The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.
An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October 2012, security researchers began noticing that a new exploit pack called Cool Exploit Kit was showing up repeatedly in attacks from “ransomware,” malicious software that holds PCs hostage in a bid to extract money from users.
“Kafeine,” a French researcher and blogger who has been tracking the ties between ransomware gangs and exploit kits, detailed Cool’s novel use of a critical vulnerability in Windows (CVE-2011-3402) that was first discovered earlier in the year in the Duqu computer worm. Duqu is thought to be related to Stuxnet, a sophisticated cyber weapon that experts believe was designed to sabotage Iran’s nuclear program.
About a week after Kafeine highlighted the Duqu exploit’s use in Cool, the same exploit showed up in Blackhole. As Kafeine documented in another blog post, he witnessed the same thing happen in mid-November after he wrote about a never-before-seen exploit developed for a Java vulnerability (CVE-2012-5076) that Oracle patched in October. Kafeine said this pattern prompted him to guess that Blackhole and Cool were the work of the same author or malware team.
“It seems that as soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole,” Kafeine said in an interview with KrebsOnSecurity.
As detailed in an excellent analysis by security firm Sophos, Blackhole is typically rented to miscreants who pay for the use of the hosted exploit kit for some period of time. A three-month license to use Blackhole runs $700, while a year-long license costs $1,500. Blackhole customers also can take advantage of a hosting solution provided by the exploit kit’s proprietors, which runs $200 a week or $500 per month.
Blackhole is the brainchild of a crimeware gang run by a miscreant who uses the nickname “Paunch.” Reached via instant message, Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month.
At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum. Not long after Kafeine first wrote about Cool Exploit Kit, an associate of Paunch posted a message to a semi-private cybercrime forum, announcing that his team had been given an initial budget of $100,000 to buy unique Web browser exploits, as well as information on unpatched software flaws. Here is a portion of that post, professionally translated from Russian: