Exploit kits, the biggest threat on the web, are being fed by whitehat security researchers

Who is feeding the Blackhole exploit kit?

The newly-published Sophos Security Threat Report 2013 reveals that web exploit kits like the notorious Blackhole exploit kit are responsible for the majority of web attacks today.

The development of such attack kits, which exploit vulnerabilities to silently infect web-browsing computers, has been interesting for computer security professionals to follow.

During the past year, my colleagues at SophosLabs and I have been following the development of the Blackhole exploit kit very closely.

One thing I have noticed is a certain lack of originality in the exploit usage of the Blackhole exploit kit.

The author of the Blackhole exploit kit seems to be more comfortable as a system integrator and web application developer than anything else, and is far from being a hardcore vulnerability researcher.

This is perhaps not a surprise. After all, segregation in the malware field leads to specialization, and it has become apparent that the exploit kits are not the place to look for originality.

This impression of mine is perfectly supported by research conducted by iSec Partners, as you can see in the following video:

The video provides a good insight into exploit kits, and is well worth a watch by anyone interested in the topic.

It turns out that the number of exploits which first appeared in the malicious exploit kits is zero.

Furthermore, only publicly disclosed, well-documented exploits end up being used in the exploit kits.

So where do these exploits come from?

iSec Partners took the vulnerabilities used by the top 15 exploit kits, and investigated the original source of the disclosure:

Developed in APT: 3
Developed by whitehats: 10
Developed by malware authors: 0

In a few cases the exploit was taken from samples of earlier field attacks, but more often, the source was the result of research by whitehat security experts.

Some might argue that this is last year’s story, as nowadays the Blackhole exploit kit dominates.

Would using the Blackhole exploit kit as a point of reference change the above picture? I don’t believe so.

The same old exploits are used by the Blackhole exploit kit, with only a couple of new zero-day exploits added, such as CVE-2012-4681 or CVE-2012-1889.

However, although the vulnerabilities were classed as zero-day at the time of addition to the exploit kit, the exploit code itself was not developed by the kit’s author.

Instead, the code was taken from publicly available samples – most visibly in the case of CVE-2012-1889, where the code was blindly copy-pasted into the exploit kit code.

To be clear: I am not against vulnerability disclosure.

Responsible disclosure helps the overall state of security. But that does not mean that we have to make life this easy for malware authors, such as those who deploy the Blackhole exploit kit.

Let’s make the bad guys work hard for their money.

I can only agree with the conclusion of iSec’s presentation: force cybercriminals to take the more expensive route.

How much money would buying a vulnerability cost? A typical Java exploit found recently is expected to be worth a five-digit sum.

The Blackhole exploit kit’s author himself claimed that using a vulnerability would cost him about $100.000 if he were to buy it.

How much money would the exploit kits’ manufacturers make? Clearly, not even close to this figure.

The last information I have is from a year ago, when Blackhole protection was restricted to use on 28 servers. This was discussed in my technical paper, “Inside a Black Hole”.


The well-coordinated update scheme observed in the Blackhole-related malware flow suggests that only one code branch was used. I would estimate the number of Blackhole licenses sold to be the same number.

Assuming the best, that they are all one-year licenses, a yearly income amounting to a five-figure sum could be estimated. Therefore even buying a single exploit would mean spending a significant amount of the venture’s yearly income.

Providing it for free, in the form of easy-to-implement proof of concept code, really means supporting the exploit kit authors.

I’d much prefer a world where people chose to support the International Red Cross or the WWF instead.
