Obfuscated and encoded code prevents easy customization and creation of new versions

A free download of the Black Hole crimeware exploit kit is now available to anyone, but it's locked down such that users can't customize or build new versions of it.

Black Hole is a Web exploit kit believed to be developed by Russian hackers; it is typically used for drive-by download attacks using Java and Adobe PDF exploits, among others. It has become one of the most widely deployed exploit kits and is relatively pricey, with a $1,500 annual license fee. Its creator also offers shorter-term licenses: $35 for one day, $700 for three months, and $1,000 for six months.

But the freebie Black Hole version circulating online isn't as feature-rich as the paid version. The download link contains obfuscated and encoded PHP code, says HD Moore, CSO of Rapid7 and chief architect of Metasploit. That means unlike the recent release of the unencoded Zeus source code, anyone who uses the Black Hole free download can't build new versions of it, he says.

The software also includes a large DAT file that houses copies of stolen passwords and other sensitive data, Moore says. It appears to be a snapshot of an installed Black Hole kit from a server, he says.

And Moore says it likely was not the Black Hole creator who released the kit. "Someone pirated someone else's software and released it," Moore says. "You can't change and modify it [when] it's encoded ... Decoding it is a big project. You'd have to decode every [piece of] PHP code, file by file. It's so far removed from standard reverse-engineering ... that it's just not that useful."

So the freebie Black Hole crimeware kit is fairly limited, although a user could salvage the exploits it contains: "The exploits themselves are useful," Moore says. "You could grab copies of the exploit and build out your own exploits. But that won't buy you much because the AV engines [already] have it."

Another possibility is that the Black Hole author himself leaked the kit, says Alen Puzic, security researcher at HP DVLabs, and is offering that limited version of the kit as a marketing ploy, of sorts. "This is a tactic used quite often: They leak their own copy that doesn't have all of the features the newest copy has," Puzic says. "So if users end up liking the leaked copy, they might want to buy the full copy. I suspect that might have happened."

Puzic says Zeus' author used that strategy. "Whenever there was a new copy of Zeus [malware kit], the old copy was leaked for free," he says. "That really worked for them."

The bottom line is that with yet another free crimeware kit out there, cybercrime is bound to benefit. "We'll see more cybercrime as a result of this, for sure," Puzic says. "I'll be interested to see what happens next ... But I think this [free tool] is very dangerous."

And Aviv Raff, CTO of Seculert, says having this and Zeus available for free will make them available to "bottom feeders" of the cybercrime ecosystem. "Having both malware and exploit kits available freely for anyone to download and use will allow even the 'bottom feeders' of the cybercrime ecosystem to start using those dangerous weapons together. If malware kits -- like Zeus -- are like the weapon, the exploit kits -- like Black Hole -- are the ammo," Raff says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights