
    A recent example of the Blackhole exploit toolkit targeting consumers was a ransomware page launched in June that claims to be a legal action by the U.S. Federal Bureau of Investigation (FBI). The malware locks up the machine’s Windows operating system and demands payment of a ‘fine’ to unlock it. The graphic, which includes a fake video, demands a payment of $100 through an untraceable money transfer.

    Since the text cites the fine as “100$,” this is an indication that the demand isn’t really from the FBI. Another giveaway that this is fake is the claim that the affected PC has been used to violate copyright laws or view pornographic content, or has been infected with malware, and so violates a fictional “Neglectful Use of Personal Computer article 210 of the Criminal Code.”

    Blackhole is a sophisticated and powerful exploit kit, mainly because it can adapt (it is polymorphic) and because its code is heavily concealed to evade detection by anti-malware solutions. These are the main reasons it has a high success rate.

    Its creators ‘commercialized’ their product by providing a subscription-based service. Blackhole customers are criminals as well and will try to make money by selling the “software” to others, who then go on to use it to recoup their investment. Blackhole’s creators then release updates to paying customers only and, along the way, reduce the number of non-paying customers in order to maximize monetization from the toolkit.

    The rapid update capabilities of the kit have made it very difficult for antivirus vendors to track. The success rate of the Blackhole toolkit is now much higher than that of other toolkits, as the creators have stepped away from standard zero-day or recently patched exploits and have updated the toolkit with an exploit that targets vulnerabilities in Java.

    The Q2 Threat Report can be accessed online at: http://mediacenter.avg.com/en/press-tools/avg-threat-reports/avg-community-powered-threat-report-q2-2012.html

    During 2011, the Blackhole exploit toolkit was the clear winner as the toolkit of choice for cybercriminals. On average, AVG research indicates that 70 percent of the attacks were performed by variants of Blackhole. This year, Blackhole maintains its dubious leadership: it accounts for 75.1 percent of toolkits in the wild and is responsible for 51.07 percent of all malware, according to AVG’s Q2 2012 Community Powered Threat Report.