Blackhole Exploit Kit - What They Are and How They Work - Case Study Example

The paper "Blackhole Exploit Kit - What They Are and How They Work" describes the Blackhole exploit kit's general and unique traits. It argues that Blackhole delivers in all three aspects of exploit kits that are critical to differentiating between them: traffic, business model, and evasion of detection.
Blackhole Exploit Kit

Introduction

The Blackhole exploit kit is defined as a framework designed to deliver exploits through third-party or compromised websites (Rajaraman, 2011). Experts in information technology and computer science consider it the most prevalent web threat at present. The primary purpose of the Blackhole exploit kit is to deliver a malicious payload or exploits to the victim's computer. It is most notable for its sophisticated Traffic Direction Script (TDS), which enables attackers to construct or configure rules that enforce custom responses. It can deliver different malware depending on the operating system and geographical location of the victim, or depending on the time of day or other criteria that the attacker has defined (Howard, 2012). Often, a user visits a legitimate but compromised website that has been outfitted with an external or iframe reference pointing to the Blackhole exploit site. Because of this invisible call, malware and exploits are delivered silently while the user browses the legitimate but compromised website. The victim is not forcibly redirected, so there is no visible sign: the user is likely to remain on the legitimate website and is likely to be unaware that malware is loading in the background (International Business, 2012).

In order to give a better understanding of this topic, this paper discusses in more detail what Blackhole exploit kits are and how they work. In recent times, the Blackhole exploit kit has gained wide adoption and is one of the most common exploit frameworks used for the delivery of web-based malware (Ouchn, 2012). This type of crimeware web application was developed by a Russian hacker known as HodLum to take advantage of unpatched vulnerabilities and hack computers through malicious scripts planted on legitimate but compromised websites.
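The silent iframe injection described above is what a defender looks for when auditing a possibly compromised page. The following Python scanner is an added example, not code from the paper or from any source it cites: it flags iframe tags that both load content from a host other than the page's own and are concealed by size or inline style. The sample HTML and every hostname in it are constructed placeholders, not real indicators.

```python
# Added example (not from the paper): flag concealed, third-party <iframe> injections.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline style fragments that hide a frame from the visitor (constructed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)

def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel, a classic invisible frame."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Records every <iframe> that is both external to the page and concealed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []   # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append("external src")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/one pixel size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via style")
        # A visible same-site frame is normal; flag only external AND concealed frames.
        if "external src" in reasons and len(reasons) > 1:
            self.findings.append((src, reasons))

def find_hidden_iframes(html, page_host):
    """Return [(src, [reasons])] for concealed iframes that load third-party content."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one normal embed plus one injected invisible frame.
# The hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://landing.example.invalid/index.php?q=1" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""
```

Running `find_hidden_iframes(SAMPLE_HTML, "www.example.com")` reports only the second frame, with all three reasons; a large, visible third-party embed is left alone.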
The first Blackhole exploit kit appeared on the market in August 2010 (Howard, 2012). Since then, there have been newer releases, as well as a free version of the kit. The Blackhole exploit kits are based on a MySQL and PHP backend and incorporate support for exploiting the most vulnerable and widely used security flaws, with the purpose of giving hackers the highest probability of successful exploitation (Rajaraman, 2011). Typically, these kits target versions of the Windows operating system, as well as applications installed on the Windows platform. The most famous Blackhole exploit kit attack was in April 2011 and targeted the website of the United States Postal Service's Rapid Information Bulletin Board System (RIBBS) (Wisniewski, 2012). There are various versions of the Blackhole exploit kit, including v1.0.0, the first version, released in late 2010, and v1.2.2, the most recent version, released in February 2012 (Ouchn, 2012). The Blackhole exploit kit is made up of a series of PHP scripts designed to run on a website or web server. These scripts are protected using the commercial ionCube encoder, presumably to prevent other miscreants from stealing the code and, as a side effect, to hinder analysis (International Business, 2012). The Blackhole exploit kit has general characteristics that enable it to deliver exploits through compromised websites. These characteristics include configuration options for the usual parameters, such as redirect URLs, file paths, query string parameters, passwords and usernames.
Others include blocking and blacklisting features (importing blacklisted ranges, maintaining an IP blacklist, hitting any IP only once, and blacklisting by referrer URL); a MySQL backend; targeting of various client vulnerabilities; a management console that provides a statistical summary and breaks down successful infections by country, browser, affiliate/partner, operating system and exploit; auto-update; and antivirus scanning add-ons (Howard, 2012). While these characteristics may apply to several other kits, some features are unique to the Blackhole exploit kit. Unlike other exploit kits, which are commodities sold outright, Blackhole includes a rental strategy that allows individuals to pay for the use of the hosted exploit kit for a certain period of time. Blackhole is not exclusively rental, however, as other licenses are also available (Rajaraman, 2011). Like most exploit kits, Blackhole targets a range of vulnerabilities in particular client software; its recent emphasis has been on Java, Adobe Flash and Adobe Reader (International Business, 2012). The dramatic rise in the number of malicious samples in recent years has been attributed mainly to server-side polymorphism (SSP). SSP is defined as the situation where the encryption engine is hosted in the web server's scripts, mostly PHP, and is used periodically to rebuild the content. It is therefore perfectly suited to all web-delivered threats. The technique is most effective when applied to files that can easily be generated on each request, such as PDF and HTML, but it can also be used to build polymorphic content for many other types of file. It is worth noting that all exploit kits, including Blackhole, use SSP in trying to evade detection (Howard, 2012).
Blackhole has been identified as one of the most persistent threat campaigns ever experienced in the information technology world. The coordinated nature of changes in code obfuscation has been identified as one of Blackhole's peculiarities (Ouchn, 2012). It is speculated that this peculiarity arises because of the centralized control provided by Blackhole's rental model: unlike other exploit kits, where attackers buy the kit and host or administer it themselves, updates tend to be deployed very quickly to Blackhole websites. When the threat Blackhole poses is compared against other web threats in the threat statistics, Blackhole features prominently. Of the threats detected, redirects from legitimate sites make up the bulk of Blackhole exploit kit detections. Blackhole accounts for approximately half of exploit websites, implying that it is the most dominant kit on the market (Ouchn, 2012). Given that dominance, how does one mount a defense against this kit? Information technology and computer science experts explain that such a defense can be mounted by making sure that the operating system, browser plugins and browser in use are up to date (Rajaraman, 2011). Since Blackhole targets vulnerabilities in old versions of browsers such as Safari, Google Chrome, Firefox and Internet Explorer, and in popular plugins such as Java, Adobe Flash and Adobe Acrobat, it is critical that they are updated frequently. In addition, a defense against the Blackhole exploit kit can be mounted by running a security utility with a good host-based intrusion prevention system (HIPS) and a good antivirus (Howard, 2012). As a result of the polymorphic code used to generate the Blackhole exploit kit's variants, there is a high possibility that antivirus will lag behind the kit's new, automatically generated variants.
However, altering the algorithm applied in loading malware onto victims' computers takes more effort from the criminal(s) developing this type of kit. Beyond that, a good HIPS should be used to defend against new or emerging Blackhole variants that reuse previously known algorithms (International Business, 2012). Experts in the field of information technology and computer science have been trying to find out why Blackhole has grown to become the most successful and prolific exploit kit in use today. Howard (2012) argues that since the primary goal of exploit kits is to provide a service for persons who want to infect computer users with malware, the kit that best achieves this goal is considered the most successful. Currently, Blackhole is considered the most successful exploit kit. So, what are the key factors that differentiate Blackhole from other exploit kits and make it the most successful? Experts observe that Blackhole delivers in all the aspects that make exploit kits successful. The first aspect is traffic, that is, how much user traffic is redirected to a particular exploit kit. In this respect Blackhole delivers, as it has significant volumes of web traffic redirected to the sites hosting it (Ouchn, 2012). This can be attributed to the defacement of large numbers of legitimate websites, as well as to multiple spam campaigns. Blackhole's authors have taken measures to retain control of the exploit kit market by encoding the scripts, in order to prevent others from copying the code and the business model, which includes a rental option that allows individuals to pay for a hosted service (Rajaraman, 2011). Blackhole's content is extremely polymorphic and aggressively obfuscated.
The second aspect that differentiates exploit kits and makes one kit more successful than others is evasion of detection, that is, whether a kit can be blocked through URL filtering, or caught by content detection and IDS. Blackhole has delivered on this aspect through its efforts to evade detection, although some aspects of the kit, such as its query string structure, filenames and URL paths, have remained static over a considerable period of time (Howard, 2012). The final aspect that differentiates successful exploit kits is the business model. This aspect determines whether an exploit kit is competitive in the market: a kit is considered competitive when it has a sound business model and is competitively priced. For the past 12-18 months, Blackhole has been the most notorious and prevalent of the exploit kits used to infect people's computers with malware (Howard, 2012). Blackhole has used a number of techniques and tricks to shape what it sees as competing kits, both now and in the future. Many experts in the information technology industry argue that, in the absence of legal intervention against the Blackhole exploit kit, it will continue to be one of the main channels through which users are infected with malicious scripts or malware (Rajaraman, 2011).

Conclusion

In recent years, the amount of malware has increased significantly because of the use of automation, as well as kits that facilitate its creation and distribution. Blackhole is a type of crimeware that takes advantage of unpatched vulnerabilities with the aim of hacking computers through malicious scripts planted on legitimate but compromised websites. As has been noted, the Blackhole exploit kit has general characteristics that could apply equally to other kits. Besides these, it has unique features that make it the most successful exploit kit.
It has delivered in all three aspects of exploit kits that are critical to differentiating between them: traffic, business model, and evasion of detection. While the Blackhole exploit kit is the most successful exploit kit, users can mount defenses against it. These defenses include making sure that the operating system, browser plugins and browsers are up to date, and running a security utility with a good HIPS and a good antivirus.

References

Howard, F. (2012). Exploring the Blackhole Exploit Kit. Retrieved on 23 November from http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-14/
International Business, T. (2012, August 29). New Java Vulnerability Being Exploited by Blackhole-based Attacks. International Business Times.
Ouchn, N. (2012). BlackHole Exploit Kit 2.0 Released and Updated with New Exploits. Retrieved on 23 November, 2012 from http://www.toolswatch.org/2012/09/blackhole-exploit-kit-2-0-released-updated-with-new-exploits/
Rajaraman, V. (2011). Fundamentals of computers. New Delhi: PHI Learning Private Ltd.
Wisniewski, M. (2012). U.S. Found on Top in Malware Attacks. American Banker, 177(137), 11.