Tag Archives: phoenix

Crimeware Exploit Packs/Exploit Kits

I just wanted to put up a blog posting on some research I’ve been doing on exploit kits.  I have not seen or used these kits before, so this is all 2nd hand information, but I find the entire concept interesting.  Especially that there appears to be such a big market for them.

I will use the example of Blackhole, which appears to be the most prolific exploit kit.  Others include Nuclear Pack, Phoenix, and Cool.

Basics Steps of Getting Infected by an Exploit Kit

  1. A hacker compromises a legitimate website and injects bad code.  This bad code redirects users to a Blackhole page.  Another way could be through e-mail; you get SPAM, click on a link, and you end up on a Blackhole page.
  2. The Blackhole page determines your plugins (by PluginDetect) to determine your OS and any out of date plugins.
  3. Depending on what you appear to be vulnerable to, you’ll be served a bad PDF, Java applet, or Flash file to exploit the vulnerability.
  4. Depending on the Blackhole customer’s preference, you’ll receive a payload of Zeus, Fake AV, or another malicious program.

Interesting Tidbits on Exploit Kits

  • These are sophisticated programs for generating revenue for the author.  It is not just a ragtag bit of programming.
  • You pay a fee to use the exploit kit.  They are rented, not purchased.  Blackhole costs $1500 per year, or the more sophisticated Cool (by the same guy as Blackhole) costs $10,000 per month.
  • Everything is obfuscated.  The Blackhole PHP source code (by ION), the Javascript served up, and I believe even the payloads change with regularity.  The domains seem to rotate quite often as well.  This makes it very hard to detect.
  • There is lots of “phone home” action that goes on.  Updates come down regularly.  You can even get a referral code to be paid as the spammer/hacker that got someone to the Blackhole page in the first place.
  • These kits seem to be mostly foreign.  Blackhole is Russian, and I believe much of the documentation is in Russian.

Some great references for exploit kits:

Very detailed analysis of Blackhole: http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-2/
Blackhole and Cool: http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
Example of new exploits found in exploit kits: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/