Demise of Blackhole Created Only a Temporary Vacuum in Exploit Kit Incidents

Blackhole had become the exploit kit of choice for cybercriminals. But the arrest of its author threw the malware industry into disarray

This latest Silversky report introduces a new analysis: the most compromised institutions, broken down by type of institution and categorized as small, medium or large. Overall, incidents in the second half of 2013 were slightly down on the first half: the proportion of customers suffering at least one incident fell from 47% to 42%. The detail, however, shows that credit unions suffered the most security incidents, occupying five of the top six positions; one medium-sized credit union alone suffered 42 separate incidents during the six-month period.

The month-by-month picture is different. "In the second half of the last year, we observed a dramatic (but temporary) drop in incidents," notes the report. From July to September the number of incidents declined, but by December it had climbed back above the July figure. The December high is probably partly seasonal; the September low coincides with the arrest of Paunch, the author of the Blackhole exploit kit.

Blackhole had become the exploit kit of choice for cybercriminals. But the arrest of its author threw the malware industry into disarray. Silversky's analysis shows that Blackhole incidents among its users tumbled from the number one position in the first half of 2013 to the number nine position in the second half. But it also shows that both nature and cybercrime abhor a vacuum; and as the Blackhole threat dwindled, others increased.

From being responsible for just 4% of incidents and absent from the top ten in the first half of the year, the ZmEU vulnerability scan threat jumped to the #1 position in the second half, responsible for 30% of all incidents. Darkleech remained in the #2 spot, although Darkleech incidents fell from 10% to 4% of the total. Other increasing threats included Andromeda C&C (4%), CryptoLocker (2%), ZeroAccess Rootkit C&C (2%) and Pony Loader C&C (2%).
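The report counts ZmEU vulnerability scans as incidents but does not say how it recognises them. As an added illustration (not code from the report or from Silversky), the following Python script shows the kind of detection logic a web-server owner can run over access logs to spot this class of scanner. The indicators it uses are assumptions: the ZmEu scanner is widely documented as announcing itself in the User-Agent header and as probing phpMyAdmin setup scripts, and the sample log lines are constructed for the example using reserved documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# client - user [time] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators (assumptions for this example, not taken from the report):
# the scanner's self-identifying User-Agent and the phpMyAdmin-style
# paths it is known to probe.
SCANNER_UA_TAGS = ("zmeu",)
PROBE_PATH_SIGNATURES = ("phpmyadmin", "/pma/", "scripts/setup.php", "w00tw00t")

# Constructed sample log (not real traffic); 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2013:10:01:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 213 "-" "ZmEu"
203.0.113.7 - - [12/Dec/2013:10:01:03 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 213 "-" "ZmEu"
203.0.113.7 - - [12/Dec/2013:10:01:04 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 213 "-" "ZmEu"
198.51.100.20 - - [12/Dec/2013:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.5 - - [12/Dec/2013:10:03:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"
"""


def classify(entry):
    """Return the list of indicator names that match one parsed log entry."""
    reasons = []
    ua = entry["ua"].lower()
    if any(tag in ua for tag in SCANNER_UA_TAGS):
        reasons.append("scanner user-agent")
    path = entry["path"].lower()
    if any(sig in path for sig in PROBE_PATH_SIGNATURES):
        reasons.append("probe path")
    return reasons


def detect_scans(log_text, min_probes=2):
    """Aggregate suspicious requests per client IP.

    A client is reported if it used a known scanner User-Agent at all, or if
    it hit at least `min_probes` probe paths (a single 404 on /phpmyadmin/
    from a browser is too weak a signal on its own).
    """
    per_ip = defaultdict(lambda: {"probes": 0, "reasons": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crash
        entry = m.groupdict()
        reasons = classify(entry)
        if not reasons:
            continue
        rec = per_ip[entry["ip"]]
        rec["probes"] += 1
        rec["reasons"].update(reasons)
        rec["paths"].add(entry["path"])
    return {
        ip: rec
        for ip, rec in per_ip.items()
        if "scanner user-agent" in rec["reasons"] or rec["probes"] >= min_probes
    }


if __name__ == "__main__":
    for ip, rec in detect_scans(SAMPLE_LOG).items():
        print(f"{ip}: {rec['probes']} probe(s), {sorted(rec['reasons'])}, {sorted(rec['paths'])}")
```

Run against the constructed log, the script reports 203.0.113.7 (three probes and a scanner User-Agent) and ignores 192.0.2.5, whose single /phpmyadmin/ request stays below the threshold; lowering `min_probes` to 1 would surface it as well, at the cost of more noise from curious humans.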

The last three of these threats were absent from the first-half top ten; together with ZmEU they filled the gap left by Blackhole. CryptoLocker is worth noting because it is a standalone piece of malware rather than an exploit kit. "This piece of ransomware surfaced in September 2013," explains the report, "and has become rapidly more prevalent. It typically spreads via spam emails containing malicious attachments. CryptoLocker uses a public key to encrypt files on local disks, network shares and USB devices. The corresponding private key is stored on a command & control (C&C) server and is under the attackers' control. Victims must pay the attacker with cyber-currency, such as Bitcoin or MoneyPak, to retrieve the private key to decrypt files – typically a few hundred dollars."

The message that these statistics give to the security industry is that it cannot rely on law enforcement to contain cybercrime and cybercriminals. The arrest of Paunch and the demise of Blackhole certainly had a dramatic effect on cybercrime incidents – but it was only a temporary effect. Criminals rapidly switched to alternative crime kits, so that by the end of the year the actual number of security incidents was higher than it had been before the Blackhole extinction.
