It’s called “Blackhole.” It is nothing more or less than a suite of malicious software tools widely used by the planet’s cyber criminals. Like legitimate software, Blackhole is regularly updated to take advantage of the most recent exploits discovered for PCs. These include a grocery list of the usual suspects when it comes to your computer’s vulnerabilities: Microsoft Windows, Internet Explorer, Flash and Java.
“Blackhole is [typically installed on] web servers that then automatically infect personal computers when users visit a tainted site,” write Jim Finkle and Joseph Menn. Once cyber criminals have found a way into your PC, they will install more specialized programs to facilitate identity theft and a kind of virtual hostage-taking, in which users are told their computer is infected with a virus and they must purchase software to clean it off.
In March, an email spam campaign targeted Android users by sending them links to infected software packages or to Blackhole exploit kits. This served as a screening method, of sorts, according to Bogdan Botezatu, quoted by Lucian Constantin in CIO. “This way, every single potential victim is carefully profiled for flaws and redirected to the appropriate infection mechanism,” Botezatu points out. “This technique could either hint that cyber criminals who deal with Windows malware are expanding their business to other platforms, or that they are actually leasing their infrastructure to cyber criminals with a particular focus on Android.”
The popularity of Android has led to more specific targeting of it by “black hat” (“bad guy”) hackers. Of all the potential exploits, however, it is Java, according to itwire, that is the “tool of choice” for cyber criminals. Peter Dinham wrote of the dangers of the Blackhole software pack back in September: “The Blackhole pack includes exploits targeting vulnerabilities in Adobe Reader, Adobe Flash Player, Oracle Java and other popular software, and because the operation of all exploit packs relies on what is essentially the same algorithm, [anti-virus firm] Kaspersky says its experts picked three Java exploits from Blackhole to illustrate the working principles of exploit packs.” Because end users typically do not hurry to update their software, cyber criminals use Blackhole’s tools to target the window between the discovery of a vulnerability and the point at which a subsequent, legitimate software patch has actually been installed on the victim’s machine.
Dinham also points out that Blackhole’s operators shield the kit from being reverse-engineered by anti-virus companies, which want to analyze it in order to defend against it. “Kaspersky researchers also uncovered a trend,” he writes, “which attackers use to prevent the exploit pack’s contents from falling into the hands of experts at anti-malware companies and other researchers. To avoid exposure, cyber criminals may ‘blacklist’ IP addresses used by research companies – such as crawlers, robots, and proxy servers – to block exploits from launching on virtual machines.”
A year ago, SecurityWeek’s Rod Rasmussen called Blackhole “a business savvy cyber gang driving a massive wave of fraud.” Rasmussen chronicled the growth of the exploit-kit technique, “now responsible for a huge portion of the phishing style spam seen today.” Phishing is the practice of soliciting users’ personal information through a variety of deceptive means for purposes of fraud and identity theft.
One of the hotbeds of hacker activity is in Russia. Russian cyber criminals are notoriously difficult to bring to justice. It was unusual, then, when on Wednesday, Russian authorities arrested a man identified only as “Paunch” (his online persona) who is believed to be Blackhole’s distributor. Whether “Paunch” will actually be convicted is immaterial. Now that he and, presumably, his software tools are in government hands, hackers have mobilized to create the next Blackhole.
Computerworld’s Jaikumar Vijayan writes that it won’t be long before another “black hat” tool takes Blackhole’s place on the world market for cyber crime. Paunch is believed to be the world’s largest source of exploit packs over the last two years. Together with Paunch’s “Cool Exploit Kit,” the Blackhole software has “fueled an underground economy in recent years,” the absence of which will produce “a fight on who will take [Paunch’s] place.”
Vijayan claims that several other exploit kits, including “Whitehole,” “Sweet Orange” and “Redkit Exploit,” are already vying to be the next big thing in the underground cyber-crime community. “Russian law enforcement authorities have yet to release a statement on [Paunch’s] arrest,” he writes, “but Troels Oerting, head of Europol’s European Cybercrime Center, told Techweek Europe that ‘I know it is true, we got some information, but I cannot say any more.’ The arrest is a big breakthrough for law enforcement and the security community in general.”
The true irony, as Rod Rasmussen puts it, is that the software development of cyber criminals like “Paunch” is not, in itself, illegal. “[H]e’s simply writing software that others then buy or rent to actually hack victims’ computers and steal from them. So while he’s perfectly aware of what people are doing with his creation, as he’s advertising its uses and actively providing customer support for it, the case against him is difficult to make and then prove in court. This means Paunch may be in business for a long time to come, and we’ll be dealing with this threat for the foreseeable future.”
The slippery nature of “black hat” criminals like Paunch, and the infrequency with which they are brought to justice, has given rise to the phenomenon of the “white hat” cyber vigilante – hackers who target other hackers in an effort to neutralize or mitigate the black-hat hackers’ malicious code. These “good” hackers are in turn targeted for retribution by the “bad” hackers, producing a cyber war that occurs below the surface of the electronic devices and the Internet infrastructure we all take for granted.
There is no escape from cyber criminals and cyber crime. As long as legitimate software developers create components of the virtual world, there will be cyber criminals seeking to exploit those components. Your only option, as a connected user, is to keep your software updated and your eyes open. You might also pray that Paunch, and every hacker like him, goes to prison for a very long time.