Moscow cops cuff suspect in Blackhole crimeware bust

$50-a-day malware kit set miscreants back more than priciest software licence

The infamous Blackhole Exploit Kit has gone dark following the reported arrest in Russia of a suspect whom police believe is linked to the malware.

Blackhole has been the preferred tool for running drive-by download attacks and therefore a menace to internet hygiene for the last three years.

A suspect linked to Blackhole was arrested by Russian police earlier this week, Europol confirmed, without giving details.

The Russian authorities have not as yet released the name of the suspect or any other details of their investigation.

Drive-by badness

Blackhole is one of the most popular crimeware toolkits, serving browser-based exploits and the like from compromised websites in order to distribute malware. The hacker tool was authored by a person calling themselves "Paunch" and is essentially a web-based application. It first reared its ugly head in late 2010, and quickly became a common find for malware researchers investigating compromised websites.

Cybercrooks must first find a site that can be exploited before planting the exploit kit, often exposing users of legitimate sites to Blackhole-powered attacks.

The exploit kit attempts to download malware on the PCs of visiting surfers by taking advantage of any unpatched browser, Java or Adobe Flash plug-in vulnerability it manages to find.

Malware distributors also create links in spam messages that point to exploit portals hosting Blackhole, an alternative approach that gets around the need to hack legitimate websites before planting malicious code.

The end goal in both cases is to push various strains of malware onto vulnerable PCs.
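The compromised-site route described above works by planting a redirect on a legitimate page that silently sends visitors to the kit's landing page. The following scanner is an added example written for this article, not code from the article, from any exploit-kit author or from any vendor quoted here; it looks for the two tell-tale injection patterns (a hidden iframe and an off-site script load pointing away from the site's own hosts). The trusted-host list, the regexes, the hiding heuristics and the sample page are all assumptions constructed for the demonstration, and the 203.0.113.7 address is a documentation-range placeholder.

```python
"""Triage scanner for injected drive-by redirects in saved HTML.

Added example, not from the article or from any kit author. Flags:
  * iframes that point off-site AND are hidden (display:none,
    visibility:hidden, or 0/1-pixel dimensions);
  * <script src=...> loads from hosts outside the site's own domains.
All hosts, patterns and sample input below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Hypothetical: hosts this site legitimately serves content from.
TRUSTED_HOSTS = {"www.example-news.com", "cdn.example-news.com"}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    """Return a lower-cased dict of tag attributes from the raw tag body."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_hidden(attrs):
    """Heuristic: CSS hiding or a zero/one-pixel frame (common injection trick)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(attrs.get("width", "100").rstrip("px"))
        h = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:  # percentages or odd values: do not guess
        return False
    return w <= 1 or h <= 1


def is_offsite(src):
    """True when the URL's host is not one of the site's own hosts."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS


def scan_html(html):
    """Return a list of (finding_type, url) for suspicious redirect injections."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        if src and is_offsite(src) and is_hidden(attrs):
            findings.append(("hidden-offsite-iframe", src))
    for m in SCRIPT_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        if src and is_offsite(src):
            findings.append(("offsite-script", src))
    return findings


# Constructed sample: a benign page with two injected elements appended.
SAMPLE_PAGE = """<html><body>
<h1>Legit article</h1>
<script src="https://cdn.example-news.com/site.js"></script>
<iframe src="https://www.example-news.com/ad" width="300" height="250"></iframe>
<iframe src="http://203.0.113.7/go.php?id=1" width="1" height="1" style="visibility: hidden"></iframe>
<script src="http://203.0.113.7/s.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {url}")
```

This is a first-pass filter for a site owner or responder pulling suspect pages, not a detector for the kit itself: real injections were frequently obfuscated JavaScript that built the iframe at runtime, so a page that comes back clean here still warrants a look at any script blocks that are not yours.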

$50 a day... even the baddies want you to rent their software!

A revamped version of the Blackhole Exploit Kit (version 2) was released just over a year ago in September 2012. The follow-up features support for Windows 8 and more sophisticated technologies for circumventing security defences.

The release also includes a spruced-up user interface – so the tool can now be used by the less technically able criminal – as well as a revised licensing structure that puts a greater emphasis on renting rather than buying the software.

Malware authors have caught on to the trend of leasing out rather than selling software. Rental prices for Blackhole run from $50 a day while leasing the software for a year costs around $1,500.

Earlier this year the Cool Exploit Kit surfaced online. Cool, also allegedly built and maintained by "Paunch", is essentially a more sophisticated and expensive version of Blackhole that reportedly costs a hefty $10,000 in monthly rental fees compared to $500 a month for Blackhole.

Blackhole accretion disc stops spinning

Several sources in the security industry claim that the malicious kit, which is normally updated at least once or twice a day, has not been updated for several days.

Malwarebytes reports that updates to the kit have ceased over recent days. Crypt.am – a service used to encrypt the exploit kit – is down.

Meanwhile security researcher and long-time Blackhole-watcher Kafeine has published a graphic showing how the malicious Java applet, which is normally updated between once and twice a day, hasn’t changed for at least five days.

Malwarebytes is careful to note that these events only offer circumstantial evidence that something has been done to deactivate the Blackhole ecosystem. The antivirus firm says that even though an arrest has been made, it's possible the police should be looking for multiple suspects.

Nonetheless the current hiatus in Blackhole malfeasance is cause for cautious optimism, not least because it might severely inconvenience cybercrooks who relied on the black hat tool.

"Criminals who 'rent' the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale," Malwarebytes explains in a blog post. "Those that host the exploit kit themselves have more control in that they could (if savvy enough) make some alterations to the kit to 'keep it alive'."

Displacement effect

The end effect may be to displace net fraudsters onto less sophisticated and less developed kits, rather than forcing them to give up on their preferred scams for want of suitable utilities, according to Malwarebytes.

"In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon. In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit," it adds.

"If it’s true that the brains behind the Blackhole has been apprehended it’s a very big deal – a real coup for the cybercrime-fighting authorities, and hopefully cause disruption to the development of one of the most notorious exploit kits the web has ever seen," writes veteran security watcher Graham Cluley.

Fraser Howard, a senior virus researcher in SophosLabs, struck a more cautious note in a blog post looking at malicious activity since the arrest of a suspect allegedly linked to Blackhole.

"Assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue," he writes. "That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down."

Recent daily stats from Sophos show that the Neutrino, Glazunov and Sibhost exploit kits are currently dominant, and that use of Blackhole/Cool had already dipped in August. All these stats really tell us for sure is that other exploit kits are available.

"With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape. Criminals who used to use Blackhole services could simply migrate to other exploit kits.

"That said, an arrest is definitely good news," he concludes.

A whitepaper by Sophos on the Blackhole Exploit Kit can be found here.

More details on the cybercrime ecosystem created around the Blackhole Exploit Kit can be found in a blog post by independent security researcher Dancho Danchev here. ®
