Blackhole exploit kit: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 11:55, 1 September 2013 edit 88.150.193.121 (talk) →Basic summary of how Blackhole works Tag: Visual edit ← Previous edit		Latest revision as of 04:55, 5 June 2025 edit undo Citation bot (talk \| contribs) Bots 5,873,329 edits Added date. \| Use this bot. Report bugs. \| Suggested by Abductive \| Category:Articles needing cleanup from May 2025 \| #UCB_Category 383/402
(46 intermediate revisions by 37 users not shown)
Line 1: {{Short description\|Malware toolkit}} ~~{{one source\|date=July 2012}}~~ {{about\|the exploit kit\|other uses\|black hole (disambiguation)}} The '''Blackhole exploit kit''' is currently{{When\|date=March 2013}} the most prevalent [[web threat]], where 28% of all web threats detected by [[Sophos]] and 91% by [[AVG (software)\|AVG]] are due to this exploit kit.<ref name="Howard4.1">{{cite web \|url=http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-14/ \|title=Exploring the Blackhole exploit kit: 4.1 Distribution of web threats\|last1=Howard \|first1=Fraser \|date=March 29, 2012 \|work=Naked Security \|publisher=[[Sophos]] \|accessdate=April 26, 2012}}</ref> Its purpose is to deliver a malicious payload to a victim's computer.<ref name="Howard2.3.4">{{cite web \|url=http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-14/ \|title=Exploring the Blackhole exploit kit: 2.3.4 Payload \|last1=Howard \|first1=Fraser \|date=March 29, 2012 \|work= Naked Security \|publisher=[[Sophos]] \|accessdate=April 26, 2012}}</ref> The supposedly Russian creators use the names "HodLuM" and "Paunch".▼ ▲The '''Blackhole exploit kit''' iswas, ~~currently{{When\|date=March~~as ~~2013}}~~of 2012, the most prevalent [[web threat]], where 2829% of all web threats detected by [[Sophos]] and 91% by [[AVG (software)\|AVG]] are due to this [[exploit kit]].<ref name="Howard4.1">{{cite web \|url=http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-14/ \|title=Exploring the Blackhole exploit kit: 4.1 Distribution of web threats\|last1=Howard \|first1=Fraser \|date=March 29, 2012 \|work=Naked Security \|publisher=[[Sophos]] \|accessdate=April 26, 2012}}</ref> Its purpose is to deliver a [[Malware\|malicious]] [[Payload (computing)\|payload]] to a victim's computer.<ref name="Howard2.3.4">{{cite web \|url=http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-14/ \|title=Exploring the Blackhole exploit kit: 2.3.4 Payload \|last1=Howard \|first1=Fraser \|date=March 29, 2012 \|work= Naked Security \|publisher=[[Sophos]] \|accessdate=April 26, 2012}}</ref> ~~The~~According ~~supposedly~~to ~~Russian~~[[Trend ~~creators use~~Micro]] the ~~names~~majority of infections due to this exploit kit were done in a series of high volume [[Spamming\|spam]] runs.<ref name="~~HodLuM~~Oliver-at-al">{{cite web \|url=http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf \|title=Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs \|date=July 2012 \|publisher=[[Trend Micro]] \|accessdate=October 15, 2013}}</ref> The kit incorporates tracking mechanisms so that people maintaining the kit know considerable information about the victims arriving at the kit's [[landing page]]. The information tracked includes the victim's country, [[operating system]], browser and which piece of software on the victim's computer was exploited. These details are shown in the kit's user interface.<ref name="~~Paunch~~Jones-BlackHat">{{cite web \|url=http://media.blackhat.com/bh-us-12/Briefings/Jones/BH_US_12_Jones_State_Web_Exploits_Slides.pdf \|title=The State of Web Exploit Kits \|date=August 2012 \|publisher=[[Black Hat Briefings]] \|accessdate=October 15, 2013}}</ref> ~~== Basic summary of how Blackhole works ==~~ ==History== Blackhole exploit kit was released on "Malwox", an underground Russian hacking forum. It made its first appearance in 2010.<ref>{{Cite web\|url=https://krebsonsecurity.com/2013/12/meet-paunch-the-accused-author-of-the-blackhole-exploit-kit/\|title=Meet Paunch: The Accused Author of the BlackHole Exploit Kit — Krebs on Security\|website=krebsonsecurity.com\|date=6 December 2013 \|language=en-US\|access-date=2018-03-30}}</ref> The supposedly Russian creators use the names "HodLuM" and "Paunch". It was reported on October 7, 2013 that "Paunch" had been arrested.<ref name="SecurityWeek4.3">{{cite web \|url=http://www.securityweek.com/blackhole-exploit-kit-author-paunch-arrested-reports \|title=Blackhole Exploit Kit Author "Paunch" Arrested \|date=October 8, 2013 \|publisher=Security Week \|accessdate=October 15, 2013}}</ref> Dmitry "Paunch" Fedotov was sentenced to seven years in a Russian penal colony on April 12, 2016.<ref>{{Cite web\| url=http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/ \| first=Brian \| last=Krebs \| author-link= Brian Krebs \| title='Blackhole' Exploit Kit Author Gets 7 Years \| publisher=Krebs on Security \| date=April 14, 2016 \| accessdate=April 20, 2016}}</ref> ==Function== # The customer licenses the Blackhole exploit kit from the authors and specifies various options to customize the kit. # A potential victim loads a compromised web page or opens a malicious link in a ~~spadmmed~~spammed email. # The compromised web page or malicious link in the spammed email sends the user to a Blackhole exploit kit server's landing page. # This landing page contains obfuscated [[JavaScript]] that determines what is on the victim's computers and loads all exploits to which this computer is vulnerable and sometimes a [[Java (software platform)\|Java]] [[applet]] tag that loads a Java Trojan horse. # If there is an exploit that is usable, the exploit loads and executes a payload on the victim's computer and informs the Blackhole exploit kit server which exploit was used to load the payload. == Defenses ~~against the Blackhole exploit kit~~ == {{How-to\|section\|date=May 2025}} A typical defensive posture against this and other advanced malware includes, at a minimum, each of the following: * Ensuring that the browser, browser's plugins, and operating system are up to date. The Blackhole exploit kit targets vulnerabilities in old versions of browsers such as [[Firefox]], [[Google Chrome]], [[Internet Explorer]] and [[Safari (web browser)\|Safari]] as well as many popular plugins ~~like~~such as [[Adobe Flash]], [[Adobe Acrobat]] and [[Java (programming language)\|Java]]. * Running a security utility with a good antivirus ''and'' good [[Intrusion prevention system\|host-based intrusion prevention system]] (HIPS). Due to the [[polymorphic code]] used in generating variants of the Blackhole exploit kit, antivirus signatures will lag behind the automated generation of new variants of the Blackhole exploit kit, while changing the algorithm used to load malware onto victims' computers takes more effort from the developers of this exploit kit. A good HIPS will defend against new variants of the Blackhole exploit kit that use previously known algorithms. ==See also== ~~== First Release on the Internet ==~~ * [[Backdoor (computing)]] ~~Blackhole exploit kit was released on "Malwox", an underground Russian hacking forum.~~ * [[Botnet]] * [[Computer virus]] * [[Exploit (computer security)\|Exploit]] * [[HackTool.Win32.HackAV]] * [[MPack (software)]] * [[Spyware]] * [[Trojan horse (computing)]] * [[DarkComet]] – (Trojan / RAT) == References == {{reflist}} ~~<references />~~ *{{cite web \|url=http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/ \|title=Exploring the Blackhole exploit kit \|last1=Howard \|first1=Fraser \|date=March 29, 2012 \|work=Naked Security \|publisher=[[Sophos]] \|accessdate=April 26, 2012}} {{Malware-stub}}▼ [[Category:Trojan horses]] [[Category:Malware toolkits]] ▲{{Malware-stub}}