Vulnerabilities / Threats
1/8/2013
02:53 PM
Connect Directly
RSS
E-Mail
50%
50%

Blackhole Botnet Creator Buys Up Zero Day Exploits

Crimeware toolkit is apparently so successful that creator been given $100,000 to shop for the latest vulnerabilities.

The gang behind the Blackhole crimeware toolkit has earned so much money from renting the malicious software that its creator has been given $100,000 to procure the best Web browser exploits and zero-day flaws.

That finding was first reported by security journalist Brian Krebs, who discovered the information in a post made on an underground, Russian-language cybercrime forum by an associate of "Paunch," the creator of Blackhole.

"We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us)," according to a translation of the post published by Krebs. "Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists)."

The Blackhole toolkit is used to infect legitimate websites with malicious code, after which the infected website can be used to launch drive-by attacks that target browser vulnerabilities and then compromise the underlying PC. From there, attackers can steal login credentials for financial websites, make the PCs serve as spam relays or press the PCs into service as part of a botnet.

[ From Muslim bank hacktivists to major hacker busts, 2012 was a busy year for security experts. See what's ahead; read 7 Top Information Security Trends For 2013. ]

Blackhole isn't available to buy. Rather, it can only be rented for about $50 per day, $700 for three months or $1,500 for one year.

Success in the crimeware toolkit market is predicated on selling -- or in the case of Blackhole, renting -- software that successfully infects as many PCs as possible in the shortest possible amount of time. Accordingly, the most successful crimeware creators tend to rapidly add exploits for the latest known vulnerabilities to their software to help their buyers or subscribers compromise more PCs, thus maximizing their potential illicit revenue.

Not surprisingly, the gang behind the Blackhole toolkit regularly updates the software to allow it to exploit the latest zero-day flaws. Last year, for example, an exploit for a Java zero-day vulnerability was added to Blackhole less than 12 hours after the bug was first detailed publicly. The severity of the flaw and as its inclusion in a crimeware toolkit -- as well as in the open source Metasploit framework -- led security experts to recommend that Java be deactivated on all PCs, pending a fix from Oracle.

Blackhole's creator, Paunch, last year told Krebs via IM that the one exploit could have been worth $100,000 if sold on the zero-day vulnerability market. As that suggests, Paunch already seemed to have a familiarity with the buying and selling of zero-day vulnerability information.

Evidence that Blackhole has been paying off handsomely for its creators comes not just from Paunch's apparent $100,000 zero-day vulnerability budget, but also from the fact that the Blackhole gang now rents not just the basic version of the crimeware toolkit, but also a $10,000 per month exploit pack called the Cool Exploit Kit, which first began appearing in October 2012. So far, the pricey exploit pack has only been used by two ransomware criminal gangs, according to researchers. In particular, one of the gangs has been launching Raveton malware attacks that lock people's PCs, then demand the user pay a fine, supposedly to the FBI or another government agency. In reality, the money goes into the criminals' coffers.

In the case of Cool, the exploit pack last year included an innovative Windows vulnerability that first appeared in Duqu, according to a French information security researcher known as "Kafeine." Duqu was reportedly the product of a U.S. cyber-weapons program, thus illustrating that yesterday's espionage tool quickly becomes the inspiration for today's cybercrime malware.

Indeed, speaking recently by phone, Bit9 CTO Harry Sverdlove warned that one side effect of government-commissioned espionage malware is that it helps criminals rapidly advance the state of the art of their own malicious code. "It raises the bar for everyone -- the techniques, if not the source code," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/9/2013 | 6:49:07 PM
re: Blackhole Botnet Creator Buys Up Zero Day Exploits
Great question. The money often leads to Russia or former Soviet satellites. At least in the case of Russia, there seems to be an agreement between authorities and cybercrime gangs--and crimeware toolkit developers--that as long as they don't attack people in Russia, and agree to do the occasional favor for the Russian government, they can operate with impunity.

--Mathew Schwartz, InformationWeek
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/9/2013 | 6:16:07 PM
re: Blackhole Botnet Creator Buys Up Zero Day Exploits
I don't understand how these guys collect their payments? Doesn't "following the money" take authorities right to the criminals? Or do they somehow collect cash payments for "rent"?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.