Two weeks ago, it was reported that police in Russia arrested the reputed author of the Blackhole Exploit kit, a man who went by the hacker alias ‘Paunch.’ In the aftermath, the number of spam campaigns using Blackhole to distribute malware fell off, and in the two weeks since it has still not recovered.
According to security researchers, use of the exploit kit seems to have chilled for the moment, and some cyber-crews have started switching tactics. For example, researchers at Dell SecureWorks report that following the arrest, one of the groups using the Cutwail spam botnet stopped spamming out links leading to the Blackhole exploit kit in favor of another kit known in the security community as Magnitude (formerly Popads).
In that case, the spam emails carry links that open a website telling the user their browser is out of date, a ruse to get them to download Gameover Zeus, while a malicious iframe silently redirects the browser to the Magnitude exploit kit. At that point, Magnitude installs the infamous ZeroAccess Trojan on the user’s system if it is susceptible to any of the targeted vulnerabilities, such as CVE-2011-3402 (Windows) and CVE-2013-0633 (Adobe Flash Player).
“Blackhole operations have gone silent,” said Richard Henderson, security strategist at FortiGuard Labs.
“Will other kits move in to fill the void left by [Blackhole]? Most definitely. When will we see this happen? It’s hard to say right now, but for every hacker arrested, there’s another who thinks he is skilled enough to avoid arrest and will take a shot at making their millions,” he added.
According to Chester Wisniewski, senior security advisor at Sophos, other exploit kits have actually already begun to fill that void. At the moment, the two most common exploit kits are Glazunov and Neutrino – though it is hard to account for who picked up the most business from Blackhole’s demise, he said.
Trend Micro security researcher Jonathan Leopando blogged that underground forums are still digesting news of the arrest and what the long-term impact may be.
“One particular area of concern in Russian underground forums is whether users of BHEK could face arrests themselves,” he blogged. “In particular, users who purchased BHEK directly from Paunch or his authorized resellers would be in Paunch’s database of clients, which is now presumably in the hands of law enforcement.”
The use of exploit kits as an infection vector has been cyclical for some time, noted Andrew Brandt, director of threat research at Blue Coat Systems.
“In spam-delivered campaigns, we saw an uptick in the use of exploit kits in August and early September, then their use trailed off after about the 10th [of October],” he said. “We saw a gradual increase in Kuluoz-style email with links that simply deliver a .zip file and some messages with the .zip file already attached.”
Elsewhere, exploit kits of many types remain in wide use on compromised websites, he said, and iframes and misdirection are being used to load the kit in the background while the victim surfs the Web.
“If the author of Black Hole sold the code, or had collaborators that were not apprehended, it is possible that we could see the kit appear again in the future,” said Curt Wilson, ASERT senior research analyst for Arbor Networks. “There is also a possibility that the code may have leaked at some point, which could make that particular threat re-emerge. There is no shortage of exploit kits that can be rented or purchased in the underground, and threat actors are likely to have taken full advantage of the situation to encourage new customers to migrate from Black Hole to their particular exploit kit.”