Sophos said:
Yesterday there were reports of an announcement that a new version (v2.x no less) of Blackhole exploit kit is on its way.

Blackhole is arguably the most successful exploit kit we have seen over the past couple of years, and we have described it in detail before (v1.x). The opening paragraph sets out what appears to be the main aim of the new version - improve how well they evade security measures:

Are pleased to welcome you to a brand new version of the bundle of exploits. For more than 2 years of existence of our project, the old engine arrival and ligaments badly worn, AV companies have become very quick to recognize that this kind of criteria BlackHole and flag it as malware.

Further down in the announcement are several interesting claims, some of which are summarised below:

  • prevent direct download of executable payloads
  • only load exploit contents when client is considered vulnerable
  • drop use of PluginDetect library (performance justification)
  • remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC)
  • change from predictable url structure (filenames and querystring parameter names)

Read more: http://nakedsecurity.sophos.com/2012/09/13/new-version-of-blackhole-exploit-kit/