Security Response

Blackhole 2.0 Exploited to Push Advertisements

Created: 20 Sep 2012 14:29:21 GMT • Updated: 23 Jan 2014 18:12:20 GMT • Translations available: 日本語
Andrea Lelli

The popular Blackhole Exploit Kit has gained a lot of media attention recently when its author announced the imminent release of version 2.0, boasting a list of new interesting features. Recently we were very surprised when we found a website hosting what is supposed to be version 2.0 of the Blackhole Exploit Kit. Naturally, we started investigating and soon discovered that something about the website was not right.

Figure 1. The (suspicious) statistics page of the exploit kit

Looking at Figure 1, you can see a label at the bottom of the page clearly saying Blackhole v.2.0, but apart from this difference, the rest of the page looks very similar to the old version:

Figure 2. The statistics page of the old version of the exploit kit

The main content section of both pages is the same. However, at the top of the “new” version (Figure 1) there is a light blue table containing some Russian text in the area where the Blackhole menu should be. The text roughly translates to:

Advertising: [REMOVED] - service encryption iframe / javascript code.
Advertising: Dedicated servers in its own data center in Syria under any projects. Experience 6 + years in the market. Quality sounds! ;-)
[REMOVED]
Advertising: Unique service domain registration packs. Under any topic. Fast, comfortable, safe. [REMOVED]

It is now clear that this page is merely using the Blackhole 2.0 name as bait in an attempt to lure users into visiting the page and reading the advertisements. This method is not new; spammers often use names of famous people and products or the latest news events to try to lure users into reading their spam emails. However, it is quite unusual to see a popular exploit kit name used in this manner.

So what is being advertised? A service for registering domain names, one for server hosting, and another for encrypting JavaScript and iframes. Altogether these services could offer cybercriminals a complete infrastructure to be used for hosting cybercrime operations. In fact, the website advertising encryption and the one advertising domain registering are both well known for providing infrastructures aimed at "dirty ops."

Further indications of this Blackhole Exploit Kit 2.0 page being forged include:

  • The name of this page is bhstat.php, which is a known file name of the old version and is accessible without authentication.
  • No other known Blackhole PHP page seems to be present on that website.
  • The Exploits section (ЭКСПЛОИТЫ in the image) conveniently reports a Java pack, which was also mentioned in the description of version 2.0, published by the exploit pack author.

In conclusion, the page is not the new Blackhole Exploit Kit 2.0; it is a rehashed version of the current Blackhole Exploit Kit page, pretending to be the new one. The people behind this page do not have version 2.0; they more than likely have nothing to do with Blackhole and are only trying to advertise their services by exploiting a well-known name to gain attention. Their targets are clearly cybercriminals who would be interested in using an exploit kit and who would need an infrastructure for hosting it.

I wonder if the Blackhole author will file a copyright complaint!

Update [October 18, 2012] – Following further investigations and accessing other open servers hosting instances of the new Blackhole Exploit Kit, we can now confirm that the website discussed in the above blog was an actual instance of the Blackhole Exploit Kit 2.0. Thanks to Kaffeine for feedback that made this finding possible.