Blackhole 2.0 Exploited to Push Advertisements

The popular Blackhole Exploit Kit has gained a lot of media attention recently when its author announced the imminent release of version 2.0, boasting a list of  new interesting features. Recently we were very surprised when we found a website hosting what is supposed to be version 2.0 of the Blackhole Exploit Kit. Naturally, we started investigating and soon discovered that something about the website was not right.

Figure 1. The (suspicious) statistics page of the exploit kit

Looking at Figure 1, you can see a label at the bottom of the page clearly saying Blackhole v.2.0, but apart from this difference, the rest of the page looks very similar to the old version:

Figure 2. The statistics page of the old version of the exploit kit

The main content section of both pages is the same. However, at the top of the “new” version (Figure 1) there is a light blue table containing some Russian text in the area where the Blackhole menu should be. The text roughly translates to:

Advertising: [REMOVED] - service encryption iframe / javascript code.
Advertising: Dedicated servers in its own data center in Syria under any projects. Experience 6 + years in the market. Quality sounds! ;-)
Advertising: Unique service domain registration packs. Under any topic. Fast, comfortable, safe. [REMOVED]

It is now clear that this page is merely using the Blackhole 2.0 name as bait in an attempt to lure users into visiting the page and reading the advertisements. This method is not new; spammers often use names of famous people and products or the latest news events to try to lure users into reading their spam emails. However, it is quite unusual to see a popular exploit kit name used in this manner.

So what is being advertised? A service for registering domain names, one for server hosting, and another for encrypting JavaScript and iframes. Altogether these services could offer cybercriminals a complete infrastructure to be used for hosting cybercrime operations. In fact, the website advertising encryption and the one advertising domain registering are both well known for providing infrastructures aimed at "dirty ops."

Further indications of this Blackhole Exploit Kit 2.0 page being forged include:

  • The name of this page is bhstat.php, which is a known file name of the old version and is accessible without authentication.
  • No other known Blackhole PHP page seems to be present on that website.
  • The Exploits section (ЭКСПЛОИТЫ in the image) conveniently reports a Java pack, which was also mentioned in the description of version 2.0, published by the exploit pack author.

In conclusion, the page is not the new Blackhole Exploit Kit 2.0; it is a rehashed version of the current Blackhole Exploit Kit page, pretending to be the new one. The people behind this page do not have version 2.0, they more than likely have nothing to do with Blackhole and are only trying to advertise their services by exploiting a well-known name to gain attention. Their targets are clearly cybercriminals who would be interested in using an exploit kit and who would need an infrastructure for hosting it.

I wonder if the Blackhole author will file a copyright complaint!