Wednesday, April 25, 2012

BlackHole BEP Still Rising High!

Last year at the Virus Bulletin conference, we presented the techniques and tactics used by Browser Exploit Packs (BEPs), including a discussion of BlackHole's functionality. The paper can be downloaded from

We also examined the exploit distribution mechanism used by BEPs through a study of the Phoenix BEP, published in the HITB Ezine. The paper can be downloaded from

However, we have seen no decrease in the BlackHole BEP infection rate. Our team ran some tests, and the results were as expected: the IDS signatures we deployed collected several IP addresses infected with BlackHole. We are not disclosing the details of our detection payloads. The IP addresses are listed below.
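To show how alerts from deployed IDS signatures are turned into a list of hosts, here is an added example that is not part of the original post and not the authors' detection code. It assumes alerts in Snort's "fast" output format; the sample lines are constructed for illustration, the signature messages and SIDs are hypothetical placeholders (the post withholds the real detection payloads), and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed Snort "fast"-format alert lines for illustration only.
# Signature messages/SIDs are hypothetical placeholders, not the post's real
# detection payloads; hosts use RFC 5737 documentation addresses.
SAMPLE_ALERTS = """\
04/25-10:15:32.123456  [**] [1:9000001:1] LOCAL hypothetical BEP signature A [**] [Priority: 1] {TCP} 198.51.100.23:51234 -> 203.0.113.5:80
04/25-10:16:01.000001  [**] [1:9000001:1] LOCAL hypothetical BEP signature A [**] [Priority: 1] {TCP} 198.51.100.23:51240 -> 203.0.113.5:80
04/25-10:17:45.500000  [**] [1:9000002:2] LOCAL hypothetical BEP signature B [**] [Priority: 1] {TCP} 192.0.2.77:43210 -> 203.0.113.9:8080
04/25-10:20:10.000000  [**] [1:9000001:1] LOCAL hypothetical BEP signature A [**] [Priority: 1] {TCP} 192.0.2.77:43300 -> 203.0.113.5:80
this line is not an alert and must be skipped
"""

# One Snort fast-alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, src[:port] -> dst[:port].
FAST_ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Yield one dict per well-formed alert line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            yield m.groupdict()


def tally_hosts(text):
    """Return {src_ip: {sid: hit_count}} so each host can be reviewed per signature."""
    hosts = defaultdict(Counter)
    for alert in parse_alerts(text):
        hosts[alert["src"]][int(alert["sid"])] += 1
    return {ip: dict(counts) for ip, counts in hosts.items()}


def unique_sources(text, min_hits=1):
    """Sorted source IPs that triggered at least `min_hits` alerts (the host list)."""
    counts = Counter(alert["src"] for alert in parse_alerts(text))
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for ip, per_sid in sorted(tally_hosts(SAMPLE_ALERTS).items()):
        print(ip, per_sid)
```

The `src` field is the endpoint that initiated the flagged flow, so whether an address in the list is a victim host or a kit server depends on the direction the rule was written for; a `min_hits` threshold above one filters out single spurious matches before geolocating the remaining addresses.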

Most of these IP addresses are located in Canada and the US. The point is that BlackHole BEP is still rising high. We are still conducting further experiments to decipher BlackHole's runtime behavior.