Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/25/2011
04:42 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Freebie Black Hole Exploit Kit Limited By Encoding

Obfuscated and encoded code prevents easy customization and creation of new versions

A free download of the Black Hole crimeware exploit kit is now available to anyone, but it's locked down such that users can't customize or build new versions of it.

Black Hole is a Web exploit kit believed to be developed by Russian hackers; it is typically used for drive-by download attacks using Java and Adobe PDF exploits, among others. It has become one of the most widely deployed exploit kits and is relatively pricey, with a $1,500 annual license fee. Its creator also offers shorter-term licenses: $35 for one day, $700 for three months, and $1,000 for six months.

But the freebie Black Hole version circulating online isn't as feature-rich as the paid version. The download link contains obfuscated and encoded PHP code, says HD Moore, CSO of Rapid7 and chief architect of Metasploit. That means unlike the recent release of the unencoded Zeus source code, anyone who uses the Black Hole free download can't build new versions of it, he says.

The software also includes a large DAT file that houses copies of stolen passwords and other sensitive data, Moore says. It appears to be a snapshot of an installed Black Hole kit from a server, he says.

And Moore says it likely was not the Black Hole creator who released the kit. "Someone pirated someone else's software and released it," Moore says. "You can't change and modify it [when] it's encoded ... Decoding it is a big project. You'd have to decode every [piece of] PHP code, file by file. It's so far removed from standard reverse-engineering ... that it's just not that useful."

So the freebie Black Hole crimeware kit is fairly limited, although a user could salvage the exploits it contains: "The exploits themselves are useful," Moore says. "You could grab copies of the exploit and build out your own exploits. But that won't buy you much because the AV engines [already] have it."

Another possibility is that the Black Hole author himself leaked the kit, says Alen Puzic, security researcher at HP DVLabs, and is offering that limited version of the kit as a marketing ploy, of sorts. "This is a tactic used quite often: They leak their own copy that doesn't have all of the features the newest copy has," Puzic says. "So if users end up liking the leaked copy, they might want to buy the full copy. I suspect that might have happened."

Puzic says Zeus' author used that strategy. "Whenever there was a new copy of Zeus [malware kit], the old copy was leaked for free," he says. "That really worked for them."

The bottom line is that with yet another free crimeware kit out there, cybercrime is bound to benefit. "We'll see more cybercrime as a result of this, for sure," Puzic says. "I'll be interested to see what happens next ... But I think this [free tool] is very dangerous."

And Aviv Raff, CTO of Seculert, says having this and Zeus available for free will make them available to "bottom feeders" of the cybercrime ecosystem. "Having both malware and exploit kits available freely for anyone to download and use will allow even the 'bottom feeders' of the cybercrime ecosystem to start using those dangerous weapons together. If malware kits -- like Zeus -- are like the weapon, the exploit kits -- like Black Hole -- are the ammo," Raff says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13485
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2020-13486
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVE-2020-13482
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-13458
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13459
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.