If you think Blackhole is dangerous, watch out for Cool Exploit

08 January 2013

A new exploit kit pushing out the Reveton ransomware was noticed in the latter half of last year. Connections to Blackhole were soon revealed. Now it seems that the same gang is behind both kits.

In November, the French researcher known as Kaffeine was examining the distribution of the Reveton malware via the new Cool EK (now better known as simply Cool Exploit). “Be ready to see same kind of post for Blackhole 2.0 (or update to 2.1) soon, as chances are HUGE that Paunch is indeed behind Cool EK code,” he wrote. Paunch is the nickname used by the Blackhole author.

What has emerged, however, is not the merging of Blackhole and Cool Exploit but their separation into two distinct products serving two distinct market segments. Blackhole, notes Brian Krebs, “has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb.” Now, however, the author (Paunch) “has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.”

It would seem that Paunch has made enough money from Blackhole to fund the development and expansion of Cool Exploit. Krebs quotes an associate of Paunch from an underground forum, “We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us). Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists).”

While Blackhole can be rented from the Paunch gang for $500 per month, Paunch confirmed to Krebs that Cool Exploit will cost $10,000 per month. This will likely keep down the number of gangs using it – but Symantec has already discovered two. In its report, Ransomware: A Growing Menace, Symantec postulated that one of the gangs could be generating nearly $400,000 in profits per month – which makes the investment in renting Cool Exploit, replete with weaponized 0-day exploits, an attractive business proposition. “I guess the main point here is that there's enough money in ransomware to absorb such premium prices for unpublicized exploits without blinking. Which appalls but doesn't surprise me,” ESET senior research fellow David Harley told Infosecurity.

The clear danger is that 2013 will see a huge rise in the ransomware threat on the back of Cool Exploit. Since the exploits it delivers are likely to be 0-days, defense will need to concentrate on Reveton itself and on avoiding it, rather than on Cool Exploit. “There’s a lot of generic advice on removing it [Reveton] around on the web,” comments Harley, “but a lot of it is out of date even if it was ever accurate. I'm sure that mainstream companies that offer cleaning tools will be able to offer advice if cleaning goes wrong, but personally I'd suggest contacting your AV product's support line as soon as you realize the problem, even if the support costs. It may work out cheaper than a failed removal.”
