MalwareIntelligence is a site dedicated to research on anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

30.9.10

Black Hole Exploits Kit. Another crimeware added to the criminal supply

The crimeware industry keeps growing: newly developed and marketed packages of pre-compiled exploits add to the range of options available for criminal activity over the Internet.

This time it is Black Hole Exploits Kit, a web application developed in Russia that also ships with an English-language interface. Its first version (still a beta) has been trying to find its place in the black market since early September 2010. Its price is set on the basis of a number of features intended to set it apart from the rest.

Black Hole Exploits Kit statistics module
This module gives the botmaster a quick view of the information that matters most: the number of computers in the network and their countries, the exploits with the highest success rates, and other summary data.

Unlike many other crimeware of this kind, Black Hole Exploits Kit uses a time-based licensing scheme. A one-year licence (currently the maximum term) costs $1,500, while six-month and three-month licences cost $1,000 and $700 respectively.

Statistics on the affected operating systems
The trend shows a slight but steady increase in compromised operating systems outside the Microsoft family. In this crimeware that covers *NIX-based platforms such as GNU/Linux and Mac OS; others, such as Siberia Exploit Pack and Eleonore Exploits Kit, also track high-end mobile devices and gaming consoles.

There is also a $50 charge for the optional encryption (crypter) system. This kind of add-on is typical of the "extra" services crimeware developers offer, such as the ability to check whether the malware spread through the kit is detected by antivirus engines (AVChecker).

For this check the service most often used is VirTest, a private service of Russian origin that has become a favourite among criminals for monitoring the detection status not only of the malware but also of the exploits the pack spreads. Several crimeware packages have recently integrated a VirTest module, including the latest version of SpyEye.

As for the exploits, all of those it currently bundles are public and widely used by most present-day crimeware. Even so, they are the exploits with the highest rate of successful exploitation.

Exploit statistics
This module displays statistics on the success rate of each exploit bundled with the crimeware.

Black Hole Exploits Kit includes a TDS (Traffic Direction Script), which removes the need for a separate web application to redirect and manipulate web traffic at will; this feature will probably catch the attention of criminals.

It also has a self-defence module through which access to certain security websites can be blocked by URL or by IP address range. In the next image it is configured to block access to Kaspersky Antivirus websites:

Self-defence module
This module can also import or export a list of addresses to block.

Black Hole Exploits Kit thus joins the portfolio of offerings, and a little over a month after its launch in underground circles it has shown no In-the-Wild activity, perhaps because of its initial cost. Security professionals should nevertheless pay close attention to this crimeware, since its features and price (which will probably drop slightly in the next version) are likely to be well received in the criminal community and therefore in demand among offenders.

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

23 comments:

Anonymous said...

Re this Exploit Blackhole Exploit Kit (type 1889): I have had AVG AntiVirus stop two different file names: one - cvi2.co.cc/index.php?tp=AE63b0732f49eaa2 and two - fj42.co.cc/index.php?tp=993b80a2f5976635. Both were stopped on two different websites. The first one was stopped when I was downloading from "somud", the second while I was reading news on a Yahoo page. A search of the files in my PC showed nothing, but AVG did put both of them into quarantine, where I left them. Very little info about this on the net. I continue to run malware software very frequently.

Anonymous said...

I am looking for that as well. My AVG just blocked the same thing... so far all I can find is that it does hijack your system and was developed in Russia. Searching on AVG you find nothing... I'm going to FB AVG and see if I can get an answer. May I suggest that you do the same. Good luck.

Anonymous said...

Well, I suggest everyone look out. Just got it too.

Anonymous said...

Just received message that my AVG blocked one of these viruses. Well done AVG, but how long will it last?

Anonymous said...

Got it on FB too... are you supposed to download a fix?

Anonymous said...

I just got Exploit Black Hole Exploit Kit (type 1889) blocked too by AVG while reading Hotmail. What does this thing do!!!!

Anonymous said...

I was trying to access one of my OWN files which I have uploaded to MediaFire.com when I got this AVG message about "Exploit Blackhole Exploit Kit (1889)". I also noticed I had a pop-up in the background from My-Quickpay.com. I suspect THIS is the culprit in my case.

Anonymous said...

It's happened twice to my computer... first time a couple of days ago and then again today. AVG locked up everything and blocked it. Both times I was in Hotmail. Both times it said "..... (type 1384)". But then when I clicked on "further information" and went to AVG's site I got no info. Their early suggestions on their warning didn't produce any search results. And somewhere in their various warnings the type changed to "Type 1889"... I think. For now AVG seems to be blocking this... and a full scan found nothing. I'll also run a full scan with my firewall and then MS Defender.

Anonymous said...

OK, It just happened again. That makes the third time (I have the post above from 3/7)
I copied the AVG Threat Warning:

"Danger: AVG Active Surf-Shield has detected active threats on this page and has blocked access for your protection.
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: vfg2.co.cc/index.php?tp=99e7406f9ea3a77f
Name: Blackhole Exploit Kit (type 1384)"

I've run several full AVG scans and nothing turns up. Plus I've run full scans with Windows Defender, Malwarebytes, and Outpost Firewall. All came up clean and my system seems to run fine, so I believe AVG's blocking worked. I'm posting this for everyone's information and perhaps it will help someone eradicate this threat.
All 3 times I was on Hotmail's site. This time I had just sent a rather long email. I was no longer composing or in any specific file... just on a general page after sending. I think the same thing was the case the previous two times.

Anonymous said...

The panel access is in vfg2.co.cc/adm.php

Karen said...

I just got the same thing today while in Hotmail. AVG said it was blocked, and I can't find it anywhere in my hard drive, but it also doesn't show up in the virus vault on AVG. So, how can you find out if you're infected or not?

Anonymous said...

Same messages. As soon as I start a browser my system is hijacked by local and network services that run off to seemingly random mundane consumerist pages, leaving loads of tracker cookies and clutter, pages of garbage left behind. It shows itself under the Processes tab in Task Manager by way of a hyper svchost.exe file. Ending the process from here frees up the resources and it goes dormant for a time. I will be wiping my drives immediately as I believe it is writing itself around and I think I should kill this now. The browser was also opening randomly to a Facebook-ish page with a Facebook disclaimer.

Anonymous said...

I've got it with Somud, 1889 Blackhole, and it's blocked, and with a scan nothing... but the question remains: how to get rid of it?

Jonathan said...

24-03-11

3 things have happened in the last 24 hours: - had a phone call from abroad claiming to be a Microsoft-approved company and trying to get me to open TeamViewer to help sort out an infection on my computer that had been detected (I didn't);
Whenever I am on the Google homepage and press enter it goes to a "blank page"; ran AVG, SpyBot, Malwarebytes - nothing found; just had an AVG alert saying a threat was blocked when I tried to access Spotify - "Exploit Black hole Exploit Kit (type 1889)". What's going on please?

Anonymous said...

Just had three of these come up myself, from "apotek-keluarga.com" - three different pages of whatever this site is. Exploit Blackhole Exploit Kit (type 1380). No idea what it was, I was on YouTube at the time.

Anonymous said...

I had AVG stop two ... M23m.in/index.php?tp
64.247.180.8/Home/in

Anonymous said...

It's people that work at Google!

Anonymous said...

I had a similar condition while browsing in IE 8. AVG Pro reported
"mve4.co.cc/track.php?lp=80eabe9c8dc0fbbb
Exploit Blackhole Exploit Kit (type 1889)
Process name: C:\Windows\System32\svchost.exe
ID: 1872"
Virus scan did not find anything. Ad-Aware Free found nothing. Now, one day later, Windows XP will repeatedly cycle the restart but will not start; even in safe mode it continues to cycle the restart until I power off. Stuck for now on restart.
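Several commenters above quote the URL AVG blocked, and every one has the same shape: a throwaway co.cc host, a bare script name (index.php or track.php) and a single parameter (tp or lp) carrying a 16-hex-digit token. The following script is an added example, not code from the original post or from the kit; it turns that observation into a detection run over a constructed proxy log. The log format ("timestamp client method url status"), the client addresses and the timestamps are invented for the example; the hosts and tokens are copied from the comments on this page, and the co.cc suffix is treated only as corroboration because plenty of harmless sites used that free-subdomain provider.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# URL shape common to every AVG detection quoted in the comments above:
#   http://<host>/index.php?tp=<16 hex digits>
#   http://<host>/track.php?lp=<16 hex digits>
LANDING_PATH_RE = re.compile(r"^/(?:index|track)\.php$", re.IGNORECASE)
TOKEN_RE = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)
SUSPECT_PARAMS = {"tp", "lp"}
# Free-subdomain provider used by every host the commenters report (corroborating signal only).
THROWAWAY_SUFFIXES = (".co.cc",)

# Constructed proxy log: "<unix ts> <client ip> <method> <url> <status>".
# Hosts and parameter values come from the comments on this page; the client
# addresses, timestamps and the benign lines are invented for the example.
CONSTRUCTED_LOG = """\
1301234567.123 10.0.0.15 GET http://mail.live.com/default.aspx 200
1301234568.456 10.0.0.15 GET http://cvi2.co.cc/index.php?tp=AE63b0732f49eaa2 200
1301234570.001 10.0.0.22 GET http://www.example.com/index.php?page=3 200
1301234571.789 10.0.0.15 GET http://mve4.co.cc/track.php?lp=80eabe9c8dc0fbbb 302
1301234572.000 10.0.0.31 GET http://fj42.co.cc/index.php?tp=993b80a2f5976635 200
1301234573.456 10.0.0.22 GET http://vfg2.co.cc/index.php?tp=99e7406f9ea3a77f 200
1301234574.000 10.0.0.40 GET http://cdn.example.net/index.php?tp=short 200
"""


def _normalize(url):
    """Proxy logs and AV alerts often omit the scheme; add one so urlsplit parses the host."""
    return url if "://" in url else "http://" + url


def inspect_url(url):
    """Return the reasons a URL looks like a Blackhole-style landing page (empty list = nothing suspicious)."""
    parts = urlsplit(_normalize(url))
    host = (parts.hostname or "").lower()
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    # Strong signal: the exact script/parameter/token shape, and nothing else in the query.
    if (LANDING_PATH_RE.match(parts.path)
            and len(params) == 1
            and params[0][0].lower() in SUSPECT_PARAMS
            and TOKEN_RE.match(params[0][1])):
        reasons.append("landing-page URL shape")
    # Weak signal: the free-subdomain provider seen in all the reported hosts.
    if host.endswith(THROWAWAY_SUFFIXES):
        reasons.append("throwaway co.cc host")
    return reasons


def scan_log(lines):
    """Return one hit per log line whose URL has the landing-page shape.

    The host signal alone is deliberately not enough to raise a hit; it is only
    carried along as corroboration for the analyst.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or empty line
        _ts, client, _method, url, _status = fields[:5]
        reasons = inspect_url(url)
        if "landing-page URL shape" in reasons:
            hits.append({
                "client": client,
                "host": urlsplit(_normalize(url)).hostname,
                "url": url,
                "reasons": reasons,
            })
    return hits


def clients_to_triage(lines):
    """Map each internal client that reached a landing page to the hosts it touched."""
    triage = {}
    for hit in scan_log(lines):
        triage.setdefault(hit["client"], set()).add(hit["host"])
    return triage


if __name__ == "__main__":
    for client, hosts in sorted(clients_to_triage(CONSTRUCTED_LOG.splitlines()).items()):
        print(client, "->", ", ".join(sorted(hosts)))
```

A hit on the landing-page URL does not mean the client was successfully exploited; as the commenters' clean scans show, the block may have worked. It does mean the browser was redirected to the kit, so the client is worth a look for what it downloaded immediately afterwards.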

Anonymous said...

http://docs.google.com/viewer?a=v&q=cache:j6Y3dmcv8F4J:www.f-secure.com/weblog/archives/The_Case_of_TDL3.pdf+TDL3&hl=nl&pid=bl&srcid=ADGEESgp00PXmgHwciOM-Vq9EaPYpTfDUtF4nogSG0swx10-R3uOzeZ1a54e6tbBqEY3AgmZvHifHBjk8TO6sDPUAlzU-ivgNBs4yEplH_wKe1uk85DEwbewd6ABqQ3eoLFVT9W0rWFE&sig=AHIEtbR_K4Rt7apPxmcsSPTF71nIewaLUw

Working of the virus...

Anonymous said...

I have a theory about the 'Blackhole' virus which AVG is supposedly blocking. I think that it is a form of malware posing as a respected antivirus software (in this case AVG).
I have to admit, it's pretty convincing, but as the REAL AVG programme and website have no information about 'black holes' I can only assume it's malware posing as AVG (just like other malware poses as the Windows antivirus software).
I'm currently running an anti-malware programme as I type this, then I'm going to do that Windows savepoint thing, where your computer goes back to a savepoint before you downloaded any harmful material. I always forget what it's called.
Good luck everyone with removing this thing, but I can only assume it's another malware.
-A

Anonymous said...

I was right. It IS a form of malware.
I recommend downloading or using a good anti-malware programme, then running 'system restore' and setting your computer back to an earlier checkpoint.
Worked like a charm for me and so far have had no more 'black hole' warnings or webpage redirections.
Best of luck getting rid of this everyone!
-A

Anonymous said...

Multiple people here in Holland got the same shit the past 4 days, is this a new breakout ? I'm trying to find where it's coming from since some of our company's systems are infected too.

Anonymous said...

Hi men, do you have some URLs? Maybe I can help you.
