Major Cybercrime Arrest in Russia
Blackhole Exploit Kit Author Reportedly in Custody
Russian authorities have reportedly arrested a man believed to be the author of the Blackhole exploit kit, which is widely used by cybercriminals to exploit vulnerabilities in Web browsers and other popular software to infect user computers with malware. Some anti-malware experts portray the arrest as a major victory for law enforcement in the global fight against cybercrime.
AVG estimates that nearly 90 percent of all Web threats detected by its anti-virus software are related to Blackhole.
The Blackhole exploit kit takes advantage of vulnerabilities in Web browsers and other popular software, such as Java, Adobe Reader and Flash Player, to stealthily download malware, such as banking Trojans and ransomware, onto users' computers. Cybercriminals install the malicious application on websites and trick users into visiting those sites via links embedded on other websites or spread through e-mail and social media.
Reports of the arrest first hit Twitter, with Maarten Boone, a security researcher at Dutch cyberforensics team Fox-IT, and Aleks Gostev, chief security expert for the global research and analysis team at Moscow-based anti-virus company Kaspersky Lab, claiming the creator, known on underground forums as "Paunch," was in custody.
Also, a former Russian police detective in contact with Russia's federal government told Reuters that Paunch was in custody.
When asked whether Russian authorities arrested Blackhole's author, Soren Pedersen, a spokesperson for Europol, a division of the European Cybercrime Centre (EC3), the law enforcement agency for the European Union, replied in an e-mail to Information Security Media Group: "Europol/EC3 has been informed that a high level suspected cybercriminal has been arrested." Europol directed requests for further details to Russian authorities, who have yet to release an official statement.
Blackhole is one of the most popular crimeware kits among cybercriminals, partly because of its extensive collection of exploits and partly because it offers buyers additional tools to handle complex tasks, says Will Gragido, senior manager of RSA First Watch, the advanced threat research and intelligence team for RSA, EMC's security division. The kit includes a Web panel to manage ongoing campaigns, provides regular updates to the exploits and malware payloads, and offers a cryptographic service to encrypt the kit.
"With Blackhole, anyone can be a botmaster," Gragido says.
Law Enforcement Victory
The arrest of Paunch is particularly significant because it sends a very clear message to cybercriminals, especially exploit kit developers, that law enforcement authorities are taking cybercrime seriously and are making progress in cracking down, Gragido says. Shutting down cybercrime rings has been difficult for international law enforcement agencies, mainly because of the rings' geographically distributed operations and challenges in coordinating efforts across national borders.
"Taking Paunch down means that going forward, all of these [cybercriminals] will have a greater set of concerns and worries. The risk for their activities will definitely go up," says Eric Cowperthwaite, vice president of advanced security and strategy at CORE Security, a network security and penetration testing company. He was formerly CISO at Seattle-based Providence Health.
The arrest could "trigger a chain reaction leading to more arrests and disruption," Jerome Segura, senior security researcher at Malwarebytes, an anti-virus vendor, wrote on the company's blog.
The arrest doesn't mean existing campaigns will suddenly stop working or that users won't be infected. But researchers have uncovered clues that ordinary Blackhole exploit kit operations already have been disrupted. For example, the kit's cryptographic service is currently unavailable. A French security researcher who goes by the name Kafeine said on Oct. 8 that the kit's files targeting Java exploits have not been updated in almost four days, whereas Paunch has been known to update them once or twice daily.
The kit was updated frequently in an attempt to stay a step ahead of the antivirus companies and other security companies, notes Jaime Blasco, director of AlienVault Labs, the research division of AlienVault, a provider of security management software. The recent lack of updates means the success rate of Blackhole will go down significantly as security companies update their detection capabilities to recognize the current version of the malware payload, he says.
"Blackhole was one of the most used exploit kits on the market, and this arrest will result in a decrease in attacks using this malware," Blasco says.
The author controlled the kit but worked with a team of developers, malware detection experts say, so the team might regroup and resume operations. It's unclear just how long, or how widespread, the disruption in use of the kit will be, RSA's Gragido warns.
Other Kits to Fill the Void
While the arrest may result in a drop in the number of Blackhole-related campaigns, one expert cautioned against thinking that this would make a difference in the larger cybercrime landscape.
The arrest is "largely irrelevant," contends Richard Henderson, a security strategist at FortiGuard Labs, a division of network security company FortiGuard. Plenty of other exploit kits on the market can fill the void left by Blackhole, and newer ones are always being developed, he says.
As a result, enterprises need to take appropriate actions, such as keeping up with patches for vulnerable applications, especially Java and Adobe Reader, experts say. Exploit kits target vulnerabilities in Web browsers and plug-ins, so focusing on these popular Web technologies can significantly reduce the attack surface, they explain.
"Exploit kits aren't going anywhere anytime soon. Much like with botnets, when one falls, another takes its place," Henderson says.
Kafeine has noted that Neutrino, another well-known exploit kit, has already increased its price tag to $10,000 a month per server. Other experts predict that other kits, such as Stix, may increase in popularity. They are also closely watching what happens to Cool Exploit Kit, another popular, and pricier, kit that's believed to have also been created by Paunch.
Sophos Labs says Blackhole and Cool comprised just 2 percent of all exploit kit activity over the past week, suggesting that their users have already moved to other kits. "That said, these arrests are definitely good news," says Fraser Howard, Sophos Labs' principal virus researcher.
"Today's malware is largely dependent upon crimeware kits and their associated infrastructure, so any law enforcement activity against the perpetrators is very welcome," Howard says.