Security Experts:

Connect with us

Hi, what are you looking for?



Inside the Blackhole: Exploit Kit Adds Java Vulnerability

The minds behind the Blackhole exploit toolkit have updated it with an exploit targeting a recently patched vulnerability in Java.

The minds behind the Blackhole exploit toolkit have updated it with an exploit targeting a recently patched vulnerability in Java.

According to reports, CVE-2012-1723, which was patched by Oracle in June, has now been added into the mix.  The update is yet another move in the evolution in the kit, which last month added the ability to use pseudo-random domain generation to make campaigns more resilient.

Since its emergence in late 2010, the kit’s makers have made a living off a mix of Adobe Flash Player, Java and Windows vulnerabilities. Today, Blackhole is perhaps the most popular toolkit on the cyber-underground, accounting for nearly 40 percent of all toolkits detected on the Web by security firm AVG Technologies in the first quarter of 2012.

Black Hole Exploit “Blackhole is most likely popular due to the ease of upgrading the kit,” said Larry Bridwell, AVG’s Global security strategist. “It’s the most actively developed of the current exploit kits and has ‘won the day’ for that market.  The author’s willingness to step away from standard zero-day or recently patched exploits and try other vulnerabilities like the more recent Java ones has made the success rate much higher than other similar kits.  Also, the rapid update capabilities of the kit have made it very difficult for AV (antivirus) vendors to match.”

According to security researchers, prices for the kit range from as little as $1,000 to as much as $4,000. Just recently, Jason Jones, Advanced Security Intelligence Team Lead for Hewlett Packard’s TippingPoint DVLabs, said he saw an offer to rent the kit for $50 a week and $150 a month on Pastebin.

“Blackhole has some decent marketing, but two things stand out for its popularity,” he said. “The first is the availability of an older version for free around the middle of last year which let people see it in action before choosing to pay for the newer releases with more vulnerabilities – we started seeing an increase in number of Blackhole samples collected not long after that. The second is that it has some good JavaScript obfuscation to help bypass security protections that are attempting to detect the malicious payloads used to launch the attacks.

Kits like Blackhole – in addition to for-sale botnet software like Zeus and SpyEye – have reduced the barrier of entry for cybercriminals, he added.

“The exploit kits make it easier to compromise a large number of users and the botnet software allows for management / control of the compromised hosts,” he said.

Attackers are aided by slow patch deployment by users. In March, vulnerability management firm Rapid7 estimated – based on statistics mostly from their customers – that a Java patch is deployed by less than 10 percent of users within a month of being released. After two months, the number increases to roughly 20 percent.

“There aren’t any toolkits that are particularly known for being equipped with a lot of zero-day exploits,” said Liam O Murchu, manager of operations for Symantec Security Response. “The reality is that most kits typically contain only recently patched vulnerabilities. These are more than sufficient, though, as there are plenty of systems out there that do not get regularly patched.”


Related InsightBlackHole Exploit – A Savvy Cyber Gang Driving a Massive Wave of Fraud

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...