Attacks/Breaches
5/30/2014
06:16 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Blackshades Boss Pleads Not Guilty

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

Alex Yucel, 24, the alleged co-author of the Blackshades remote access Trojan (RAT) and owner-operator of the BlackShades organization, pleaded not guilty Thursday to multiple cybercrime charges levied against him last week as part of a major FBI sting that netted more than 90 other arrests. (BlackShades co-author Michael Hogue, a.k.a. "xVisceral," arrested in June 2012, has pleaded guilty.) If convicted, Yucel, a.k.a. "marjinz," a.k.a. "Victor Soltan," faces up to 15 years in prison -- and the evidence against him is extensive.

As described in court documents describing charges against another Blackshades employee, law enforcement has records of Yucel paying to lease computers, employee reviews he wrote, employee payment records, and chains of emails between him and an insider who turned FBI informant.

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

As for the malware itself (detected as WORM_SWISYN.SM), it is a very robust, very user-friendly RAT toolkit. As Symantec describes, "A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.

It can be used to log keystrokes, launch denial-of-service attacks, and download and run malware onto the affected system. It can spread via USB drives, social network accounts, or instant messages; it even automatically generates a draft of the message. It includes built-in marketplaces for buying bots and crypters.

Brian Wallace at Cyclance gives a good rundown of the malware's features, adding:

Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshade’s most commonly used “features.”

In addition to being a friendly one-stop-shop, the organization has provided professional service. Court documents state that Yucel had hired a marketing director, a website developer, and a team of customer service representatives. The malware was frequently updated. The organization had a detailed database of over 6,000 customer profiles.

It seemed that the people running BlackShades forgot that they were running an illegal operation. The $40 price tag for their product and services -- plus the fact that older versions of the software were available for free -- did not reflect the high risk of doing business. Although the low price helped make BlackShades popular, the malware wasn't terribly lucrative. Law enforcement estimates that the company made approximately $350,000 over the period from September 2011 to April 2014 -- that's only an average of $7,095 per month to split between all employees.

Although the US government arrested over 90 Blackshades employees and customers, seized more than 1,900 domain names used by Blackshades customers to control infected computers, and shut down the bshades.eu site used to sell the product, security experts say that the threat still exists.

Adam Kujawa, lead of the malware intelligence team at Malwarebytes, wrote today that after just a little searching he found and downloaded a freemium version of BlackShades -- not as up-to-date or feature-rich as the most recent version, but still dangerous. "So if you are wondering if an outdated version of Blackshades is even a threat," writes Kujawa, "the answer is absolutely."

On the plus side, says Kujawa, the BlackShades business was suffering a bit recently anyway. He writes:

Fortunately, the interest in Blackshades has decreased due to an array of different issues with the product. Customers are no longer trusting of the tool, not only because of the arrests but also because of bugged versions discovered that opened a backdoor onto the attackers' system, essentially turning a bad guy into just another victim.

TrendMicro researchers say that another problem BlackShades brought upon itself was that, because of its very accessible, user-friendly nature, it appealed to amateur ne'er-do-wells, enabled "entry-level cybercrime," and left itself more exposed to risk. As TrendMicro Threat Response Engineer Rhena Inocencio wrote Monday:

The scale of the arrests -- rarely have so many cybercriminals been arrested in one go -- is entirely due to Blackshades' ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

There were relatively few barriers to entry -- in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

While the Blackshades' product and services were exemplary, Yucel's failings in finance and risk management might be his undoing.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 10:11:59 PM
Verdict and Adaptation
I will be interested to see the verdict for the owners of blackshades.

However, I believe it to be only a matter of time before this RAT source code is adapted and becomes more sophisticated. It will be renamed and will rear its ugly head once more. Malware many times seems to follow this trend, I can't see why such an easily usable software that provides all types of malicious capabilities wouldn't.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
6/2/2014 | 9:24:00 AM
Re: Verdict and Adaptation
@RyanSepe  I totally agree, Ryan. Someone else will pick up the mantle of Blackshades, or someone else in the biz will resurrect it or build another new user-friendly RAT. I'm glad that they had such a successful sting. Hopefully some of the charges will stick. But it's certainly not the end.
McDaveX
100%
0%
McDaveX,
User Rank: Strategist
6/3/2014 | 10:51:48 AM
More interested in what charges will really stand up in court
This is going to be an odd one.

Blackshades is, obviously, an abomination, and despite the protestations of some of the customers, I very much doubt there is any legitimate reason for a normal person to buy such a thing.

However, I can see the same arguments would apply to (for example) lockpicks, spy cameras and dozens of other items that have few if any legitimate uses - however, absent specific laws, they have yet to make selling such things illegal (even if possession may be in many places) and I have yet to see any claims that the defendent himself actually took part in any of the illegal activity.

Absent that, holding him for conspiracy (much less having him yanked from a foreign country to do so) may turn out to be an expensive mistake.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?