Security Experts:
Blackhole Exploit Kit Author "Paunch" Arrested
By Mike Lennon on October 08, 2013
The
author of perhaps the most widely used malicious software that helps
cybercriminals around the world steal millions of dollars from
unsuspecting victims has reportedly been arrested.
Going by the online moniker of “Paunch”, and thought to be living in a town outside of Moscow, he is responsible for developing and updating the “Blackhole” exploit kit.
Several sources confirmed to SecurityWeek that the arrest of Paunch did occur, but were unable to provide additional details as this is an ongoing law enforcement operation. An official announcement from Moscow is expected next week.
Rumors of the arrest surfaced on Monday when Maarten Boone, a security analyst at Fox-IT tweeted, “BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia”.
Late Monday, Jerome Segura from MalwareBytes, highlighted that crypt.am, an online service used to encrypt the exploit kit, had been offline.
Furthermore, a security researcher going by the name "Kafeine" noticed that a malicious Java applet typically updated by Paunch once or twice each day, had not been changed for at least four days.
One Twitter user reported that Paunch’s account on crime forum Darkode had been deleted, though this has not been confirmed by SecurityWeek.
What’s interesting about Blackhole (and other exploits kits), is that it doesn’t actually steal money, exfiltrate data, or spy on victims, but instead is a “browser exploit pack” (BEP) used by cybercriminals to install a wide variety of malware onto systems, including Trojans such as Zeus, SpyEye, Fake A/V, and other types of malware.
As Rod Rasmussen explained in a 2012 SecurityWeek feature on the Blackhole exploit kit, the software is maintained and updated regularly, with a strong business model supporting it.
“Subscribers are continuously updated with the latest exploits against such software as Java, Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), and other programs and browser plug-ins. This means that cybercriminals don’t have to worry about finding exploits, engineering them, or updating their own code—that’s all done conveniently for them by Paunch and his crew.”
In 2012, the Blackhole exploit kit accounted for 27 percent of exploit sites and redirects from legitimate sites that had been hacked, according to Sophos.
Early this year, it was reported that the gang behind the Blackhole exploit kit had plans to branch out into new markets with a new, more expensive exploit kit (Cool Exploit) and a $100,000 budget to buy custom exploits to bundle into the kit, which would be more closely held.
If reports are true that Paunch has been taken in by authorities, it could mean big changes in the cybercriminal underworld.
“This may very well be the last update we see, unless somebody picks up the torch,” Jerome Segura commented. “Criminals that ‘rent’ the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale.”
“In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon,” Segura continued. “In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit.”
Related: Blackhole Exploit - A Business Savvy Cybergang Driving a Massive Wave of Fraud
Managing Editor, SecurityWeek.
Going by the online moniker of “Paunch”, and thought to be living in a town outside of Moscow, he is responsible for developing and updating the “Blackhole” exploit kit.
Several sources confirmed to SecurityWeek that the arrest of Paunch did occur, but were unable to provide additional details as this is an ongoing law enforcement operation. An official announcement from Moscow is expected next week.
Rumors of the arrest surfaced on Monday when Maarten Boone, a security analyst at Fox-IT tweeted, “BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia”.
Late Monday, Jerome Segura from MalwareBytes, highlighted that crypt.am, an online service used to encrypt the exploit kit, had been offline.
Furthermore, a security researcher going by the name "Kafeine" noticed that a malicious Java applet typically updated by Paunch once or twice each day, had not been changed for at least four days.
One Twitter user reported that Paunch’s account on crime forum Darkode had been deleted, though this has not been confirmed by SecurityWeek.
What’s interesting about Blackhole (and other exploits kits), is that it doesn’t actually steal money, exfiltrate data, or spy on victims, but instead is a “browser exploit pack” (BEP) used by cybercriminals to install a wide variety of malware onto systems, including Trojans such as Zeus, SpyEye, Fake A/V, and other types of malware.
As Rod Rasmussen explained in a 2012 SecurityWeek feature on the Blackhole exploit kit, the software is maintained and updated regularly, with a strong business model supporting it.
“Subscribers are continuously updated with the latest exploits against such software as Java, Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), and other programs and browser plug-ins. This means that cybercriminals don’t have to worry about finding exploits, engineering them, or updating their own code—that’s all done conveniently for them by Paunch and his crew.”
In 2012, the Blackhole exploit kit accounted for 27 percent of exploit sites and redirects from legitimate sites that had been hacked, according to Sophos.
Early this year, it was reported that the gang behind the Blackhole exploit kit had plans to branch out into new markets with a new, more expensive exploit kit (Cool Exploit) and a $100,000 budget to buy custom exploits to bundle into the kit, which would be more closely held.
If reports are true that Paunch has been taken in by authorities, it could mean big changes in the cybercriminal underworld.
“This may very well be the last update we see, unless somebody picks up the torch,” Jerome Segura commented. “Criminals that ‘rent’ the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale.”
“In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon,” Segura continued. “In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit.”
Related: Blackhole Exploit - A Business Savvy Cybergang Driving a Massive Wave of Fraud
sponsored links
Tags: Subscribe to SecurityWeek
- Snowden Says He Took No Secret Documents to Russia
- Public Cloud Security is Back to The Future
- Hackers Compromise PR Newswire Customer Database
- Skycure Monitors Network Activity of iOS Devices for Security
- Please Join us Tonight in Denver for a Educational Security Happy Hour Event
- NSA Deeply Involved in US Drone Strikes: Report
- FireEye Unveils Mobile Threat Protection Platform
- A-Z of Vulnerability Management: A - is for Authenticated Scanning
- US Asks Top Court Not to Take Case on NSA Cyber-Snooping
- TRUSTe Expands Data Privacy Management Platform with Enhanced Mobile App Monitoring
Corporate Research
|
Cost of Failed Trust Report: On average enterprises are projected to risk losing an average of $...
|
|
|
Anatomy of a Botnet: How the Arbor Security Engineering & Response Team (ASERT) Discover...
|
|
|
Mobile Security Guide: Protect Your Organization From Mobile Malware: As mobile devices become more common, cybercriminals see them as ha...
|
|
|
CDW Malware Video: CDW Malware Video
|
|
Copyright © 2013 Wired Business Media. All Rights Reserved. Privacy Policy | Terms of Use
