The researcher, known as Kafeine, wrote in a blog post that the use of the Blackhole hack tool has almost completely ceased, reporting he has not seen a new variant or system update for the exploit kit in weeks. The news comes less than six weeks after Russian police arrested a man believed to be the author of the exploit kit.
In its heyday Blackhole was the most commonly used exploit kit in the world. Security firm F-Secure estimated that Blackhole accounted for 27 percent of the exploit kit market in March. Exploit kits are publicly traded hack tools that let criminals automatically mount a variety of cyber scams and attacks.
In the past the Blackhole exploit kit has been
linked to numerous phishing scams that sent malware-laden messages
claiming to come from legitimate companies, such as the BBC and CNN.
Before Paunch's arrest the Blackhole kit received a constant stream of
updates designed to let it target newly discovered vulnerabilities.
FireEye malware research engineer Josh Gomez told V3
the rapid decrease in Blackhole usage is likely due to the lack of new
vulnerability updates. "Blackhole's curator (Paunch) is no longer
actively maintaining the exploit kit since his arrest. We see the drop
in activity and it correlates to the timeframe of his arrest," he said.
"The Blackhole and Cool exploit kits were
typically rented and leased, allowing the author to keep tighter control
over the framework and offer an enhanced level of service or
customisation to customers. With his removal from the exploit kit
marketplace, Blackhole customers will find themselves needing to switch
to other exploit kits as current Blackhole services expire or are
dismantled."
Gomez said it is likely that a new criminal
group will fill the gap and release a new exploit kit. "While we don't
know of any specific groups picking up where Blackhole left off, it has
left a void that is sure to be filled by other exploit kits or copycat
authors who want to capitalise on the opportunity to bring new crimeware
tools to the marketplace," he said.
Global technical consultant at Damballa and
ex-Scotland Yard cybercrime unit detective Adrian Culley mirrored
Gomez's sentiment, arguing that it will only be a matter of time before a
new kit appears.
"Fighting the source of malware is much like trying to slay the mythical Hydra, for each head you cut off, two more will grow in its place. Given the difficulties in indexing the web, and seeing what exactly lies behind html pages, it is highly unlikely that this is the last we have seen of this malware. The dark web is like dark matter, we know it's there, but it's very hard to say exactly where, and what the dark data consists of," he said.
"Fighting the source of malware is much like trying to slay the mythical Hydra, for each head you cut off, two more will grow in its place. Given the difficulties in indexing the web, and seeing what exactly lies behind html pages, it is highly unlikely that this is the last we have seen of this malware. The dark web is like dark matter, we know it's there, but it's very hard to say exactly where, and what the dark data consists of," he said.
These comments mirror past criminal behaviour
patterns following an exploit kit author's arrest. A similar pattern
occurred earlier this year when a man believed to have created the Phoenix exploit kit was arrested.
No comments:
Post a Comment