In November, the French researcher known as Kaffeine was examining the distribution of the Reveton malware via the new Cool EK (now better known as simply Cool Exploit). “Be ready to see same kind of post for Blackhole 2.0 (or update to 2.1) soon, as chances are HUGE that Paunch is indeed behind Cool EK code,” he wrote. Paunch is the nickname used by the Blackhole author.
What has emerged, however, is not the merging of Blackhole and Cool Exploit but their separation into two distinct products serving two distinct market segments. Blackhole, notes Brian Krebs, “has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb.” Now, however, the author (Paunch) “has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.”
It would seem that Paunch has made enough money from Blackhole to fund the development and expansion of Cool Exploit. Krebs quotes an associate of Paunch posting on an underground forum: “We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations when a vulnerability is made public not because of us). Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists).”
While Blackhole can be rented from the Paunch gang for $500 per month, Paunch confirmed to Krebs that Cool Exploit will cost $10,000 per month. This will likely keep down the number of gangs using it – but Symantec has already discovered two. In its report, Ransomware: a growing menace, Symantec postulated that one of the gangs could be generating nearly $400,000 in profits per month – which makes the investment in hiring Cool Exploit, replete with weaponized 0-day exploits, an attractive business proposition. “I guess the main point here is that there's enough money in ransomware to absorb such premium prices for unpublicized exploits without blinking. Which appalls but doesn't surprise me,” ESET senior research fellow David Harley told Infosecurity.
The clear danger is that 2013 will see a huge rise in the ransomware threat on the back of Cool Exploit. Since the exploits delivering it are likely to be 0-days, defense will need to concentrate on Reveton itself and on avoiding it, rather than on Cool Exploit. “There’s a lot of generic advice on removing it [Reveton] around on the web,” comments Harley, “but a lot of it is out of date even if it was ever accurate. I'm sure that mainstream companies that offer cleaning tools will be able to offer advice if cleaning goes wrong, but personally I'd suggest contacting your AV product's support line as soon as you realize the problem, even if the support costs. It may work out cheaper than a failed removal.”