According to release announcement on Pastebin by unknown developers in a Russian-language BlackHole Exploit Kit 2.0 released with more latest Exploits. BlackHole is one of the most dominant exploit toolkits currently available in the underground market. It enables attackers to exploit security holes in order to install malicious software on victim's systems.
The new variant doesn’t rely on plugindetect to determine the Java version that’s installed, thus speeding up the malware download process. Old exploits that were causing browsers to crash and “scary visual effects” have been removed.
The exploit kit is offered both as a "licensed" software product for the intrepid malware server operator and as malware-as-a-service by the author off his own server.
Some interesting claims by developer about new version:
- prevent direct download of executable payloads
- only load exploit contents when client is considered vulnerable
- drop use of PluginDetect library (performance justification)
- remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC)
- change from predictable url structure (filenames and querystring parameter names)
- update machine stats to include Windows 8 and mobile devices
- better breakdown of plug-in version information
- improved checking of referrer
- block TOR traffic
Finally, a number of “private tricks” have been implemented, which the author prefers to keep a secret because he fears that competitors and antivirus companies are “sneaking around.” The developer offers a one-day rental of capacity on his server for as little as $50, up to a month-long lease for $500 (with larger fees for traffic over 70,000 web hits per day).
For those who want to run their own BlackHole server, licenses start at $700 for a 3-month license (which includes software support) and range up to $1,500 for a full year, plus $200 for the multidomain version. For those who want to cover their tracks, a site clean-up package comes priced at $300.