NEWS FROM THE LAB - Friday, November 16, 2012

Cool-er Than Blackhole? Posted by SecResponse @ 14:01 GMT

Exploit kits are still making the rounds; nothing new there. But alongside the popular Blackhole Exploit Kit, a new kid on the block has emerged, dubbed the Cool Exploit Kit.

It's very interesting to see how these two actually fare against each other…

Lately we've seen Blackhole update to the latest PluginDetect, version 0.7.9, which Cool was already using.

[Screenshot: Blackhole plugin]

We've also seen Blackhole exploit the TrueType font parsing vulnerability (CVE-2011-3402) that Cool has been exploiting.

[Screenshot: Blackhole font]

It seems that Blackhole is now also exploiting the Java vulnerability CVE-2012-5076, another vulnerability already being exploited by Cool. On top of this, Blackhole is once again serving Flash exploits, as it did in version 1.

[Screenshot: Blackhole vercheck]

Cool, of course, doesn't want to be left behind: it performs similar version checks on the same plugins and exploits the same vulnerabilities.

[Screenshot: Cool vercheck]

It may be just us, but the version checks in the two kits look very much alike. And when we examined Cool's Flash exploits, we couldn't help noticing that they use the same Flash filenames seen in Blackhole version 1, and that those files exploit the same Flash vulnerabilities (CVE-2011-0559, CVE-2011-2110, CVE-2011-0611).

[Screenshot: Cool Flash]

As if that weren't enough, other functions, such as getcn, look much the same in both kits as well.

[Screenshot: Blackhole getcn]

[Screenshot: Cool getcn]

So is Cool really better? With all these "differences", it appears that Cool and Blackhole are more than just a tiny bit related. And we weren't the only ones to notice this: @kafeine mentioned in his post that there's a high chance both kits have the same author.
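To make the comparison above concrete, here is an added example (not code from this post, and not code from either kit) that performs the same three checks a researcher does when lining up two landing pages: which PluginDetect build is embedded, which plugins are version-checked via PluginDetect.getVersion(), and how much the set of function names overlaps. Both page samples are constructed for this example and only imitate the shape described in the post; the function names go, run, serve and ttf, and the page contents themselves, are invented.

```python
import re

# Constructed stand-ins for two captured landing pages. They imitate the
# features the post compares (an embedded PluginDetect build, plugin version
# checks, a cookie helper called getcn) but are NOT real Blackhole or Cool code.
PAGE_A = r"""
/* PluginDetect v0.7.9 [onWindowLoaded][getVersion][Java][Flash][AdobeReader] */
var PluginDetect={version:"0.7.9",name:"PluginDetect"};
function getcn(){var c=document.cookie;return c.indexOf("v=")>=0;}
function go(){
  var jv=PluginDetect.getVersion("Java");
  var fv=PluginDetect.getVersion("Flash");
  var pv=PluginDetect.getVersion("AdobeReader");
  if(jv&&jv.split(",")[0]=="1"&&jv.split(",")[1]=="7"){serve("java");}
  if(fv){serve("flash");}
}
var serve=function(k){document.write('<iframe src="'+k+'">');};
"""

PAGE_B = r"""
/* PluginDetect v0.7.9 [onWindowLoaded][getVersion][Java][Flash][AdobeReader] */
var PluginDetect={version:"0.7.9",name:"PluginDetect"};
function getcn(){var c=document.cookie;return c.indexOf("v=")>=0;}
function run(){
  var j=PluginDetect.getVersion("Java");
  var f=PluginDetect.getVersion("Flash");
  if(j){serve("java");}
  if(f){serve("flash");}
}
var serve=function(k){document.write('<iframe src="'+k+'">');};
function ttf(){return "font";}
"""

# PluginDetect builds carry their version in a leading comment.
PD_VERSION_RE = re.compile(r"PluginDetect v(\d+(?:\.\d+)+)")
# Plugin names passed to PluginDetect.getVersion("...").
GETVERSION_RE = re.compile(r"PluginDetect\.getVersion\(\s*['\"]([^'\"]+)['\"]\s*\)")
# Named function declarations and "name = function" expressions.
FUNC_DECL_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(")
FUNC_EXPR_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\s*=\s*function\b")


def plugindetect_version(js):
    """Return the embedded PluginDetect version string, or None if absent."""
    m = PD_VERSION_RE.search(js)
    return m.group(1) if m else None


def checked_plugins(js):
    """Set of plugin names the page fingerprints through PluginDetect."""
    return set(GETVERSION_RE.findall(js))


def function_names(js):
    """Set of function names defined in the page (declarations and expressions)."""
    return set(FUNC_DECL_RE.findall(js)) | set(FUNC_EXPR_RE.findall(js))


def jaccard(a, b):
    """Jaccard similarity of two sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare(js_a, js_b):
    """Summarise what two landing pages share, in the terms the post uses."""
    fa, fb = function_names(js_a), function_names(js_b)
    pa, pb = checked_plugins(js_a), checked_plugins(js_b)
    return {
        "plugindetect": (plugindetect_version(js_a), plugindetect_version(js_b)),
        "plugins_a": sorted(pa),
        "plugins_b": sorted(pb),
        "shared_plugins": sorted(pa & pb),
        "shared_functions": sorted(fa & fb),
        "only_a": sorted(fa - fb),
        "only_b": sorted(fb - fa),
        "function_similarity": round(jaccard(fa, fb), 3),
    }


if __name__ == "__main__":
    for key, value in compare(PAGE_A, PAGE_B).items():
        print(f"{key:20} {value}")
```

Shared function names and an identical PluginDetect build are weak evidence on their own (many kits copy the same public library), so the result is a starting point for a closer read of the shared functions, not an attribution by itself. On real samples, run the regexes after deobfuscating the page, since kits usually pack the landing-page JavaScript.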

Post by — Karmina and @TimoHirvonen