Sophos Labs Principal Researcher Gabor Szappanos has released an interesting technical paper that details the notorious BlackHole exploit kit.
BlackHole has been around for quite some time now, and judging by the fact that we keep seeing new versions, it’s unlikely that cybercriminals will stop using it to distribute malware anytime soon.
The paper details the evolution of BlackHole, its source code, the control panel, encryption and its origins.
According to the researcher, there’s a lot of evidence to support the theory that the exploit kit was developed in Russia.
The default time zone of the installation is hardcoded to Europe/Moscow, the default user interface language is set to Russian, and the date format is set to little-endian, which differs from the one used in the US or China.
Furthermore, the English user interface text is less correct than the text in the Russian interface.
The complete technical paper is available here.