Last year at the Virus Bulletin conference, we presented on the techniques and tactics used by Browser Exploit Packs (BEPs) and discussed the functionality of BlackHole. The paper can be downloaded from http://www.secniche.org/papers/VB_2011_BRW_EXP_PACKS_AKS_RJE.pdf.
We also discussed the exploit distribution mechanism in BEPs by presenting a study of the Phoenix BEP in the HITB Ezine. The paper can be downloaded from http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf.
However, we have not seen any decrease in the infection rate of the BlackHole BEP. Our team conducted some tests, and the results are as expected: the IDS signatures we deployed collected several IP addresses that are infected with BlackHole. We are not disclosing the details of our detection payloads. The IP addresses are listed below:
176.65.155.84
199.230.54.74
206.188.192.117
195.39.12.62
174.36.24.216
206.188.192.129
195.210.4.16
205.178.145.119
173.230.138.185
115.249.190.46
12.133.182.133
206.188.192.37
68.178.232.100
205.178.145.150
74.207.249.7
206.188.192.79
205.178.145.125
206.188.192.148
205.178.145.65
195.39.12.61
199.30.89.187
206.188.192.116
176.65.157.82
205.178.145.142
199.30.89.180
205.178.145.140
206.188.192.74
188.190.98.79
205.178.145.124
173.212.218.123
206.188.192.188
205.178.145.130
184.173.73.174
193.200.167.30
206.188.192.13
193.104.153.44
206.188.192.21
205.178.145.71
206.188.192.40
129.121.93.254
141.136.16.116
206.188.192.230
206.188.192.244
109.235.49.23
206.188.192.89
Most of these IP addresses are located in Canada and the US. The point is, the BlackHole BEP is still on the rise. We are still in the process of conducting more experiments to decipher the runtime behavior of BlackHole.
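The list above is raw sensor output, and the first thing a defender does with such a list is validate it, de-duplicate it and look at how the addresses cluster by netblock, since a handful of /24s hosting many infected hosts says more than 45 scattered addresses. The following is an added example (not code from the post or from our IDS deployment); the addresses embedded in it are copied from the list above, while the function names and the /24 grouping are this example's own choices.

```python
"""Validate, de-duplicate and cluster the BlackHole indicator list above.

Added example. IOC_TEXT holds the 45 addresses from the post; the helper
names (parse_iocs, group_by_prefix) are assumptions of this example only.
"""
import ipaddress
from collections import Counter

# The addresses reported by the post's IDS sensors, embedded verbatim.
IOC_TEXT = """
176.65.155.84
199.230.54.74
206.188.192.117
195.39.12.62
174.36.24.216
206.188.192.129
195.210.4.16
205.178.145.119
173.230.138.185
115.249.190.46
12.133.182.133
206.188.192.37
68.178.232.100
205.178.145.150
74.207.249.7
206.188.192.79
205.178.145.125
206.188.192.148
205.178.145.65
195.39.12.61
199.30.89.187
206.188.192.116
176.65.157.82
205.178.145.142
199.30.89.180
205.178.145.140
206.188.192.74
188.190.98.79
205.178.145.124
173.212.218.123
206.188.192.188
205.178.145.130
184.173.73.174
193.200.167.30
206.188.192.13
193.104.153.44
206.188.192.21
205.178.145.71
206.188.192.40
129.121.93.254
141.136.16.116
206.188.192.230
206.188.192.244
109.235.49.23
206.188.192.89
"""


def parse_iocs(text):
    """Return an order-preserving, de-duplicated list of valid IPv4 addresses.

    Blank lines and anything that is not a well-formed IPv4 address are
    skipped, so a copy-pasted indicator list can be fed in without cleanup.
    """
    seen = set()
    result = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ip = ipaddress.IPv4Address(line)
        except ValueError:
            continue  # hostname, comment or garbled line: not an indicator
        if ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


def group_by_prefix(ips, prefixlen=24):
    """Count indicators per /prefixlen network, most populated first.

    Ties are broken by network address so the output is deterministic.
    """
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ips = parse_iocs(IOC_TEXT)
    print(f"{len(ips)} unique indicators")
    for net, n in group_by_prefix(ips):
        if n > 1:
            print(f"{net}  {n}")
```

Run as a script it prints the netblocks that contribute more than one address; on the post's list two /24s account for over half of the indicators, which is the kind of concentration worth feeding into a prefix-level watch rule rather than 45 single-host signatures.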