3. ► What is an exploit kit?
► A collection of exploits for client-side vulnerabilities, targeting browsers and
the programs (such as Java and Acrobat Reader) that browser activity triggers.
► Hacking for Dummies
► Past exploit kits
► Phoenix (PEK, dating back to 2007), Siberia, Mpack, IcePack, Neosploit,
Hierarchy
► Typically fluctuating in usage and volume
► Exploits and admin relatively static
► Effectiveness declines with patching
► Attack duration limited
WHAT IS AN EXPLOIT KIT?
4. ► Top exploit families detected by Microsoft anti-malware
products in the second half of 2011 and first half of 2012, by
number of unique computers with detections, shaded
according to relative prevalence
WHAT IS AN EXPLOIT KIT?
5. ► Blackhole
► Creators of the kit are suspected to be "HodLuM" and "
► Most prevalent kit on the web?
► Websense: 65% of all exploit detections
► AVG: 91%
► Sophos: 28%
► Microsoft: leads other exploit families in prevalence by a factor of 2
WHAT IS BLACKHOLE?
► Typical kit
► Typically fluctuating in usage and volume
► Exploits and admin relatively static
► Effectiveness declines with patching
► Attack duration limited
► Blackhole
► Usage accelerating – “King of the Kits”
► Exploits continually added and admin interface updated
► Addition of exploits extends window of effectiveness
► Attack duration extended
6. ► The customer licenses the Blackhole exploit kit from the authors and specifies
various options to customize the kit.
► A potential victim loads a compromised web page or opens a malicious link in a
spammed email.
► The compromised web page or malicious link in the spammed email sends the
user to a Blackhole exploit kit server's landing page.
► This landing page contains obfuscated JavaScript that fingerprints the victim's
browser and plugins and loads every exploit the machine appears vulnerable to,
sometimes together with a Java applet tag that loads a Java Trojan horse.
► If there is an exploit that is usable, the exploit loads and executes a payload on
the victim's computer and informs the Blackhole exploit kit server which exploit
was used to load the payload.
BLACKHOLE
8. ► Prevalence and adoption
► How do they maintain dominance?
► Rental model
► Attack vectors (exploits)
► Attack success rates
WHERE NO LIGHT ESCAPES
9. ► Obfuscation
► PHP protection
► AVChecker
► IP blocking
► Traffic Direction Script (TDS)
► Revision history
► Blackhole 2.X
► New features
► What is next?
WHERE NO LIGHT ESCAPES
10. WHERE DO BLACKHOLES EXIST?
► Blackhole GEOIP
► 54% US
► 13.78% Russian Federation
► 6.22% Germany
► 6.4% Virgin Islands
► 2.51% Turkey
► 2.49% Poland
11. ► While past kits were sold relatively indiscriminately,
Blackhole is primarily dispersed through a rental business
model.
► If you want the kit, for the most part, you will have to pay for
the use of the hosted kit for a specific duration.
► Rentals can be for a 24-hour, monthly or annual timeframe.
► Other licenses are also available.
ECONOMIC MODEL
12. ► The pricing model for the first release of Blackhole
ECONOMIC MODEL
15. ► Strong similarities between iFramer code and Blackhole
code
► Similar code structures, and sometimes the same algorithm used in
the obfuscation!
ATTACK TYPES
29. ► Blackhole authors have attempted to protect themselves from the theft of
their code through a number of means. One of these is the rental-only model,
which allows them to keep control of the hosting.
RENT (AS IS)
30. ► PHP script protection with the ionCube encoder
► Deters theft of the kit's source code
► Hinders analysis
OBFUSCATION - PHP
31. ► Configuration options for all the following parameters:
► Querystring parameters
► File paths (for payloads, exploit components)
► Redirect URLs
► Usernames, passwords
► MySQL backend
► Blacklisting/blocking
► Serve each IP only once
► Maintain IP blacklist
► Blacklist by referrer URL
► Import blacklisted ranges
► Auto update
BACK-END FUNCTIONALITY
32. ► Management console provides statistical summary, breaking down
successful infections by:
► Exploit
► OS
► Country
► Affiliate/partner (responsible for directing user traffic to the exploit kit)
► Browser
► Targets a variety of client vulnerabilities
► AV scanning add-ons (through the use of two scanning services,
available as optional extras of course, this is business!)
► Advertisements for additional underground services
MANAGEMENT CONSOLE
37. ► Historically, kits change their obfuscation techniques only
on version releases
► Blackhole seems to change its obfuscation, on average, every two
months!
OBFUSCATION - TIMELINE
► December 2010
► February 2011
► March 2011 (changed 3 times!)
► April 2011
► July 2011
► September 2011
► December 2011
► February 2012
► May 2012
► June 2012
► October 2012
41. HISTORY OF REVISION RELEASES
Version Release
1.0 August 2010
1.0.2 November 2010
1.1.0 June 2011
1.2.0 November 2011
1.2.1 December 2011
1.2.2 February 2012
1.2.3 March 2012
1.2.4 July 2012
2.0 September 2012
45. ► New rates:
► Rent on our server:
► Day rental - $50 (traffic limit 50k hits)
► Week rental - $200 (traffic limit 70k hits a day)
► Month rental - $500 (traffic limit 70k hits a day); if needed, the traffic limit
can be raised for an additional fee
► The license for your server:
► License for 3 months $700
► The license for six months $1,000
► License for 1 year $1500
► Multidomain bundle version
► $200 one-time fee for the duration of the license (not bound to a domain or
IP)
► Change of the domain on the standard bundle version - $20
BUY 2 GET ONE FREE!
47. ► New features:
► Updated admin tools
► Short-term URLs - random-domain generation feature
► a dynamic URL that is valid for only a few seconds and for a single victim
at a time
► Software Version - determines which versions of Java or Acrobat Reader are
running on the client
► useful for evaluating the quality of traffic and for monitoring which
plugin versions are actually present
► Prevent direct download of executable payloads
► Only load exploit contents when the client is considered vulnerable
► if the plugin is not vulnerable, no exploit is served, so the exploit code
does not end up in AV detection loops
ALL NEW FEATURES
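The landing-page logic on slide 6 (fingerprint the client, then load only the exploits it is vulnerable to) and the 2.0 "Software Version" gating above come down to the same decision: compare reported plugin versions against per-exploit vulnerable ranges and emit nothing when none match. The following is an added example of that decision written for Node, not code from the Blackhole kit or from the PluginDetect library; the exploit ids, version ranges and the sample fingerprint are constructed placeholders.

```javascript
// Added example (not Blackhole code): exploit selection by plugin version.
// Exploit ids and version ranges are constructed placeholders, not the kit's
// real catalogue.

// Split "1.6.0_31", "9.4.0" or "11.3.300.257" into integer components so that
// "1.6.0_9" sorts below "1.6.0_31" (a plain string compare gets this wrong).
function parseVersion(str) {
  return String(str).split(/[._]/).map((part) => parseInt(part, 10) || 0);
}

// Component-wise comparison; returns -1, 0 or 1. Missing components count as 0.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  const n = Math.max(va.length, vb.length);
  for (let i = 0; i < n; i++) {
    const x = va[i] || 0;
    const y = vb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Hypothetical catalogue: the plugin each exploit needs and the inclusive
// version range it is believed to work against.
const CATALOG = [
  { id: 'java-1', plugin: 'java',   min: '1.6.0_0', max: '1.6.0_32' },
  { id: 'java-2', plugin: 'java',   min: '1.7.0_0', max: '1.7.0_06' },
  { id: 'pdf-1',  plugin: 'reader', min: '8.0.0',   max: '9.3.4' },
];

function isVulnerable(entry, version) {
  return compareVersions(version, entry.min) >= 0 &&
         compareVersions(version, entry.max) <= 0;
}

// fingerprint is what the client-side version check reports, e.g.
// { java: '1.6.0_31', reader: '9.4.0' }. A plugin that is absent or outside
// every range yields nothing, so no exploit content reaches a non-vulnerable
// client (the 2.0 "only load when vulnerable" behaviour).
function selectExploits(fingerprint, catalog = CATALOG) {
  return catalog
    .filter((e) => fingerprint[e.plugin] && isVulnerable(e, fingerprint[e.plugin]))
    .map((e) => e.id);
}

// Constructed sample client: old Java, patched Reader.
const sample = { java: '1.6.0_31', reader: '9.4.0' };
console.log(selectExploits(sample)); // prints [ 'java-1' ]
```

The numeric version compare is the part worth getting right: a lexical compare would treat Java update 9 as newer than update 31 and either skip a vulnerable client or, worse for the kit's detection footprint, serve an exploit to a patched one.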
► Drop use of the PluginDetect library
► Remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC)
► Update machine stats to include Windows 8 and mobile devices, in order to see
how much of your traffic is mobile; mobile traffic can be redirected to the
appropriate affiliate
MORE!
49. ► Improvements include several things designed to make it
harder for researchers to harvest content from the exploit
sites:
► Change from predictable url structure (filenames and querystring
parameter names)
► Improved checking of referrer
► Ban unnecessary referrers
► Block bots
► Block TOR traffic
IMPROVED EVASION
52. OBFUSCATION - IP RECORDING
► Making a better Blackhole
► Default IP block list containing Tor nodes and research IPs
► Record mode: the kit continues to collect visiting IPs after the campaign has
ended, on the assumption that the remaining traffic is exclusively researchers,
reversers and bots, presumably so they can be added to the block list
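The back-end options on slide 31 (serve each IP once, IP and referrer blacklists, imported ranges), the 2.0 evasion changes (referrer checking, bot and Tor blocking) and the record mode above all sit in one request-gating decision in front of the landing page. The following is an added example of that decision written for Node, not the kit's PHP code; the IP ranges, referrer fragments and user-agent fragments are constructed, and feeding recorded IPs into the block list is the presumed purpose of record mode rather than something the slides state outright.

```javascript
// Added example (not Blackhole code): request gating of the kind the slides
// attribute to the kit's back end. Lists below are constructed; "record mode"
// presumes collected IPs go onto the block list.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + parseInt(octet, 10), 0);
}

// True when ip falls inside a CIDR block such as "203.0.113.0/24".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = parseInt(bitsStr, 10);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

class TrafficGate {
  constructor(opts = {}) {
    this.blockedIps = new Set(opts.blockedIps || []);     // default list: Tor exits, research IPs
    this.blockedRanges = opts.blockedRanges || [];         // imported blacklisted ranges
    this.blockedReferrers = opts.blockedReferrers || [];   // referrer fragments to ban
    this.botAgents = opts.botAgents || [];                 // crawler user-agent fragments
    this.requireReferrer = Boolean(opts.requireReferrer);  // one reading of "improved referrer checking"
    this.served = new Set();                               // serve each IP only once
    this.recordMode = false;
  }

  // Campaign over: every later visitor is presumed to be a researcher.
  endCampaign() { this.recordMode = true; }

  decide({ ip, referrer = '', userAgent = '' }) {
    if (this.recordMode) { this.blockedIps.add(ip); return 'recorded'; }
    if (this.blockedIps.has(ip)) return 'blocked-ip';
    if (this.blockedRanges.some((c) => inCidr(ip, c))) return 'blocked-range';
    const ua = userAgent.toLowerCase();
    if (this.botAgents.some((s) => ua.includes(s))) return 'blocked-bot';
    if ((this.requireReferrer && referrer === '') ||
        this.blockedReferrers.some((s) => referrer.includes(s))) return 'blocked-referrer';
    if (this.served.has(ip)) return 'already-served';
    this.served.add(ip);
    return 'serve';
  }
}

// Constructed sample traffic using RFC 5737 documentation addresses.
function demoDecisions() {
  const gate = new TrafficGate({
    blockedIps: ['198.51.100.7'],
    blockedRanges: ['203.0.113.0/24'],
    blockedReferrers: ['virustotal', 'urlquery'],
    botAgents: ['googlebot', 'curl'],
    requireReferrer: true,
  });
  const fromSite = 'http://compromised.example/index.html';
  const browser = 'Mozilla/5.0 (Windows NT 6.1) Gecko';
  const out = [
    gate.decide({ ip: '192.0.2.10', referrer: fromSite, userAgent: browser }),    // serve
    gate.decide({ ip: '192.0.2.10', referrer: fromSite, userAgent: browser }),    // already-served
    gate.decide({ ip: '203.0.113.44', referrer: fromSite, userAgent: browser }),  // blocked-range
    gate.decide({ ip: '198.51.100.7', referrer: fromSite, userAgent: browser }),  // blocked-ip
    gate.decide({ ip: '192.0.2.11', referrer: '', userAgent: browser }),          // blocked-referrer (direct visit)
    gate.decide({ ip: '192.0.2.12', referrer: fromSite, userAgent: 'curl/7.29' }), // blocked-bot
  ];
  gate.endCampaign();
  out.push(gate.decide({ ip: '192.0.2.99', referrer: fromSite, userAgent: browser })); // recorded
  out.push(gate.blockedIps.has('192.0.2.99') ? 'now-blocked' : 'not-blocked');
  return out;
}

console.log(demoDecisions());
```

Read from the researcher's side, the one-hit-per-IP rule and the empty-referrer check explain why a second fetch of a harvested landing URL, or a fetch pasted directly into a browser, returns nothing while the first victim's visit did.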
53. ► The Java Runtime Environment 0-day vulnerability (CVE-2012-4681) was
actually first discovered in another kit (Gondad).
► Incorporated into Blackhole within a week.
COMES WITH A 0-DAY BONUS!
54. ► The Blackhole kit owners quickly incorporated the Java Runtime
Environment vulnerability CVE-2013-0422.
► It took them one day to do it.
COMES WITH A 0-DAY BONUS!
55. ► Remember the rental costs?
► Compare to (estimated) price of zero day:
COMES WITH A 0-DAY BONUS!
57. ► The future of Blackhole
► Ongoing updates to obfuscation
► Zero Day integration
► Two in three months time
► From POC
► Purchased from market
► Evolution of premium kits
GRAVITATIONAL COLLAPSE
We are setting aside a $100K budget to purchase browser and browser plug-in
vulnerabilities, which are going to be used exclusively by us, without being released to
public (not counting the situations, when a vulnerability is made public not because of
us).
Not only do we purchase weaponized (ready) exploits, but also their descriptions and
proof of concepts (with subsequent joint work with our specialists).
58. ► Is Cool the next Blackhole?
► Same developer?
ABSOLUTE ZERO
► Exploits listed for both Blackhole and Cool: CVE-2011-3402, CVE-2012-5076
Paunch acknowledged being
responsible for the Cool kit, and
said his new exploit framework
costs a whopping $10,000 a
month. – Krebs on Security, Brian
Krebs
59. CIRCLE THEN MERGE
► From Redkit to CritXpack, success in the
underground markets seems to be spawning the
opportunity for others to create their own kits.
61. ► Most prevalent threats to desktop environments are mass
attacks, typically over the web
► Attacks such as exploit kits occur all the time and typically use old
exploits with success!
► Windows is most targeted platform due to popularity
► The growth of mobile devices will make mass mobile attacks
a natural progression
► The multiple versions of Android in the market are a larger attack surface
for old vulnerabilities!
► Rooted devices may not need privilege escalation
MASS MOBILE COMPROMISES