BlackHole exploit kit experimenting with 'pseudo-random domains' feature

According to security researchers from Symantec, the author of the BlackHole exploit kit is experimenting with a new feature, offered as a trial to selected customers of his kit.

POST UPDATED, 27.06.2012.

In order to stay competitive within the cybercrime ecosystem, vendors of cybercrime-friendly services and tools need to constantly innovate and introduce the features requested by their users. What are some of the latest developments on the web malware exploitation kits' front?

According to security researchers from Symantec, the author of the market leading BlackHole web malware exploitation kit is experimenting with a new feature offered as a trial to selected customers of his kit.

Based on their analysis, the kit's author is experimenting with a pseudo-random client-side exploits serving domain feature. Thankfully, the security researchers were able to decode the algorithm and are currently able to anticipate the exact domains to be registered at a future date, and consequently block access to them.

More details:

By changing the date passed to the function we can determine domains that will be used in future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, such as details of the registrant not published in WHOIS. So far we have seen a small but steady stream of compromised domains using this technique. This suggests that this is perhaps some kind of trial or test that could be expanded in future.

What is the kit's author aiming to achieve by introducing this feature? Automation which will inevitably results in the so called 'malicious economies of scale', the two key features of a web malware exploitation kit.

In the past, the BlackHole exploit kit relied on a managed script crypting service, periodically updating the client-side exploits serving domains. It's interesting to observe the newest feature of the kit, in the context of automation, as it indicates that the kit's author is clearly interested in maintaining his market leader share by persistently introducing new features and exploits.

BlackHole exploit kit's successful infection rates are high primarily due to the fact that the kit is exploitation commonly found client-side vulnerabilities in third-party software and browser plugins.

Users are advised to ensure that they're not using outdated third-party software and browser plugins.

UPDATE: According to researchers from, the pseudo-random domains feature is not exclusively tied to the BlackHole exploit kit as Symantec originally states. The feature is also found on multiple compromised URls, and introduces a new domain every 12 hours. Apparently, certain cybercriminals have obtained the source code of the feature, and are currently experimenting with it, using the BlackHole exploit kit as a method of choice for serving client-side exploits.

Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.