A new version of the BlackHole exploit kit is now out on the web and ready to start infecting. The developer of the toolkit, who goes by the handle "Paunch," recently announced the availability of BlackHole 2.0, which removes much of its trove of known and patched exploits and replaces them with a whole new crop, along with features that will make it harder for antivirus companies and site owners to detect trouble.

BlackHole is a widely used, web-based software package that bundles a collection of tools for taking advantage of security holes in web browsers to download viruses, botnet trojans, and other forms of nastiness onto the computers of unsuspecting victims. The exploit kit is offered both as a "licensed" software product for the intrepid malware server operator and as malware-as-a-service run by the author from his own server.

The announcement for the new version, which Threatpost reports was initially posted on the underground hacker marketplace site Exploit.ln (and was translated from the original Russian on the Malware Don't Need Coffee weblog, with the help of Google Translate), promises a number of new features to make it harder for antivirus software to detect and defend against exploit attacks. One of those is a random URL generation system that creates single-use web addresses, each valid only for the duration of a specific attack on a target computer. Random URLs are intended to prevent antivirus companies or security professionals from using the link to download the exploit for analysis.

The user can also designate human-readable page names in the URL (such as "/news/index.php") to fool browser users into believing they're following a legitimate link. This prevents security software from detecting exploits based on the signature of the source URL. And BlackHole 2.0 limits which attacks it attempts against a target based on which plug-ins it detects are present, reducing the chance that the attempts will trigger an antivirus package watching for suspicious behaviors.

Older exploits based on Flash and other software that has since been patched have been removed by the developer because of their low rate of return and the potential for them to tip off users by "causing scary visual effects and browser crashes." The new version includes three exploit "packs": a set of Java exploits (including attacks on Java's "AtomicReferenceArray object"), exploits of the Adobe PDF LibTiff, and exploits of Internet Explorer's Microsoft Data Access Components, a well-documented vulnerability retained because of its low rate of detection by security software and the prevalence worldwide of unpatched IE6 browsers that are still vulnerable to it.

There are also a number of enhancements in the tool's administrative panel. A BlackHole 2.0 user can now configure an attack server with multiple domains and have it rotate the URLs it uses for attacks among them. It can also automatically switch from one domain to another when the first gets blacklisted by antivirus reputation databases.

All these new capabilities come without a bigger sticker price. The developer offers a one-day rental of capacity on his server for as little as $50, up to a month-long lease for $500 (with larger fees for traffic over 70,000 web hits per day). For those who want to run their own BlackHole server, licenses start at $700 for a 3-month license (which includes software support) and range up to $1,500 for a full year, plus $200 for the multidomain version. For those who want to cover their tracks, a site clean-up package comes priced at $300.
