Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/25/2011
04:42 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Freebie Black Hole Exploit Kit Limited By Encoding

Obfuscated and encoded code prevents easy customization and creation of new versions

A free download of the Black Hole crimeware exploit kit is now available to anyone, but it's locked down such that users can't customize or build new versions of it.

Black Hole is a Web exploit kit believed to be developed by Russian hackers; it is typically used for drive-by download attacks using Java and Adobe PDF exploits, among others. It has become one of the most widely deployed exploit kits and is relatively pricey, with a $1,500 annual license fee. Its creator also offers shorter-term licenses: $35 for one day, $700 for three months, and $1,000 for six months.

But the freebie Black Hole version circulating online isn't as feature-rich as the paid version. The download link contains obfuscated and encoded PHP code, says HD Moore, CSO of Rapid7 and chief architect of Metasploit. That means unlike the recent release of the unencoded Zeus source code, anyone who uses the Black Hole free download can't build new versions of it, he says.

The software also includes a large DAT file that houses copies of stolen passwords and other sensitive data, Moore says. It appears to be a snapshot of an installed Black Hole kit from a server, he says.

And Moore says it likely was not the Black Hole creator who released the kit. "Someone pirated someone else's software and released it," Moore says. "You can't change and modify it [when] it's encoded ... Decoding it is a big project. You'd have to decode every [piece of] PHP code, file by file. It's so far removed from standard reverse-engineering ... that it's just not that useful."

So the freebie Black Hole crimeware kit is fairly limited, although a user could salvage the exploits it contains: "The exploits themselves are useful," Moore says. "You could grab copies of the exploit and build out your own exploits. But that won't buy you much because the AV engines [already] have it."

Another possibility is that the Black Hole author himself leaked the kit, says Alen Puzic, security researcher at HP DVLabs, and is offering that limited version of the kit as a marketing ploy, of sorts. "This is a tactic used quite often: They leak their own copy that doesn't have all of the features the newest copy has," Puzic says. "So if users end up liking the leaked copy, they might want to buy the full copy. I suspect that might have happened."

Puzic says Zeus' author used that strategy. "Whenever there was a new copy of Zeus [malware kit], the old copy was leaked for free," he says. "That really worked for them."

The bottom line is that with yet another free crimeware kit out there, cybercrime is bound to benefit. "We'll see more cybercrime as a result of this, for sure," Puzic says. "I'll be interested to see what happens next ... But I think this [free tool] is very dangerous."

And Aviv Raff, CTO of Seculert, says having this and Zeus available for free will make them available to "bottom feeders" of the cybercrime ecosystem. "Having both malware and exploit kits available freely for anyone to download and use will allow even the 'bottom feeders' of the cybercrime ecosystem to start using those dangerous weapons together. If malware kits -- like Zeus -- are like the weapon, the exploit kits -- like Black Hole -- are the ammo," Raff says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17513
PUBLISHED: 2019-10-18
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .