infects Apache web servers and does not trigger attacks against IP addresses belonging to security companies. It is believed that Darkleech was programmed by the developers of the Blackhole exploit kit, because it reloads malicious code from Blackhole pages.
  • According to a Heise Security report of 8 April 2013, a botnet called Cutwail is currently particularly active again. In addition to an online banking Trojan, it spreads malware for Android. Again, victims are redirected to Blackhole pages.