06:16 PM
Connect Directly

Blackshades Boss Pleads Not Guilty

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

Alex Yucel, 24, the alleged co-author of the Blackshades remote access Trojan (RAT) and owner-operator of the BlackShades organization, pleaded not guilty Thursday to multiple cybercrime charges levied against him last week as part of a major FBI sting that netted more than 90 other arrests. (BlackShades co-author Michael Hogue, a.k.a. "xVisceral," arrested in June 2012, has pleaded guilty.) If convicted, Yucel, a.k.a. "marjinz," a.k.a. "Victor Soltan," faces up to 15 years in prison -- and the evidence against him is extensive.

As described in court documents describing charges against another Blackshades employee, law enforcement has records of Yucel paying to lease computers, employee reviews he wrote, employee payment records, and chains of emails between him and an insider who turned FBI informant.

The BlackShades organization was run like a real business -- salaried staff, detailed customer lists, support teams -- and that was a key factor in both its success and its demise.

As for the malware itself (detected as WORM_SWISYN.SM), it is a very robust, very user-friendly RAT toolkit. As Symantec describes, "A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.

It can be used to log keystrokes, launch denial-of-service attacks, and download and run malware onto the affected system. It can spread via USB drives, social network accounts, or instant messages; it even automatically generates a draft of the message. It includes built-in marketplaces for buying bots and crypters.

Brian Wallace at Cyclance gives a good rundown of the malware's features, adding:

Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshade’s most commonly used “features.”

In addition to being a friendly one-stop-shop, the organization has provided professional service. Court documents state that Yucel had hired a marketing director, a website developer, and a team of customer service representatives. The malware was frequently updated. The organization had a detailed database of over 6,000 customer profiles.

It seemed that the people running BlackShades forgot that they were running an illegal operation. The $40 price tag for their product and services -- plus the fact that older versions of the software were available for free -- did not reflect the high risk of doing business. Although the low price helped make BlackShades popular, the malware wasn't terribly lucrative. Law enforcement estimates that the company made approximately $350,000 over the period from September 2011 to April 2014 -- that's only an average of $7,095 per month to split between all employees.

Although the US government arrested over 90 Blackshades employees and customers, seized more than 1,900 domain names used by Blackshades customers to control infected computers, and shut down the site used to sell the product, security experts say that the threat still exists.

Adam Kujawa, lead of the malware intelligence team at Malwarebytes, wrote today that after just a little searching he found and downloaded a freemium version of BlackShades -- not as up-to-date or feature-rich as the most recent version, but still dangerous. "So if you are wondering if an outdated version of Blackshades is even a threat," writes Kujawa, "the answer is absolutely."

On the plus side, says Kujawa, the BlackShades business was suffering a bit recently anyway. He writes:

Fortunately, the interest in Blackshades has decreased due to an array of different issues with the product. Customers are no longer trusting of the tool, not only because of the arrests but also because of bugged versions discovered that opened a backdoor onto the attackers' system, essentially turning a bad guy into just another victim.

TrendMicro researchers say that another problem BlackShades brought upon itself was that, because of its very accessible, user-friendly nature, it appealed to amateur ne'er-do-wells, enabled "entry-level cybercrime," and left itself more exposed to risk. As TrendMicro Threat Response Engineer Rhena Inocencio wrote Monday:

The scale of the arrests -- rarely have so many cybercriminals been arrested in one go -- is entirely due to Blackshades' ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

There were relatively few barriers to entry -- in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

While the Blackshades' product and services were exemplary, Yucel's failings in finance and risk management might be his undoing.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
5/30/2014 | 10:11:59 PM
Verdict and Adaptation
I will be interested to see the verdict for the owners of blackshades.

However, I believe it to be only a matter of time before this RAT source code is adapted and becomes more sophisticated. It will be renamed and will rear its ugly head once more. Malware many times seems to follow this trend, I can't see why such an easily usable software that provides all types of malicious capabilities wouldn't.
Sara Peters
Sara Peters,
User Rank: Author
6/2/2014 | 9:24:00 AM
Re: Verdict and Adaptation
@RyanSepe  I totally agree, Ryan. Someone else will pick up the mantle of Blackshades, or someone else in the biz will resurrect it or build another new user-friendly RAT. I'm glad that they had such a successful sting. Hopefully some of the charges will stick. But it's certainly not the end.
User Rank: Strategist
6/3/2014 | 10:51:48 AM
More interested in what charges will really stand up in court
This is going to be an odd one.

Blackshades is, obviously, an abomination, and despite the protestations of some of the customers, I very much doubt there is any legitimate reason for a normal person to buy such a thing.

However, I can see the same arguments would apply to (for example) lockpicks, spy cameras and dozens of other items that have few if any legitimate uses - however, absent specific laws, they have yet to make selling such things illegal (even if possession may be in many places) and I have yet to see any claims that the defendent himself actually took part in any of the illegal activity.

Absent that, holding him for conspiracy (much less having him yanked from a foreign country to do so) may turn out to be an expensive mistake.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio