Black Hole exploit kit
Posted: 24 Feb 2011 05:06 PM

The Black Hole exploit kit is an unethical off-the-shelf Web application. The first instance, v.1.0.0 beta, appeared on the black market and was advertised in August 2010 as a "System for network testing". As with most exploit kits, it is based on PHP with a MySQL backend. The payload delivered by this kit usually targets Windows operating systems and the applications installed on them, but the choice depends on the criminals' end goal.

The kit's administrative system includes several so-called "Statistical Widgets". Most widgets provide the same information as the pages in other kits: global statistics, operating systems, top countries and referrers. An interesting feature of this kit is that a criminal can create a custom widget, meaning that the most important and frequently needed statistics can be gathered and shown in one place.

The Black Hole exploit kit uses several protection mechanisms, such as:

  • Integrated antivirus checking based on the API of popular black-hat AVCheck services
  • A database of blacklists based on referrers and IP addresses (including ranges) that blocks access to the system


The kit's settings allow criminals to choose either a Russian or an English interface language, which suggests that the kit was developed in Russia, and to change the name of the malicious payload file and its parameters to evade AV detection. Exploits are encrypted with custom algorithms, which makes this pack difficult for AVs and generic deobfuscation tools and services to analyze.

The Black Hole exploit kit uses the Java OBE (Open Business Engine) toolkit to spread exploits and load the malicious executable onto the victim's machine. Once a victim follows the malicious iframe, the browser downloads a JAR file with an encoded URL parameter; one of the classes in this JAR file decodes that parameter into a clear-text URL. The URL is concatenated with an HTTP GET parameter and then used to download further malicious payload files.

The exploit kit itself is encrypted with the commercial php-cryptor, which keeps its distribution tightly controlled. The kit is therefore only rented to criminals, not sold like many others.
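As an added illustration (not code from this post or from Websense), the following script flags the infection chain described above in a constructed, simplified proxy log: a client fetching a JAR with a long encoded URL parameter, followed within a short window by an executable download. The log format, hostnames, window and parameter-length threshold are all assumptions.

```python
# Added example, not from the original post: flag the drive-by chain above in a
# simplified, constructed proxy log (timestamp client method url status).
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample traffic; hostnames use reserved .test/.invalid names.
SAMPLE_LOG = """\
2011-02-24T10:00:02 10.0.0.5 GET http://kit.invalid/in.php 200
2011-02-24T10:00:03 10.0.0.5 GET http://kit.invalid/Game.jar?m=aHR0cDovL2tpdC5pbnZhbGlkL3cucGhw 200
2011-02-24T10:00:05 10.0.0.5 GET http://kit.invalid/w.php?f=12 200
2011-02-24T10:00:05 10.0.0.5 GET http://kit.invalid/update.exe 200
2011-02-24T10:05:00 10.0.0.9 GET http://cdn.example.test/app.jar 200
2011-02-24T10:20:00 10.0.0.9 GET http://dl.example.test/setup.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
WINDOW = timedelta(seconds=60)   # assumed: the payload follows the JAR quickly
MIN_PARAM_LEN = 16               # assumed: an encoded URL is a long parameter

def parse_log(text):
    """Parse the constructed log format into (time, client, method, url, status)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, status = m.groups()
            rows.append((datetime.fromisoformat(ts), client, method, url, int(status)))
    return rows

def suspicious_jar(url):
    """True for a .jar request carrying at least one long query parameter."""
    u = urlparse(url)
    if not u.path.lower().endswith(".jar"):
        return False
    return any(len(v) >= MIN_PARAM_LEN for vals in parse_qs(u.query).values() for v in vals)

def find_chains(rows):
    """Return (client, jar_url, exe_url) where a suspicious JAR is followed
    within WINDOW by an .exe download from the same client."""
    jars, hits = defaultdict(list), []
    for ts, client, _method, url, status in rows:
        if status != 200:
            continue
        if suspicious_jar(url):
            jars[client].append((ts, url))
        elif urlparse(url).path.lower().endswith(".exe"):
            for jts, jurl in jars[client]:
                if timedelta(0) <= ts - jts <= WINDOW:
                    hits.append((client, jurl, url))
    return hits
```

Client 10.0.0.9 fetches a plain JAR and, much later, an installer, so it is not reported; only the 10.0.0.5 sequence matches.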

Here is a screen shot of the settings page:
Here is a screen shot of the statistics page:
Below is a running list of vulnerabilities that have been used with the Black Hole exploit kit:

  • CVE-2010-1885: HCP
  • CVE-2010-1423: Java argument injection vulnerability in the URI handler in the Java NPAPI plugin
  • CVE-2010-0886: Java unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-0842: Java JRE MixerSequencer invalid array index remote code execution vulnerability
  • CVE-2010-0840: Java Trusted Methods Chaining remote code execution vulnerability
  • CVE-2009-1671: Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
  • CVE-2009-0927: Adobe Reader Collab GetIcon
  • CVE-2008-2992: Adobe Reader util.printf
  • CVE-2007-5659: Adobe Reader CollectEmailInfo
  • CVE-2006-0003: IE MDAC

Artem Gololobov
©2012 Websense, Inc. All Rights Reserved.