Blackhole: Today’s malware market leader
A close inspection of Blackhole reveals just how sophisticated malware authors have become. Blackhole is now the world’s most popular and notorious malware exploit kit. It combines remarkable technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study. And, barring a takedown by law enforcement, security vendors and IT organizations are likely to be battling it for years to come.
An exploit kit is a pre-packaged software tool that can be used on a malicious web server to sneak malware onto your computers without you realizing it. By identifying and making use of vulnerabilities (bugs or security holes) in software running on your computer, an exploit kit can automatically pull off what’s called a drive-by install. This is where the content of a web page tricks software—such as your browser, PDF reader or other online content viewer—into downloading and running malware silently, without producing any of the warnings or dialogs you would usually expect. Like other exploit kits, Blackhole can be used to deliver a wide variety of payloads. Its authors profit by delivering payloads for others, and they have delivered everything from fake antivirus and ransomware to Zeus and the infamous TDSS and ZeroAccess rootkits. Blackhole can attack Windows, OS X, and Linux. It is an equal opportunity victimizer.
Between October 2011 and March 2012, nearly 30% of the threats detected by SophosLabs either came from Blackhole directly, or were redirects to Blackhole kits from compromised legitimate sites. Blackhole is distinguished not only by its success, but by its Software-as-a-Service rental model, similar to much of today’s cloud-based software. Weekly rental rates are specified (in Russian) right in the kit’s accompanying readme file, along with surcharges for additional domain services. Like legitimate vendors of rental software, Blackhole’s authors offer updates free for the life of the subscription.
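The redirects mentioned above are the piece of this chain a site owner can actually look for: a compromised legitimate page is typically altered to send visitors to the kit's landing page, commonly through an injected iframe that is sized to one pixel or hidden with CSS, or through a meta refresh pointing off-site. The scanner below is an added example written for this page, not code from the article or from SophosLabs; the attack hostname kit.example.net, the sample HTML and the choice of indicators (tiny or hidden iframes, off-site meta refresh) are assumptions, and the indicators are heuristics rather than a complete signature.

```python
"""Scan HTML for injected off-site redirects of the kind used to feed
visitors of a compromised site to an exploit kit landing page.

Added example, not from the original page. Hostnames and sample HTML
are constructed; the indicators are common patterns, not a full signature.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectFinder(HTMLParser):
    """Collect (indicator, url) pairs for suspicious off-site redirects."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # the host the page legitimately belongs to
        self.findings = []

    def _offsite(self, url):
        # Relative URLs have no hostname and are never off-site.
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            # Injected frames are commonly 0x0 or 1x1, or hidden via CSS.
            tiny = (a.get("width", "").strip() in ("0", "1")
                    or a.get("height", "").strip() in ("0", "1"))
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            if self._offsite(src) and (tiny or hidden):
                self.findings.append(("hidden-iframe", src))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://host/path"
            parts = a.get("content", "").split("url=", 1)
            if len(parts) == 2 and self._offsite(parts[1].strip()):
                self.findings.append(("meta-refresh", parts[1].strip()))


def find_redirects(html, site_host):
    """Return a list of (indicator, url) findings for the given HTML."""
    parser = RedirectFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate page with two injected frames and a
# meta refresh pointing at a hypothetical kit host; one visible same-site
# iframe is included to show it is not flagged.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://kit.example.net/landing">
<script src="/js/app.js"></script>
</head><body>
<p>Welcome to our site</p>
<iframe src="http://kit.example.net/landing" width="1" height="1" style="display:none"></iframe>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://kit.example.net/" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, url in find_redirects(SAMPLE_HTML, "www.example.com"):
        print(f"{kind}: {url}")
```

Run against a page you own, the site host is the one thing you must get right: a CDN or video host that legitimately serves content will otherwise show up as a finding, so in practice an allowlist of known third-party hosts sits in front of `_offsite`. Obfuscated JavaScript that writes the iframe at runtime will not be caught by a static parser like this; that requires rendering the page or inspecting the script itself.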
Customers who want to run their own Blackhole servers can purchase longer licences. But the version of the Blackhole kit that these customers receive is extensively obfuscated. This is one of several steps that Blackhole’s authors have taken to keep control over their product. We haven’t yet seen Blackhole spin-offs from unrelated authors, although the kit is aggressively updated and other authors are borrowing its techniques.