Security Experts:

Connect with us

Hi, what are you looking for?



Black Hole Dominates on the Web

Last week, Microsoft released the latest Microsoft Security Intelligence Report (SIR), which provided some interesting empirical insight into malware and how it is distributed on the Internet.

Last week, Microsoft released the latest Microsoft Security Intelligence Report (SIR), which provided some interesting empirical insight into malware and how it is distributed on the Internet. The headline of the SIR focused on the strong correlation between malware and downloads of software, music, and movies. That finding shouldn’t come as much of surprise to those in the security field, as unlicensed content and cracked software has been a mainstay of malware for years.

What was a bit more interesting was the data showing the broad impact of the Black Hole exploit kit in terms of its role in the delivery of threats. Black Hole is a very popular exploit kit that an attacker can use to build a malicious web page capable of infecting users who visit the page. Once the user is exploited, malware is delivered to the infected user as a drive-by-download. This scheme is the classic example of the inter-relationship between exploits and the spread of malware. Exploits soften up the target, which is then infected with malware, and all of it happens in real-time over a web connection.

Of course, this kit and technique are exceedingly well known in the industry, but it was interesting to see just how quickly it has become one of the dominant forces in the delivery of exploits and malware.

The impact of Black Hole can be tracked using a variety of metrics in the SIR. First, the Microsoft analysis indicates Black Hole as being one of the leading sources of exploits observed by end-user machines. Figure 9 (below) from the report shows a massive increase in the number of HTML/JavaScript over the past year, which was “primarily driven by the continued prevalence of Blacole”. Of interest, Black Hole has become the leading source of end-user exploits, and without an obvious drop in other categories. In short, these are additional new exploits in the wild.

Different Types of Exploits

Microsoft Security Intelligence Report Volume 13

In addition to leading the charge in exploits, Black Hole was a leading source of malware infections as well. The Microsoft analysis used a set of six tracking files to identify user machines that had participated in the insecure download of movies, music and applications. When the researchers analyzed these users it was found that Black Hole was one of the leading malicious sources of additional malware infection, second only to Win32/Autorun worms.

This analysis provides some hard numbers to support what many in the industry have observed over the past few years. Namely that the life of exploits and malware are increasingly inter-related, and that the web is increasingly the vector of choice for delivering malware. This underscores the need to extend malware controls to any and all networked applications, and not just email.

Secondly, this supports the notion that IT teams need to incorporate this information into how employees are trained. Many employees are trained on the basics of how to identify phishing attempts, and not to open untrusted attachments. However, in the case of Black Hole, the user likely will never see a file at all. They will simply visit a page and the exploit and resulting malware download will happen in the background. While network-based IPS, anti-malware and drive-by-download protection should be used as security controls, employees also need to know that there are direct consequences to even visiting high-risk websites, such as sites that provide free downloads of media and applications.

Ultimately, the shift of malware to the web requires us to update our thinking both as users and security architects. The data shows that the change is already well underway, and now it is up to us in the industry to make sure users are protected.

Related: Black Hole Exploit Kit Gets an Upgrade

Related: Oracle Java Vulnerability Exploit Rolled into BlackHole Kit

Related: Cryptome Hit by Blackhole Exploit Kit

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.