
Black Hat 2012: Phoenix, Black Hole toolkits rising in sophistication

Attack toolkits have grown in sophistication as cybercriminals add better code obfuscation and other techniques to avoid detection and improve attack effectiveness.

Attack toolkits, such as Black Hole and Phoenix, put powerful automation in the hands of less-savvy cybercriminals, and features and capabilities added in recent years have only made these attack platforms more effective and more dangerous.


It is common for malware architects to update crimeware toolkits with new exploit capabilities a few short hours after a software maker issues patches to repair vulnerabilities, said Jason Jones, a security researcher at Hewlett-Packard Co.'s TippingPoint DVLabs. Jones is scheduled to talk about Web exploit toolkits and their sophistication at the 2012 Black Hat Briefings in Las Vegas. He said cybercriminals behind the attack toolkits not only license them to attackers, but also provide frequent updates and even support services.

"These guys are stepping up," Jones said in an interview with "We need to keep on our toes and pushing the envelope to protect users."

Jones said he expects the toolkit authors to further advance their code-obfuscation efforts, making it difficult for security teams to detect a toolkit's presence on websites. He predicts advances in JavaScript code obfuscation will cloak malicious code from automated technologies designed to detect suspicious website activity.

Security firms have been documenting a steady rise in attacks targeting Java, Adobe Flash and Microsoft vulnerabilities, fueled in large part by the Black Hole exploit kit. As with Phoenix and other attack toolkits, an annual license for the Black Hole toolkit had sold on hacker forums for as much as $1,500. Black Hole was made available for free download last year, creating the surge in Web-based attacks.

"Users need to patch their Java [installations], their Adobe software and their operating system vulnerabilities," Jones said. "These kits are not using zero-days; they cannot exploit you if you are patched."


Attack toolkits have a lot in common. A control panel helps the attacker configure the toolkit to carry out a range of attacks. Most can be configured to ignore a specific IP range, Jones said, in order to avoid attacking a security firm or another entity the attacker doesn't want to attack. A dashboard typically displays reporting capabilities, letting the attacker know how many people viewed their attack pages and how many attacks were successful.

Attackers typically use crimeware kits to set up drive-by attacks. The kit can be used to target vulnerable websites and use those sites as attack platforms. An initial SQL injection or cross-site scripting (XSS) attack gains a foothold on a website. Using malicious JavaScript, the attacker loads an iFrame within the HTML on the page, which launches attacks on visitors to determine their operating system and whether their browsers and browser components are unpatched. If a vulnerability is found, the attack toolkit automatically exploits it, downloading malware onto a victim's machine.
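A site owner can audit the pages a server actually delivers for the injected-iframe pattern described above. The following Python sketch is an added example, not code from the article or from Jones's research; the heuristics, the `audit` function and the sample page (built on reserved example domains) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Styles that hide a frame from the visitor (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|(?:left|top)\s*:\s*-\d{3,}", re.I)
TINY = {"0", "1", "0px", "1px"}
BUILDS_IFRAME = re.compile(r"<\s*iframe|createElement\(\s*['\"]iframe", re.I)

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self.in_script = site_host.lower(), [], False

    def off_site(self, src):
        # Relative URLs have no hostname and count as on-site.
        host = (urlparse(src).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":
            hidden = (a.get("width", "").strip() in TINY or a.get("height", "").strip() in TINY
                      or bool(HIDDEN_STYLE.search(a.get("style", ""))))
            if hidden and self.off_site(a.get("src", "")):
                self.findings.append(("hidden-offsite-iframe", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline script that assembles an iframe at load time.
        if self.in_script and BUILDS_IFRAME.search(data):
            self.findings.append(("script-builds-iframe", data.strip()[:60]))

def audit(html, site_host):
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (reserved example domains), not taken from any real kit.
SAMPLE = """<html><body>
<iframe src="/widgets/poll.html" width="300" height="200"></iframe>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://stats.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>var f=document.createElement('iframe');f.src='http://stats.example.net/in.php';f.style.display='none';document.body.appendChild(f);</script>
</body></html>"""
```

Calling `audit(SAMPLE, "example.com")` flags the hidden off-site frame and the script that builds one, while leaving the visible embeds alone. Because the script check is a static pattern match, obfuscated JavaScript of the kind Jones describes will evade it, so treat a clean result as a first pass and compare served pages against known-good copies as well.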

Attack toolkits can contain as few as four exploits or up to a dozen or more. The longer a kit is around, Jones said, the more exploits it accumulates.

Attack toolkits are largely from Eastern Europe, Jones said, but newer exploit kits are emerging from Asia. While those newer toolkits aren't as sophisticated, they have been offering exploits that target more recently known vulnerabilities. The kits have fueled competition, pushing toolkit authors to rush updates to license holders.

"The Chinese exploit kits were taking market share because they could get more recent vulnerabilities in their kit," Jones said. "They see the success that these other guys are having and they may think they will have the same success or do it better."
