Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:42 PM
Connect Directly

Freebie Black Hole Exploit Kit Limited By Encoding

Obfuscated and encoded code prevents easy customization and creation of new versions

A free download of the Black Hole crimeware exploit kit is now available to anyone, but it's locked down such that users can't customize or build new versions of it.

Black Hole is a Web exploit kit believed to be developed by Russian hackers; it is typically used for drive-by download attacks using Java and Adobe PDF exploits, among others. It has become one of the most widely deployed exploit kits and is relatively pricey, with a $1,500 annual license fee. Its creator also offers shorter-term licenses: $35 for one day, $700 for three months, and $1,000 for six months.

But the freebie Black Hole version circulating online isn't as feature-rich as the paid version. The download link contains obfuscated and encoded PHP code, says HD Moore, CSO of Rapid7 and chief architect of Metasploit. That means unlike the recent release of the unencoded Zeus source code, anyone who uses the Black Hole free download can't build new versions of it, he says.

The software also includes a large DAT file that houses copies of stolen passwords and other sensitive data, Moore says. It appears to be a snapshot of an installed Black Hole kit from a server, he says.

And Moore says it likely was not the Black Hole creator who released the kit. "Someone pirated someone else's software and released it," Moore says. "You can't change and modify it [when] it's encoded ... Decoding it is a big project. You'd have to decode every [piece of] PHP code, file by file. It's so far removed from standard reverse-engineering ... that it's just not that useful."

So the freebie Black Hole crimeware kit is fairly limited, although a user could salvage the exploits it contains: "The exploits themselves are useful," Moore says. "You could grab copies of the exploit and build out your own exploits. But that won't buy you much because the AV engines [already] have it."

Another possibility is that the Black Hole author himself leaked the kit, says Alen Puzic, security researcher at HP DVLabs, and is offering that limited version of the kit as a marketing ploy, of sorts. "This is a tactic used quite often: They leak their own copy that doesn't have all of the features the newest copy has," Puzic says. "So if users end up liking the leaked copy, they might want to buy the full copy. I suspect that might have happened."

Puzic says Zeus' author used that strategy. "Whenever there was a new copy of Zeus [malware kit], the old copy was leaked for free," he says. "That really worked for them."

The bottom line is that with yet another free crimeware kit out there, cybercrime is bound to benefit. "We'll see more cybercrime as a result of this, for sure," Puzic says. "I'll be interested to see what happens next ... But I think this [free tool] is very dangerous."

And Aviv Raff, CTO of Seculert, says having this and Zeus available for free will make them available to "bottom feeders" of the cybercrime ecosystem. "Having both malware and exploit kits available freely for anyone to download and use will allow even the 'bottom feeders' of the cybercrime ecosystem to start using those dangerous weapons together. If malware kits -- like Zeus -- are like the weapon, the exploit kits -- like Black Hole -- are the ammo," Raff says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...