Black Hole Exploits Kit: More Crimeware

Sunday, October 03, 2010

Jorge Mieres


The crimeware industry continues to grow through the development and marketing of new packages, and pre-compiled exploit kits add to the range of alternatives that facilitate criminal operations over the Internet.

In this case it is Black Hole Exploits Kit, a web application developed in Russia that also offers an English-language interface. Its first version (still a beta at the moment) has been trying to find a place in the black market since early September 2010.

Its price is based on a number of features intended to differentiate it from the rest.

[Image: Black Hole Exploits Kit statistical module]

This module offers a quick view of the information most relevant to a botmaster: the number of computers that are part of the network and their respective countries, the exploits with the highest success rates, and other processed information.

Unlike other crimeware of this style, Black Hole Exploits Kit uses a licensing system priced by duration. For example, purchasing this crimeware for 1 year (currently the maximum term) costs $1500, while semi-annual and quarterly licenses cost $1000 and $700 respectively.

[Image: Statistics on the affected operating systems]

The trend shows a gradual increase in compromised operating systems that do not belong to the Microsoft family: crimeware now also targets *NIX-based platforms such as GNU/Linux and Mac OS. Others, such as Siberia Exploit Pack and Eleonore Exploits Kit, include support for high-end mobile devices and gaming consoles.

The option of using the encryption system costs $50. This follows the pattern of "extra" services offered by the developers, like the ability to verify the detection status of the malware (AVChecker) spread through the crimeware.

To carry out this verification they often use VirTest, a private service of Russian origin that has become the favorite of criminals for checking the detection status of their malware, and also of the exploits spread through the pack. Several crimeware packages have recently integrated the VirTest module, including the latest version of SpyEye.

As for the exploits, the kit incorporates public ones that are widely used in current crimeware. Even so, these exploits have the highest rates of successful exploitation.

[Image: Exploit statistics]

Through this module the operator sees statistical data on the success of each of the exploits that are part of the crimeware.

Black Hole Exploits Kit includes a TDS (Traffic Direction Script) that makes it independent of other web applications and allows web traffic to be redirected arbitrarily; this feature will probably catch the attention of criminals.

It also has a self-defense module, a means of blocking access to certain security websites by URL or IP address range. In the next image it can be seen configured to block access to websites such as Kaspersky Antivirus:

[Image: Self-defense module]

Through this module the operator can also import or export a list of addresses to block.

Black Hole Exploits Kit joins a plethora of offerings, and in a little more than a month since its launch in underground environments there is still little In-the-Wild activity, perhaps due to its initial cost.

However, security professionals should pay special attention to this crimeware, as its characteristics and cost (which will probably decrease slightly in the next version) are likely to be well received within the criminal community and therefore in demand among offenders.

Cross-posted from MalwareIntelligence
