Here at Websense Security Labs, we like to keep our ears to the ground to listen carefully for new threats. Yesterday, another researcher blog announced that there was a new version of the infamous Blackhole exploit kit. The advertisement for the new version of Blackhole was posted on an underground forum and was written in Russian. For those of you who may be unaware, Blackhole is by far the most popular web-based exploit kit in the black market to date.
A few of the interesting updates to the exploit kit are noted here:
- Dynamic URL generation, so there is no longer a standard URL pattern that could be used to identify the kit.
- IP blocking at the executable URL, so that AV companies can't just download your binary. This is meant to slow down AV detection.
- Use of Captcha in the admin panel login page, to prevent brute forcing unauthorized access.
For a full listing of updates, you can view the English translated advertisement here.
We put some feelers out in our ThreatSeeker network, to see what we could find and determine if there were any changes in the code that Blackhole uses. Sure enough, we found some malicious links in a recent email campaign that lead to Blackhole with new obfuscation. The creator of this kit changes the obfuscation as often as a model changes clothes at a fashion show!
That being said, we can't confirm that this example is in fact version 2.0, but it won't be much of a surprise to see a new version of this kit using this new obfuscation. From the looks of the de-obfuscated code below, this one may not be 2.0. Notice the use of PluginDetect on line 5; the advertisement states that the author no longer uses this.
Websense® ThreatSeeker® Network is constantly on the lookout for threats like this, so that we can protect our customers using ACE™, our Advanced Classification Engine.