Cool-er Than Blackhole?

Exploit kits are still making the rounds, nothing new there. But alongside the popular Blackhole Exploit Kit, a new kid on the block has emerged, dubbed the Cool Exploit Kit.

It’s very interesting to see how these two actually fare against each other…

Lately, we’ve seen Blackhole update to the latest PluginDetect, version 0.7.9, which Cool has already been using.

1_bh_plugin (14k image)

We’ve also seen Blackhole exploit the font vulnerability (CVE-2011-3402) that Cool has been exploiting.

2_bh_font (28k image)

It seems that Blackhole is now also exploiting the Java vulnerability CVE-2012-5076, another vulnerability already being exploited by Cool. In addition, Blackhole is once again serving Flash exploits, as it did in version 1.

3_bh_vercheck (99k image)

Of course, Cool wouldn’t want to be left behind as it performs similar checks to the same plugins and exploits the same vulnerabilities.

3_cool_vercheck (155k image)

It may be just us, but the version checks performed by the two kits are very much alike. And when we checked out Cool’s Flash exploits, we couldn’t help but notice that it uses the same Flash filenames seen in Blackhole version 1, which happen to exploit the same Flash vulnerabilities (CVE-2011-0559, CVE-2011-2110, CVE-2011-0611).

4_cool_flash (153k image)

As if that wasn’t enough, other functions are pretty much similar as well.

Blackhole:
5_bh_getcn (58k image)

Cool:
5_cool_getcn (53k image)

So is Cool really better? With all these “differences”, it appears that Cool and Blackhole are more than just a tiny bit related. And it wasn’t only us who noticed: @kafeine mentioned in his post that there’s a high chance both kits have the same author.

Post by — Karmina and @TimoHirvonen


On 16/11/12 At 02:01 PM
