|Paunch notification on Exploit.in about v2.0|
Original text of the advert (Pastebin) (for a rough translation see below; an illustration of an infection and related files are in this post.)
--Google Translate-- (Pastebin)
BlackHole Exploit Kit 2.0
We are pleased to welcome you to a brand new version of the exploit kit. Over the more than 2 years of our project's existence, the old engine and kit have become badly worn: AV companies have become very quick to recognize such criteria as BlackHole and flag it as malware. In the new version we have rewritten everything from scratch, and not only the part that serves the exploits but also the admin panel.
Innovations on the serving side (translation improved by Denis Laskov):
1. Implemented maximum protection from the automatic exploit-downloading systems used by AV companies: a dynamic URL is generated that is valid for a few seconds and only for one victim at a time.
2. Your executable is now also protected from multiple downloads; an AV company cannot simply download it, which will keep your exe clean for longer.
3. JAR and PDF exploits are shown only to detected vulnerable versions of the plugins; if the plugin is not vulnerable, the exploits are not served and do not fall into the detection loop.
4. We no longer use PluginDetect to determine the Java version, which removes a lot of extra code from the kit and thus speeds up its loading, as well as the getJavaInfo file, which ran Java regardless of whether the plugin version was vulnerable or not.
5. All the old exploits that gave tiny results but caused scary visual effects and browser crashes, such as Flash, HCP, PDF-All, etc., have been removed. Now the kit lists 3 exploits in the admin panel: Java Pack (atomic + byte), PDF LibTiff, MDAC (kept because it does not crash the browser, still has a low detection ratio because we managed to clean it up, and old IE6 is still common in the field).
6. In version 1.*, the link to the malicious payload was unfortunately recognizable to AV companies and reversers; it looked like this: /Main.php?Varname=lgjlrewgjlrwbnvl2. In the new version you can choose the link to the malicious payload yourself, for example: /news/index.php, /contacts.php and so on; for the moment no AV can catch it. And by default, stream names are generated automatically from a dictionary of real words when a stream is created, not from random letters.
7. Exploits are now served only to unique users; on a repeat visit it is up to you to decide what to do: it can be your HTML stub code, or a redirect to your landing page or any other site.
8. Now all URLs are dynamic, with no permanent variable names that could be detected by a mask; there is no file for the exe download at all, and the same goes for the JAR; now all that is required is the original path the victim was pointed to.
Many more private tricks have been developed and implemented, which the author prefers not to disclose in public, simply because it is not reasonable: competitors and AV companies are always sneaking around.
Innovations in the admin panel:
1. A captcha has been added for logging in; in our practice there have been not a few cases of clients' admin panels being broken into with Brutus, and this should considerably slow down some of the wise guys.
2. Statistics for a stream are now easy to see by selecting it from the drop-down menu on the statistics home page; a link to the guest statistics is also available for quick viewing and copying.
3. The admin panel will no longer slow down when it reaches 1-2k cores, and generally will not slow down: the entire load is distributed among scripts executed from cron, and piles of logs are grouped into one record, so it will never reset statistics and can store them for almost years. Essentially we wrote version 2.0 so that the kit could hold many times more than the old version, which we have successfully achieved.
4. Added the ability to use Memcached as a performance aid; it is very convenient, but it is not needed by those whose traffic volume does not bring the server down.
5. Win 8 and mobile devices have been added to the list of operating systems, so you can see how much of your traffic is mobile, and mobile traffic can be redirected to the appropriate affiliate.
6. In the streams there are also innovations: previously it was possible to operate with two types of rules, exploits and redirects; now a stub item has been added. A stub is used to display a static HTML page. For example, you can make a stub for Google Chrome traffic and create a page there with text like: This page only works in Internet Explorer, Opera, Firefox.
7. Now there is a welcome feature: disabling a stream with a detected exe file. The system automatically checks the detection of your file at the interval you specify when you add the file.
8. Now you can use the kit as an intermediary between the traffic sources and their destination, for which the ability to select a stream URL to redirect the traffic to has been created. This is useful for passing traffic through several kits, or for subsequent redirection to a landing page.
9. When adding a file it will be possible to specify how often the file is checked for AV detection, as well as updating the file (if the file is added by URL).
10. There is a new menu item "Software Version", where you can see the versions of the Java and Acrobat Reader plugins in your traffic, see the breakdown of each version, and monitor the quality of the traffic by seeing whether the traffer is exploiting the plugins in your traffic. This is very useful for evaluating traffic quality and for monitoring how the exploits perform on the right version of the plugin.
11. Completely updated "Security", which deserves its own sub-section:
a) the option to block traffic without a referer (we recommend always keeping this on)
b) the option to ban unwanted referrers
c) the option to ban all referrers except those you specify
d) the option to ban bots using a prepared base of 13k IPs (thanks xshaman) (we recommend keeping this on)
e) the option to ban the TOR network, whose nodes are dynamically updated, as in practice most reversers work from there (we recommend always keeping this on)
f) there is a recording mode: if you stop the traffic and do not want to wait, put the stream into recording mode, and all reversers and bots that hit your link after the traffic is stopped go directly to the ban list.
12. Since in item 11 we have many ban options, once at least one ban option is selected, a "Ban Statistics" menu appears, in which you can see the amount of blocked traffic and the reason for the block.
13. In the settings section you can now specify in more detail what to do with referrer statistics (do not record referrers; keep track of referrers; keep track of referrers without displaying them in the guest statistics).
14. The ability to update the GeoIP database with one click in the admin panel.
15. Everything that was expected: the ability to disable a flagged domain in the kit. It looks like this: you choose how many AVs must consider a domain not clean (e.g. 1); as soon as the domain is blacklisted by one AV, it switches to the next. It is also possible to specify what to do if clean domains run out: turn the kit off completely, or use a non-clean domain.
16. In connection with the feature described in item 15, there is a new "Domains" menu, where you can add lists of domains, see which are flagged, manage them completely, and also get an API link for a particular stream, on which you can always see a clean link for the traffic.
In fact, version 2.0 is not a continuation of the old kit; it is a completely new system written entirely from scratch, taking into account client requests gathered over more than two years of operating version 1.*.
So we are glad to report that prices have remained the same:
Rent on our server:
- Daily rental - $50 (traffic limit 50k hits)
- Weekly rental - $200 (traffic limit 70k hits a day)
- Monthly lease - $500 (traffic limit 70k hits a day)
If needed, the traffic limit can be raised for an additional fee.
License for your server:
- License for 3 months $700
- License for six months $1,000
- License for a year $1,500
Multidomain version of the kit - $200 one-time fee for the duration of the license (not bound to a domain or IP)
Change of domain on the standard version of the kit - $20
Change of IP for the multidomain version of the kit - $50
One-time cleaning - $50
Auto-cleaning for a month - $300 (the cleaned build is uploaded to your server by itself as soon as your cryptor gets burned)
Because the thread for version 1.* accumulated a lot of reviews and reports, a separate thread has been allocated for version 2.0, and the old thread will be closed as history; here is the link to it: http://exploit.in/forum/index.php?showtopic=41662
Author and support, one person (working regular hours):
JID: [email protected]
JID: [email protected]
JID: [email protected]
Support (working hours from 9 to 19 on weekdays):
JID: [email protected]
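As an added illustration, and not code from the kit or from this blog, the gating the advert describes on the serving side (items 1, 2 and 7: a per-victim URL token valid for a few seconds and honoured once; unique visitors only) together with the Security items 11a, 11d and 12 (block empty referers, ban an IP list, count the bans), modelled in Python the way a defender would to see why a sandbox or crawler that re-fetches a captured URL gets nothing. All class names, thresholds, IP addresses and referers below are assumptions; the real kit's token format and timing are not given on the page.

```python
"""Model of BlackHole 2.0-style request gating as described in the advert.
Added example, not the kit's code; every name and threshold is an assumption."""
import secrets
import time
from collections import Counter


class FakeClock:
    """Manually advanced clock so the expiry behaviour is reproducible offline."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Gate:
    def __init__(self, ttl_seconds=5, banned_ips=(), require_referer=True, clock=time.time):
        self.ttl = ttl_seconds                  # "valid for a few seconds" (assumed 5)
        self.banned_ips = set(banned_ips)       # the "prepared base of IPs" (item 11d)
        self.require_referer = require_referer  # item 11a
        self.clock = clock
        self.issued = {}                        # token -> (expires_at, victim_ip)
        self.served_ips = set()                 # "only unique users" (item 7)
        self.ban_stats = Counter()              # "Ban Statistics" (item 12): reason -> count

    def issue(self, victim_ip):
        """The landing page hands out a token bound to one victim, valid for ttl seconds."""
        token = secrets.token_urlsafe(16)
        self.issued[token] = (self.clock() + self.ttl, victim_ip)
        return token

    def decide(self, ip, referer, token):
        """Return 'serve' or the reason the request is refused, updating the ban counters."""
        reason = self._check(ip, referer, token)
        if reason != "serve":
            self.ban_stats[reason] += 1
        return reason

    def _check(self, ip, referer, token):
        if ip in self.banned_ips:
            return "banned_ip"
        if self.require_referer and not referer:
            return "no_referer"
        if ip in self.served_ips:
            return "repeat_visitor"
        entry = self.issued.pop(token, None)    # pop: a token is honoured at most once (item 2)
        if entry is None:
            return "unknown_or_used_token"
        expires_at, victim_ip = entry
        if self.clock() > expires_at:
            return "expired_token"              # a crawler that fetches later is too slow (item 1)
        if ip != victim_ip:
            return "wrong_victim"               # a copied link from another machine fails (item 1)
        self.served_ips.add(ip)
        return "serve"


def demo():
    """Constructed traffic: one victim, one scanner replaying what it captured."""
    clock = FakeClock()
    gate = Gate(ttl_seconds=5, banned_ips={"203.0.113.9"}, clock=clock)
    victim, scanner, ref = "198.51.100.7", "192.0.2.50", "http://compromised.example/"
    results = []
    token = gate.issue(victim)
    results.append(gate.decide(victim, ref, token))                   # serve
    results.append(gate.decide(scanner, ref, token))                  # replayed link: token used
    results.append(gate.decide(victim, ref, gate.issue(victim)))      # second visit: repeat_visitor
    token = gate.issue(scanner)
    clock.advance(10)                                                 # scanner fetches 10 s later
    results.append(gate.decide(scanner, ref, token))                  # expired_token
    results.append(gate.decide(scanner, None, gate.issue(scanner)))   # no_referer
    results.append(gate.decide("203.0.113.9", ref, None))             # banned_ip
    return results, dict(gate.ban_stats)


if __name__ == "__main__":
    outcomes, stats = demo()
    for outcome in outcomes:
        print(outcome)
    print(stats)
```

The point for anyone building an automated collector: the first fetch from the victim's own session is the only one the gate answers, so a system that harvests URLs and fetches them seconds later from another address will only ever see the stub or a ban, which is exactly what the advert promises its customers.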
|Blackhole 2.0 Login page with the Captcha|
Edit 12/09/12 - 22:12: some parts of the Google translation improved by Denis Laskov.
Edit 13/09/12 - 02:14: links to real-case infection data.