Blackhole Exploit Kit Makes a Comeback

Written By Robert Lemos
Nov 20, 2015

The once-popular Blackhole exploit kit has returned, attempting to infect systems using old exploits while also showing signs of active development, according to researchers with security firm Malwarebytes.

Over the weekend, Malwarebytes detected attacks that used older exploits for Oracle’s Java and Adobe’s Acrobat, yet attempted to deliver recently compiled malware. When Malwarebytes investigated, it found behind the attacks a poorly secured server with Blackhole installed on it.

The return of Blackhole suggests that cyber-criminals may be reusing the code, which was leaked in 2011, Jérôme Segura, senior security researcher for Malwarebytes Labs, told eWEEK.

“Blackhole was well-written, and we have seen in the past, like with Zeus, that a lot of criminals do not reinvent the wheel,” he said. “They will use older infrastructure and build on top of it.”

Exploit kits are software programs used by cyber-criminals to infect victims and install malicious software. They are a basic building block for creating botnets and infecting users’ systems to steal information.

The code for both the Zeus cyber-crime kit and the Blackhole exploit kit was released in 2011, within weeks of each other. Publicly released attack code can help criminals by giving them a common software platform on top of which to innovate. The release of the code for the Zeus banking Trojan, for example, led to the release of a large number of modules that helped cyber-criminals more easily launch advanced campaigns.

In October 2013, Russian authorities arrested the alleged author of the Blackhole exploit kit, and soon after a service that provided updates to the malware shut down.

While some criminals continued to use the software, the lack of new exploits meant that its effectiveness quickly declined as security and software firms caught up with the code and users installed patches.

“We saw that, after the author got arrested, there were still customers who tried to keep using it, but the exploits got stale because they were no longer being updated,” Segura said.

The return of the Blackhole exploit kit, installed on a server in the Netherlands, is a mystery. Portions of the program are being modified, but the current operation continues to use the same exploits, now ancient by Internet standards.

At first, Malwarebytes’ researchers thought the attack may have been a prank, Segura said. Yet, a successful compromise delivered up-to-date malware that did not have recent detections on services such as VirusTotal.

Other possible explanations exist, he said.

“It may be a trap designed to track down honeypots, which typically have lowered security settings and would not get updated as often as consumer machines,” he said. “If that were the case, their goal would be to identify security crawlers and scanners and add them to a blacklist.”

It’s unclear whether this is the rebirth of Blackhole, or a last hurrah before it disappears for good.
