Blackhole author arrested. The impact on the underground market

The author of the Blackhole exploits kit has been arrested after a long investigation. What will change in the offer of the criminal underground?

The author of the popular Blackhole exploit kit, also known as Paunch, has been arrested. The cybercrime underground has lost one of its principal actors, considering that the malicious kit is one of the most widely used on the Internet. Paunch is the author of two of the most widely distributed exploit kits, Blackhole and the Cool Exploit Kit, which have dominated the underground scene in recent years. The Blackhole exploit kit has been adopted by hackers to compromise several Web browsers and commonly used applications such as Adobe Reader. The winning factors behind the success of the Blackhole exploit kit are its efficiency, the availability of various commercial models (e.g. sale, rent), frequent updates and a moderate price (Blackhole can be rented for as little as $200 to $300 per week). Unlike many other exploit kits, Blackhole includes built-in code obfuscation techniques and other continuously updated evasive measures that make detection of the kit difficult.


Troels Oerting, head of Europol’s European Cybercrime Center, confirmed the arrest to Tech Week Europe:

“I know it is true, we got some information, but I cannot say anymore.”

Although the news is very positive for security experts, we are all aware of how rapidly the underground ecosystem reacts: the arrest represents a great business opportunity for many other cyber criminals and malware authors, and it is only a question of time before another hacker takes his place.

“[It’s] a big deal,” said Mikko Hypponen, chief research officer at security firm F-Secure. “According to our statistics, Paunch has been the biggest provider of exploit packs for the past two years.” “Now that Paunch is off the market, we’re probably going to see a fight on who will take his place.”

The underground is very prolific in the sale of exploit kits: names like the Whitehole Exploit Kit, Redkit Exploit Kit, Phoenix and Sweet Orange Exploit Kit are very popular in the hacker community, and the Russian market is considered the most active in the creation of new kits. In early 2013 Solutionary’s Security Engineering Research Team (SERT) published a very interesting study on the diffusion of malware and exploit kits observed through its ActiveGuard service platform. The report revealed the surprising efficiency of well-known vulnerabilities usually included in the popular exploit kits sold in the underground: around 60% of the total are more than two years old, and 70% of the exploit kits analyzed (26) were released or created in Russia. The SERT report confirmed that the most popular and pervasive exploit kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do, while the most versatile is the Phoenix exploit kit, which supports 16% of all vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, a web application that exploits known vulnerabilities in the most popular applications, frameworks and browsers, such as Adobe Reader, Adobe Flash and Java.

The security firm RSA Security has estimated that between 75% and 80% of all web threats over the past two years are linked to Blackhole. Paunch’s offer is considered very effective by experts: Blackhole has been available to cyber criminals to buy or rent, as I explained in numerous posts. Blackhole has thoroughly exploited the sales model defined as “malware as a service“. Another factor to consider is that many other hackers have also offered attacks based on the Blackhole exploit kit, in a sales model that specialists call attack-as-a-service.

What to expect in the short term?

The use of the exploit kit will decline: the absence of updates will make it unattractive to hackers, steering them towards the sale or rent of other exploit kits. In reality, as highlighted by Sophos experts, the market share of Blackhole and Cool has already been decreasing since early 2012 due to the presence of many other exploit kits, such as Glazunov and Neutrino.

The arrest of the alleged author of Blackhole has created a gap in the market that could shortly be filled by new actors able to offer an equally efficient exploit kit. Most likely, in the coming months we will see a reduction in the prices of other exploit kits as their authors try to gain a foothold in a market left without its main product.

Be aware that criminals who used the Blackhole exploit kit will migrate to other malicious kits.

Pierluigi Paganini

(Security Affairs –  Blackhole, cybercrime, Paunch)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
