Assessing the impact of the Blackhole arrests


Early yesterday, a ‘breaking news’ tweet grabbed the attention of most security researchers involved with malware today.

Tweet breaking news of arrest

BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia

Within hours, corroborating support for the arrest was circulating to lend credence to the report.

Big news indeed!

The question on everyone’s lips, of course, was, “Will the arrest have any effect on the prevalence of the threat?”

This was an expected and fair question, which I shall try to address in this post.

For those not familiar with the Blackhole exploit kit, here is a 5-point “cheat sheet” to get you up to speed:

  • Blackhole has become perhaps the most notorious of all exploit kits, thanks primarily to its dominance of the crimeware market throughout 2012 and early 2013.
  • In late 2012, the second version of Blackhole was released, sporting an array of new features to increase infection rates while making the task of researchers harder.
  • The author of Blackhole is known by the handle Paunch.
  • The Cool exploit kit is believed to come from the same group.
  • We have explored the kit in great depth previously, for those that are interested in the technical details.

Before we start trying to look for a sudden drop in Blackhole or Cool volume, it is worth noting that the exploit kit landscape has changed since 2012.

Numerous other exploit kits are now available, and Blackhole has not dominated the threat statistics for several months.

Taking a look at the breakdown of the exploit kits that we have seen active over the past seven days, we can see that Blackhole and Cool (though the latter contributes just a very small fraction) are well down the charts, comprising just 2% of all reports.

Exploit kit breakdown from last 7 days

Looking at this data, the Neutrino, Glazunov and Sibhost exploit kits are currently dominant.

Looking at similar data for August 2013, the picture is quite different, with Styx, SweetOrange and Neutrino dominant.

But although Blackhole and Cool contribute more than in the recent data, they still reach only 4%.

Exploit kit breakdown for August 2013

So what does this tell us?

Principally, it says that we need to take great care with statistics!

There are many factors that influence the data that we use to measure and compare different threats, so I think it is too soon to draw any conclusions.

Nevertheless, assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue.

That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down.

But would that actually change the level of risk for the world at large?

With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape.

Criminals who used to use Blackhole services could simply migrate to other exploit kits.

That said, these arrests are definitely good news.

Today’s malware is largely dependent upon crimeware kits and their associated infrastructure, so any law enforcement activity against the perpetrators is very welcome.
