Blackhole exploit kit gets a random boost

Attackers using the Blackhole kit compromise a legitimate site, insert malicious JavaScript code on the site’s main page, and infect the visitor’s machine.

“When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a user's system. It typically targets vulnerable Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads”, explained Symantec researcher Nick Johnston in a blog.

This approach has a key weakness. “If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical”, he wrote.

The solution developed by the Blackhole attackers is to enable the JavaScript code on infected sites to dynamically generate pseudo-random domains based on the date and other information and then create an iframe pointing to the generated domain, Johnston explained.
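Because a date-seeded generator is deterministic, a defender who recovers the routine from an injected script can compute the same domains ahead of time and match them against proxy or DNS logs. The sketch below is an added example, not code from the article or from Symantec: `generated_domain` is a hypothetical stand-in for a recovered routine (it is not Blackhole's algorithm), and the seed, the reserved `.example` TLD and the log format are constructed.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import urlsplit

def generated_domain(day, seed="constructed-seed", tld="example"):
    """Hypothetical stand-in for a recovered date-seeded generator (not Blackhole's)."""
    digest = hashlib.sha256(f"{seed}:{day.isoformat()}".encode()).hexdigest()
    # Map the first 16 hex digits to letters a-p to form a pseudo-random label.
    label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:16])
    return f"{label}.{tld}"

def blocklist(start, days_back=1, days_ahead=7):
    """Map each domain in a window around `start` to its date (past days cover clock skew)."""
    window = (start + timedelta(days=n) for n in range(-days_back, days_ahead + 1))
    return {generated_domain(d): d for d in window}

def flag_requests(log_lines, blocked):
    """Return (client, host, generation_date) for log lines that hit a blocked host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, url = parts[1], parts[2]
        # Normalise case and a trailing root dot before comparing.
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host in blocked:
            hits.append((client, host, blocked[host]))
    return hits

# Constructed sample data: "<timestamp> <client> <url>" proxy log lines.
TODAY = date(2012, 7, 1)
SAMPLE_LOG = [
    "2012-07-01T09:00:00Z 10.0.0.4 http://www.example.org/index.html",
    f"2012-07-01T09:00:02Z 10.0.0.5 "
    f"http://{generated_domain(TODAY + timedelta(days=3)).upper()}./in.php",
    "truncated-line",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG, blocklist(TODAY)):
        print(hit)
```

A hit on a domain dated several days ahead, as in the sample, is worth noting in triage: it can point to a client with a wrong clock.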
