
WordPress and the dreaded “Blackhole Exploit Kit”

Recently, while viewing a WordPress site, I discovered that the website had been hacked. It was a WordPress blog running on a Linux server. The compromise was discovered rather quickly by the anti-virus software on the Windows 7 machines that were being used to view the site and log into the WordPress dashboard for administration. The malware warning that popped up named the dreaded “Blackhole Exploit Kit”.

The Blackhole Exploit Kit was developed by skilled computer criminals, most likely in Russia or Eastern Europe. I will not pretend to know the entire inner workings of the malicious software package, but I will share what I found out from my personal experience.

According to Wikipedia, the Blackhole exploit kit is currently the most prevalent web threat. The kit was developed for resale to other computer criminals: anyone who uses it “bought” or “licensed” it from the original authors and then tweaked it to fit their own purposes. In general, the kit uses hidden JavaScript code to fingerprint the software versions on the visitor’s computer. I would imagine that it would analyze your:

  • Browser version
  • Adobe Flash plugin version
  • Adobe Acrobat Reader version
  • Java Runtime version

All of these items should always be kept up-to-date, especially Java and Flash, which both have horrendous histories of security vulnerabilities. If the fingerprinting JavaScript finds that you are running a version the kit has an exploit for, i.e., it has found a way into your computer, it serves that exploit and then runs a second piece of software, the actual payload. Often this is a Trojan horse dressed up as a pop-up window warning you about a malware/virus infection, when in fact the warning itself IS the malware (so-called fake antivirus). This payload can be, but does not have to be, delivered through a Java applet, and it typically installs a “back-door” program that leaves your computer under the remote attackers’ control.

Disabling JavaScript would protect you from this kit’s landing page; however, it significantly reduces the functionality of MANY websites. For example, you would not be able to use Gmail, which is built on JavaScript. In this particular instance, I discovered the injected code inside the website’s header.php, the theme file that is included at the top of every page, which is why every visitor was served it.

It looked something like this:

#d93065# echo(gzinflate(base64_decode("3VXBbptAEP2V……….…1G5y+828z/8A"))); #/d93065#

This is only a snippet of the code; the base64 blob was much longer. To clean the file, remove everything from the opening #d93065# marker through the closing #/d93065# marker. Remember that this exploit kit is custom made for each criminal who purchases it from the “hacker mafia” that created it, so the marker value and the encoded blob will likely differ on your site; look for the general pattern of echo or eval wrapped around gzinflate(base64_decode(“…”)).
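To make the clean-up above repeatable, here is an added example (my own code, not something from the original post or from WordPress) that scans a WordPress tree for this marker-delimited echo/eval(gzinflate(base64_decode(“…”))) pattern, statically decodes the blob so you can see what it was injecting, and strips the block. It assumes the six-hex-digit marker format shown in the snippet; the sample header.php, its payload and the example.invalid URL are constructed fixtures, not captured from the infected site. The decoded content is only printed, never executed.

```python
"""Find, decode and strip '#xxxxxx# echo(gzinflate(base64_decode("...")));' injections
in a WordPress tree. Analysis only: payloads are decompressed and shown, never executed."""
import base64
import re
import sys
import zlib
from pathlib import Path

# The injection the post describes: a hex marker comment, an echo/eval of a base64-encoded
# raw-DEFLATE blob, and a matching closing marker. In PHP a '#' comment runs to end of line,
# so the markers sit on their own lines (the post flattened the snippet onto one line).
INJECTION_RE = re.compile(
    r'#(?P<tag>[0-9a-f]{6})#\s*'
    r'(?:echo|eval|print)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'
    r'["\'](?P<blob>[A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)\s*;\s*'
    r'#/(?P=tag)#',
)
# Same call without the markers, for peeling nested layers inside a decoded payload.
INNER_RE = re.compile(r'gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']')


def gzinflate(raw: bytes) -> bytes:
    """Python equivalent of PHP gzinflate(): raw DEFLATE, no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(raw, -15)


def decode_payload(blob: str) -> str:
    """Decode one base64 + gzinflate layer to text without executing it."""
    return gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")


def decode_layers(blob: str, max_layers: int = 10) -> list[str]:
    """Peel nested base64/gzinflate layers statically; stop when no further layer is found."""
    layers = [decode_payload(blob)]
    for _ in range(max_layers):
        m = INNER_RE.search(layers[-1])
        if not m:
            break
        layers.append(decode_payload(m.group(1)))
    return layers


def find_injections(php_source: str) -> list[dict]:
    """Return one record per marker-delimited injection found in a PHP source string."""
    return [
        {"tag": m.group("tag"), "span": m.span(), "layers": decode_layers(m.group("blob"))}
        for m in INJECTION_RE.finditer(php_source)
    ]


def clean_source(php_source: str) -> tuple[str, int]:
    """Strip every #tag# ... #/tag# block (the removal step from the post). Returns (cleaned, count)."""
    return INJECTION_RE.subn("", php_source)


def scan_tree(root: Path) -> dict[Path, list[dict]]:
    """Walk a WordPress install and collect injections per .php file (themes, plugins, core alike)."""
    results = {}
    for path in root.rglob("*.php"):
        hits = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path] = hits
    return results


def make_sample_injection(payload: str, tag: str = "d93065") -> str:
    """Constructed test fixture in the same shape as the real injection; payload is harmless text."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw DEFLATE, what gzinflate() expects
    blob = base64.b64encode(comp.compress(payload.encode()) + comp.flush()).decode()
    return f'#{tag}#\necho(gzinflate(base64_decode("{blob}")));\n#/{tag}#'


# Constructed sample header.php: the injected block sits before the theme's real markup.
SAMPLE_PAYLOAD = '<script src="http://example.invalid/kit.js"></script>'  # hypothetical, not a real URL
SAMPLE_HEADER = "<?php " + make_sample_injection(SAMPLE_PAYLOAD) + " ?>\n<!DOCTYPE html>\n<html><head>\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan.py /var/www/wordpress
        for path, hits in scan_tree(Path(sys.argv[1])).items():
            for h in hits:
                print(f"{path}: marker #{h['tag']}#, {len(h['layers'])} layer(s) -> {h['layers'][-1][:120]!r}")
    else:  # no path given: demonstrate on the constructed sample
        for h in find_injections(SAMPLE_HEADER):
            print(f"marker #{h['tag']}# at {h['span']}, decoded payload:\n  {h['layers'][-1]}")
        cleaned, n = clean_source(SAMPLE_HEADER)
        print(f"removed {n} block(s); cleaned header starts with {cleaned[:12]!r}")
```

Run it with the WordPress document root as the argument and it reports every .php file carrying the pattern, which matters because an attacker who could write header.php could just as easily have dropped the same block into a plugin or a core file. Cleaning only what the regex matches is deliberate: anything it does not recognise should be reviewed by hand rather than deleted blindly.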

We helped this website by removing the code from its header.php file, which took the injected code out of the WordPress site so that its visitors are no longer served the kit. But it does raise the question of how the hackers got into header.php in the first place. Access to a WordPress account could do it, but SSH/FTP access to the Linux server that hosts the site could also be the culprit. In either case, if this happens to you, the passwords for all of these accounts should be changed immediately, and the rest of the theme, plugin and core files should be checked for the same pattern, since an attacker who could write header.php could write anything else the web server account owns. Be on the lookout for this nasty piece of code in your HTML, PHP or ASP files. Not only is it a headache for you because it makes your website appear malicious, it can infect any user who visits your WordPress site!
