Trend Micro details some of the changes made to the notorious exploit kit

Feb 12, 2013 20:21 GMT

In January, Trend Micro experts detailed the most significant differences between the older and the newer versions of the notorious BlackHole exploit kit.

One noteworthy finding is that BlackHole 2.0 doesn’t use the 8-character-long random strings for URLs. Instead, the latest spam campaigns use four different types of URLs.

First, there are WordPress URLs, which point to an HTML file stored in a website’s “wp-content” directory (the directory where WordPress themes live). However, experts warn that WordPress themes are not HTML files, so when users see such URLs, they should immediately suspect that something is off.

The second type of URL uses a dictionary word as the directory name. Such links look something like this: {compromised site}/{dictionary word}/index.html.

This is similar to the earlier formats, but because a dictionary name is used instead of a random string, it’s more difficult for a user to establish if the link is legitimate or not.

Other links used in BlackHole spam runs use dictionary words for the file name: {compromised site}/{dictionary word}.html.

The fourth type of “URL” used by cybercriminals is not actually a URL at all. In certain cases, the attacker attaches an HTML file to the spam email; when it’s opened, the file redirects the victim to the exploit kit.
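As an added example (my own code, not Trend Micro’s or from the article), the following Python flags proxy-log URLs that match the three URL shapes described above, plus the older 8-character random-string directory form. The word list, the log lines and the function names are constructed stand-ins; the HTML-attachment case cannot be caught from URLs and is left out.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY = {"invoice", "report", "document", "payment", "statement", "order"}
# Older BlackHole landing pages used an 8-character random string as the directory name.
OLD_RANDOM_DIR = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)

def classify_url(url: str) -> Optional[str]:
    """Return which BlackHole-style landing-page shape a URL matches, or None.

    wordpress:  an .html file under wp-content/ (themes are PHP/CSS, not HTML)
    dict_dir:   {site}/{dictionary word}/index.html
    dict_file:  {site}/{dictionary word}.html
    random_dir: the older {site}/{8 random chars}/... form (HTML attachments are out of scope)
    """
    parts = [p for p in urlparse(url).path.split("/") if p]
    if not parts:
        return None
    lower = [p.lower() for p in parts]
    last = lower[-1]
    if "wp-content" in lower[:-1] and last.endswith(".html"):
        return "wordpress"
    if len(parts) == 2 and last == "index.html" and lower[0] in DICTIONARY:
        return "dict_dir"
    if len(parts) == 1 and last.endswith(".html") and last[:-5] in DICTIONARY:
        return "dict_file"
    if len(parts) >= 2 and OLD_RANDOM_DIR.match(parts[0]) and lower[0] not in DICTIONARY:
        return "random_dir"
    return None

def flag_proxy_log(lines):
    """Return (url, shape) pairs for every URL in the log lines that matches a shape."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            shape = classify_url(url)
            if shape:
                hits.append((url, shape))
    return hits

# Constructed proxy log lines; example.com stands in for a compromised site.
SAMPLE_LOG = [
    "2013-02-12T10:01:03Z 10.0.0.5 GET http://example.com/wp-content/themes/twenty/index.html",
    "2013-02-12T10:01:09Z 10.0.0.6 GET http://example.com/invoice/index.html",
    "2013-02-12T10:02:11Z 10.0.0.7 GET http://example.com/report.html",
    "2013-02-12T10:03:40Z 10.0.0.8 GET http://example.com/a8f3k2q9/index.html",
    "2013-02-12T10:04:02Z 10.0.0.9 GET http://example.com/wp-content/themes/twenty/style.css",
]
```

The dictionary-word checks are only as good as the word list, so treat these hits as triage candidates to correlate with the sending domain’s age or reputation rather than as verdicts.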

For the redirection pages, cybercriminals usually turn to hacked websites or domains that they've registered for free. This tactic makes the campaign more effective because security solutions have a harder time identifying the threat when legitimate domains are used.

On the bright side, Trend Micro says that the free web hosting providers whose services are abused by cybercriminals are doing a decent job of taking down the malicious domains. Furthermore, experts have found that the number of abused sites has recently dropped significantly.