The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.
An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October 2012, security researchers began noticing that a new exploit pack called Cool Exploit Kit was showing up repeatedly in attacks from “ransomware,” malicious software that holds PCs hostage in a bid to extract money from users.
“Kafeine,” a French researcher and blogger who has been tracking the ties between ransomware gangs and exploit kits, detailed Cool’s novel use of a critical vulnerability in Windows (CVE-2011-3402) that was first discovered earlier in the year in the Duqu computer worm. Duqu is thought to be related to Stuxnet, a sophisticated cyber weapon that experts believe was designed to sabotage Iran’s nuclear program.
About a week after Kafeine highlighted the Duqu exploit’s use in Cool, the same exploit showed up in Blackhole. As Kafeine documented in another blog post, he witnessed the same thing happen in mid-November after he wrote about a never-before-seen exploit developed for a Java vulnerability (CVE-2012-5076) that Oracle patched in October. Kafeine said this pattern prompted him to guess that Blackhole and Cool were the work of the same author or malware team.
“It seems that as soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole,” Kafeine said in an interview with KrebsOnSecurity.
As detailed in an excellent analysis by security firm Sophos, Blackhole is typically rented to miscreants who pay for the use of the hosted exploit kit for some period of time. A three-month license to use Blackhole runs $700, while a year-long license costs $1,500. Blackhole customers also can take advantage of a hosting solution provided by the exploit kit’s proprietors, which runs $200 a week or $500 per month.
Blackhole is the brainchild of a crimeware gang run by a miscreant who uses the nickname “Paunch.” Reached via instant message, Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month.
At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum. Not long after Kafeine first wrote about Cool Exploit Kit, an associate of Paunch posted a message to a semi-private cybercrime forum, announcing that his team had been given an initial budget of $100,000 to buy unique Web browser exploits, as well as information on unpatched software flaws. Here is a portion of that post, professionally translated from Russian:
Dear Ladies and Gentlemen!
Everyone is aware of the problem which exists now on the exploit market! To solve this problem, our team prepared the following exclusive program of purchasing new browser and browser plugin vulnerabilities. Not only do we buy exploits and vulnerabilities, but also improvements to existing public exploits, and also any good solutions for improving the rate of exploitation.
The “meat” of the project: We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us).
Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists).
Paunch’s team emphasized that they would not buy exploits that were already public, and that newbies to the fraud forum who nevertheless had good exploits could work with the crimeware team via an agreed-upon 3rd party.
It’s unclear how many takers Paunch is attracting to Cool Exploit Kit with its hefty price tag, but according to Kafeine and others, the new kit is being used exclusively by two different crimeware gangs. One of the gangs is using Cool to spread the Reveton ransomware that I profiled recently.
If any miscreants have the ability to pay $10,000 per month to rent an exploit pack, the gangs spreading Reveton certainly fit the bill. Symantec recently published an in-depth analysis of the ransomware scourge (PDF), and in it the company managed to gain access to a control panel used by one ransomware gang that showed the number of incoming connections to the booby-trapped sites used in the scheme. Symantec estimated that this group extorted from ransomware victims more than $30,000 per day, and likely close to $400,000 per month. This is on par with the amounts I found one ransomware operation was earning back in August 2012.
The best way to avoid ransomware and other nasties is to keep your system up-to-date with the latest security patches, and to remove software you don’t need or use. If your system does get infected with ransomware, by no means should you pay the ransom. F-Secure offers a free removal tool, and Microsoft claims its Windows Defender Offline Disc can remove most ransomware.