According to research from Symantec and Sophos, the Blackhole exploit kit has been upgraded with some new features recently. The latest revision includes a payload that targets an unpatched vulnerability in Microsoft XML Core Services , and new JavaScript that addresses propagation issues. Unfortunately, the changes prove once again that the criminal economy online is alive and well.
Blackhole is just one of the many crime kits available on the Web. Cybercriminals using it will typically compromise a legitimate site, usually one that is running outdated version of WordPress or osCommerce for example, and wait for visitors to arrive for their delivered infection. The kit itself targets vulnerabilities in common third-party software, such as Java, Adobe’s Reader or Flash, and Microsoft’s Internet Explorer.
“When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a users system,” Symantec explains.
However, recent versions of the kit have patched a known flaw, which often left a potential victim safe from harm if the criminal running a Blackhole domain got lazy or was clueless.
“If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain,” Symantec added.
Moreover, the kit’s recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft’s XML Core Services, which remains unpatched. However, Microsoft has released a FixIt tool that will help mitigate the vulnerability.
If there is any positive light to place on these developments, it is that the newest exploit and upgraded JavaScript are only deployed in limited cases. Yet, this has led to speculation that the changes are part of a larger upgrade test, so their limited availability may have a shot shelf life in its own right.
Related Feature: Black Hole Exploit – A Business Savvy Cyber Gang Driving a Massive Wave of Fraud
