Assessing the impact of the Blackhole arrests

Filed Under: Featured, Law & order, Malware, SophosLabs, Vulnerability

Early yesterday, a 'breaking news' tweet grabbed the attention of most security researchers involved with malware today.

Tweet breaking news of arrest

BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia

Within hours, corroborating support for the arrest was circulating to lend credence to the report.

Big news indeed!

The question on everyone's lips, of course, was, "Will the arrest have any effect on the prevalence of the threat?"

This was an expected and fair question, which I shall try and address in this post.

To start with, for those not familiar with the Blackhole exploit kit, let me start with a 5-point "cheat sheet" to get you up to speed:

  • Blackhole has become perhaps the most notorious of all exploit kits, thanks primarily to its dominance of the crimeware market throughout 2012 and early 2013.
  • In late 2012, the second version of Blackhole was released, sporting an array of new features to increase infection rates while making the task of researchers harder.
  • The author of Blackhole is known by the handle Paunch.
  • The Cool exploit kit is believed to be come from the same group.
  • We have explored the kit in great depth previously, for those that are interested in the technical details.

Before we start trying to look for a sudden drop in Blackhole or Cool volume, it is worth noting that the exploit kit landscape has changed since 2012.

Numerous other exploit kits are now available, and Blackhole has not dominated the threat statistics for several months.

Taking a look at the breakdown of the exploit kits that we have seen active over the past seven days we can see Blackhole and Cool (though the latter contributes just a very small fraction) are well down the charts, comprising just 2% of all reports.

Exploit kit breakdown from last 7 days

Looking at this data, the Neutrino, Glazunov and Sibhost exploit kits are currently dominant.

Looking at similar data for August 2013, the picture is quite different, with Styx, SweetOrange and Neutrino dominant.

But although Blackhole and Cool contribute more than in the recent data, they still reach only 4%.

Exploit kit breakdown for August 2013

So what does this tell us?

Principally, it says that we need to take great care with statistics!

There are many factors that influence the data that we use to measure and compare different threats, so I think it is too soon to draw any conclusions.

Nevertheless, assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue.

That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down.

But would that actually change the level of risk for the world at large?

With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape.

Criminals who used to use Blackhole services could simply migrate to other exploit kits.

That said, these arrests are definitely good news.

Today's malware is largely dependant upon crimeware kits and their associated infrastructure, so any law enforcement activity against the perpetrators is very welcome.

Image of black hole in ring o' fire courtesy of Shutterstock.

, , , , ,

You might like

7 Responses to Assessing the impact of the Blackhole arrests

  1. shrikhandiya · 378 days ago

    Thanks for such a beautiful explanation.Really thats why i likes sophos blog.

  2. sad · 377 days ago

    so this kind of law enforcement activity against the perpetrators is very welcome and meaningless.

    • Shannon · 377 days ago

      "Meaningless" is your interpretation. The way you interpret data says a lot about you.

    • Paul Ducklin · 377 days ago

      "We cannot solve the whole problem, so we shall solve none of it!"

      Bit defeatist, isn't it?

      Amywat, I betcha "Paunch" disagrees with you. He probably doesn't find it welcome, but I reckon he doesn't find it meaningless, either :-)

  3. Aryan · 377 days ago

    Didn't know exploit kits were illegal

    • Paul Ducklin · 377 days ago

      Well, it's what you do with them that counts :-)

      In mny countries, using an exploit to run code on someone's PC without their authorisation is certainly an offence - unauthorised access, unauthorised modification, etc.

  4. Gavin · 377 days ago

    I suspect exploit kits themselves are not illegal (Metasploit certainly isn't, for instance), but their use in criminal activities certainly is.

    The same can be said for almost any tool.

    I haven't read any other articles about these arrests yet, but it would be interesting to know precisely what charges were brought against the people involved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.