Update: This article has been updated for clarity.
The internet’s biggest advantage and its greatest disadvantage is its ability to spread information quickly. Most of the time, the information shared is beneficial, however criminals use that same instant spread of information to pass hacking tools. The Blackhole exploit kit is such a resource, and it’s a hacker’s paradise. Sophos has called it “the world’s most popular and notorious malware exploit kit” and reports it accounts for 28% of all web threats.
We in the industry need to pay attention because the United States hosts the largest amount of Blackhole exploits in the world. That means your users are more likely to visit a website and become infected without knowing which may allow a hacker to access your most vital data. It’s critical that you understand the various attack methods someone can use to exploit vulnerabilities when coworkers surf the internet with your computers, and Blackhole is currently the most prevalent and most successful.
What Is The Blackhole Exploit Kit?
The kit is a collection of browser exploits that take advantage of your browser’s vulnerabilities to infect your computer with malware. By landing on an infected website or clicking on an infected link through an email, a Trojan horse is executed. The components used to exploit you are Java, Flash, and PDF content.
First released in 2010 and updated earlier this year, it was created by a known Russian hacker who goes by the name of HodLum. In a unique twist to a common trend, instead of selling the tools, the creators of Blackhole mostly license it through what they call “malware-as-a-service.” After being vetted through the underground hacking community, you may rent the kit on your servicer for one week for $200.
Unlike other kits, Blackhole’s notoriety is not only in its abilities to compromise your computer, but in the ways it protects itself. To begin with, the rental business model makes it difficult for antivirus companies to defend against it as it isn’t found in a single public location. The kit also uses a polymorphic code that is constantly regenerated. This makes it hard for antivirus software to keep up with it. In version 2.0, the creators have gone to even more trouble to obscure it. First, the new addition allows hackers to keep an IP blacklist. This allows users of Blackhole to keep track of anyone visiting an infected URL hosting the binary. Secondly, users can now create their own URLs instead of relying on standard ones. This makes it extremely difficult to identify the kit.
Defend Yourself
This threat is very dangerous and almost invisible to common users. However, there are two cybersecurity ways to defend your agency:
- Blackhole exploits older versions of browsers and plugins like Flash and Java so keep your plugins and browsers up to date.
- Install antivirus software that delivers host-based intrusion prevention system. Symantec offers such a product. Visit its Critical System Protection site for additional information and an informative video.