Moscow cops cuff suspect in Blackhole crimeware bust

$50-a-day malware kit set miscreants back more than priciest software licence

The infamous Blackhole Exploit Kit has gone dark following the reported arrest in Russia of a suspect who police believe is linked to the malware.

Blackhole has been the preferred tool for running drive-by download attacks and therefore a menace to internet hygiene for the last three years.

A suspect linked to Blackhole was arrested by Russian police earlier this week, Europol confirmed, without giving details.

The Russian authorities have not as yet released the name of the suspect or any other details of their investigation.

Drive-by badness

Blackhole is one of the most popular crimeware toolkits, serving browser-based exploits and the like from compromised websites in order to distribute malware. The hacker tool was authored by a person calling themselves "Paunch" and is essentially a web-based application. It first reared its ugly head in late 2010, and quickly became a common find for malware researchers investigating compromised websites.

Cybercrooks must first find a site that can be exploited before planting the exploit kit, often exposing users of legitimate sites to Blackhole-powered attacks.

The exploit kit attempts to download malware on the PCs of visiting surfers by taking advantage of any unpatched browser, Java or Adobe Flash plug-in vulnerability it manages to find.

Malware distributors also create links in spam messages that point to exploit portals hosting Blackhole, an alternative approach that gets around the need to hack legitimate websites before planting malicious code.

The end goal in both cases is to push various strains of malware onto vulnerable PCs.

$50 a day... even the baddies want you to rent their software!

A revamped version of the Blackhole Exploit Kit (version 2) was released just over a year ago in September 2012. The follow-up features support for Windows 8 and more sophisticated technologies for circumventing security defences.

The release also includes a spruced-up user interface – so the tool can now be used by the less technically able criminal – as well as a revised licensing structure that puts a greater emphasis on renting rather than buying the software.

Malware authors have caught on to the trend of leasing out rather than selling software. Rental prices for Blackhole run from $50 a day while leasing the software for a year costs around $1,500.

Earlier this year the Cool Exploit Kit surfaced online. Cool, also allegedly built and maintained by "Paunch", is essentially a more sophisticated and expensive version of Blackhole that reportedly costs a hefty $10,000 in monthly rental fees compared to $500 a month for Blackhole.

Blackhole accretion disc stops spinning

Several sources in the security industry claim that the malicious kit, which is normally updated at least once or twice a day, has not been updated for several days.

Malwarebytes reports that updates to the kit have ceased over recent days. – a service used to encrypt the exploit kit – is down.

Meanwhile security researcher and long-time Blackhole-watcher Kafeine has published a graphic showing how the malicious Java applet, which is normally updated between once and twice a day, hasn’t changed for at least five days.

Malwarebytes is careful to note that these events offer only circumstantial evidence that something has been done to deactivate the Blackhole ecosystem. The antivirus firm says that even though an arrest has been made, it's possible cops should be looking for multiple suspects.

Nonetheless the current hiatus in Blackhole malfeasance is cause for cautious optimism, not least because it might severely inconvenience cybercrooks who relied on the black hat tool.

"Criminals who 'rent' the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale," Malwarebytes explains in a blog post. "Those that host the exploit kit themselves have more control in that they could (if savvy enough) make some alterations to the kit to 'keep it alive'."

Displacement effect

The end effect may be to displace net fraudsters onto less-sophisticated and developed kits, rather than forcing them to give up on their preferred scams for want of suitable utilities, according to Malwarebytes.

"In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon. In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit," it adds.

"If it’s true that the brains behind the Blackhole has been apprehended it’s a very big deal – a real coup for the cybercrime-fighting authorities, and hopefully cause disruption to the development of one of the most notorious exploit kits the web has ever seen," writes veteran security watcher Graham Cluley.

Fraser Howard, a senior virus researcher in SophosLabs, struck a more cautious note in a blog post looking at malicious activity since the arrest of a suspect allegedly linked to Blackhole.

"Assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue," he writes. "That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down."

Recent daily stats from Sophos show that the Neutrino, Glazunov and Sibhost exploit kits are currently dominant, but use of Blackhole/Cool also dipped in August. All these stats really tell us for sure is that other exploit kits are available.

"With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape. Criminals who used to use Blackhole services could simply migrate to other exploit kits.

"That said, an arrest is definitely good news," he concludes.

A whitepaper by Sophos on the Blackhole Exploit Kit can be found here.

More details on the cybercrime ecosystem created around the Blackhole Exploit Kit can be found in a blog post by independent security researcher Dancho Danchev here. ®
