Trend Micro analyzes the evolution of the notorious exploit kit

Feb 1, 2013 21:11 GMT  ·  By

BlackHole Exploit Kit 2.0 has been out for quite some time now, but experts note that most of the improvements have been implemented to evade the efforts of security researchers.

“The changes to Blackhole spam runs were done largely to evade the efforts of various security researchers. As far as end users are concerned, the threat largely remained the same, as the spammed messages themselves still leveraged organizations and popular websites for its social engineering tactics,” Trend Micro experts explained.

“It is clear that the cybercriminals behind these attacks are aware of the efforts being made to shut them down, and are responding to try and evade these efforts via the inclusion of new features and upgrades in Blackhole Exploit Kit.”

More precisely, BlackHole 2.0 no longer uses the 8-character-long random strings in its URLs. Those strings helped researchers track the websites connected to particular spam campaigns.

The fact that BlackHole 2.0 uses a different infection chain for each web browser also complicates the experts' work, because there are more test cases to cover.

Another difference compared to BlackHole 1.x is that there are now more spam runs, but each of them is smaller. The overall volume of spam thus remains the same, while the scope of each individual attack decreases.

Trend Micro believes that this, along with the different browser infection chains, might represent an attempt to lower the profile of cyberattacks.

An interesting evasion tactic, deployed for a short while by the attackers, was to change landing page domains very rapidly. This made it very difficult for security researchers and vendors to keep track of an attack.

However, it also made things more difficult for the attackers themselves, so the cybercriminals have since dropped this tactic.