Exploit kits are still making rounds, nothing new there. But in addition to the popular Blackhole Exploit Kit, a new kid on the block emerges which has been dubbed as Cool Exploit Kit.
It's very interesting to see how these two actually fare against each other…
Lately, we're seeing that Blackhole updated to the latest PluginDetect version 0.7.9, which has already been used by Cool.
We've also seen Blackhole exploit the font vulnerability (CVE-2011-3402) that Cool has been exploiting.
It seems that Blackhole is also now exploiting the Java vulnerability CVE-2012-5076, another vulnerability being exploited by Cool. In addition to this, Blackhole is once again serving Flash exploits like it did in version 1.
Of course, Cool wouldn't want to be left behind as it performs similar checks to the same plugins and exploits the same vulnerabilities.
It may be just us, but the version checks by the two kits are very much alike. And when we checked out Cool's Flash exploits, we can't help but notice that it uses the same Flash filenames as seen from Blackhole version 1, which happen to exploit the same Flash vulnerabilities (CVE-2011-0559, CVE-2011-2110, CVE-2011-0611).
As if that wasn't enough, other functions are pretty much similar as well.
So is Cool really better? With all these "differences", it appears that Cool and Blackhole are more than just a tiny bit related. And it wasn't only us that notices this, @kafeine mentioned in his post that there's a high chance that both kits have the same author.