Early yesterday, a ‘breaking news’ tweet grabbed the attention of most security researchers involved with malware today.
BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia
Within hours, corroborating support for the arrest was circulating to lend credence to the report.
Big news indeed!
The question on everyone’s lips, of course, was, “Will the arrest have any effect on the prevalence of the threat?”
This was an expected and fair question, which I shall try and address in this post.
To start with, for those not familiar with the Blackhole exploit kit, let me start with a 5-point “cheat sheet” to get you up to speed:
- Blackhole has become perhaps the most notorious of all exploit kits, thanks primarily to its dominance of the crimeware market throughout 2012 and early 2013.
- In late 2012, the second version of Blackhole was released, sporting an array of new features to increase infection rates while making the task of researchers harder.
- The author of Blackhole is known by the handle Paunch.
- The Cool exploit kit is believed to be come from the same group.
- We have explored the kit in great depth previously, for those that are interested in the technical details.
Before we start trying to look for a sudden drop in Blackhole or Cool volume, it is worth noting that the exploit kit landscape has changed since 2012.
Numerous other exploit kits are now available, and Blackhole has not dominated the threat statistics for several months.
Taking a look at the breakdown of the exploit kits that we have seen active over the past seven days we can see Blackhole and Cool (though the latter contributes just a very small fraction) are well down the charts, comprising just 2% of all reports.
Looking at this data, the Neutrino, Glazunov and Sibhost exploit kits are currently dominant.
Looking at similar data for August 2013, the picture is quite different, with Styx, SweetOrange and Neutrino dominant.
But although Blackhole and Cool contribute more than in the recent data, they still reach only 4%.
So what does this tell us?
Principally, it says that we need to take great care with statistics!
There are many factors that influence the data that we use to measure and compare different threats, so I think it is too soon to draw any conclusions.
Nevertheless, assuming that the players behind Blackhole have indeed been removed from the game, it is possible that the apparent decline we have seen in the past week will continue.
That would mean that the prevalence of Blackhole landing pages and exploit content would go down, and stay down.
But would that actually change the level of risk for the world at large?
With other exploit kits already dominant in the market, a decline in Blackhole activity would not necessarily mean a change in the overall threat landscape.
Criminals who used to use Blackhole services could simply migrate to other exploit kits.
That said, these arrests are definitely good news.
Today’s malware is largely dependant upon crimeware kits and their associated infrastructure, so any law enforcement activity against the perpetrators is very welcome.
Image of black hole in ring o’ fire courtesy of Shutterstock.
7 comments on “Assessing the impact of the Blackhole arrests”
Thanks for such a beautiful explanation.Really thats why i likes sophos blog.
so this kind of law enforcement activity against the perpetrators is very welcome and meaningless.
"Meaningless" is your interpretation. The way you interpret data says a lot about you.
"We cannot solve the whole problem, so we shall solve none of it!"
Bit defeatist, isn't it?
Amywat, I betcha "Paunch" disagrees with you. He probably doesn't find it welcome, but I reckon he doesn't find it meaningless, either 🙂
Didn't know exploit kits were illegal
Well, it's what you do with them that counts 🙂
In mny countries, using an exploit to run code on someone's PC without their authorisation is certainly an offence – unauthorised access, unauthorised modification, etc.
I suspect exploit kits themselves are not illegal (Metasploit certainly isn't, for instance), but their use in criminal activities certainly is.
The same can be said for almost any tool.
I haven't read any other articles about these arrests yet, but it would be interesting to know precisely what charges were brought against the people involved.