Russian police and a team of cybersecurity experts recently announced they had arrested the coder known as “Paunch,” the alleged author and malware kingpin behind the BlackHole exploit kit, along with 12 other affiliated individuals. The arrest appears to offer new details about the methodology behind attacks on vulnerable software and the market for zero-day vulnerabilities, Krebs on Security reported.
Inside the arrest
In a Dec. 6 announcement posted online in Russian, the Russian Ministry of the Interior, or MVD, noted that Paunch and 12 others had been arrested in October and accused of stealing money by using Trojans to access protected information such as account logins, IDG News Service reported. The announcement was accompanied by a report from Russian security firm Group-IB, which assisted with the investigation. In the report, Group-IB noted that Paunch, whose real name has not yet been released, is 27 years old and was arrested on Oct. 4 in Togliatti, a city in the region of Samara Oblast, which is near Kazakhstan.
Paunch reportedly had more than 1,000 customers and was making around $50,000 per month from his work, Krebs on Security noted. In one picture released with the report, he is shown posing with his car, a Porsche Cayenne. BlackHole is a crimeware kit that has been around since at least 2010. It is an easy-to-use kit that bundles exploits for a wide variety of browser vulnerabilities. Users could rent the kit from Paunch for between $500 and $700 per month, and for an extra $50 they could add “crypting” services designed to make the malware undetectable to antivirus software. He was also part of the team behind a higher-end exploit kit called Cool Exploit Kit, which could be rented for $10,000 per month. While the MVD estimates the earnings from BlackHole totaled around $2.3 million for Paunch and his partners, the amount of losses that can be tied to the exploit kit is likely much higher.
“I would argue that BlackHole was perhaps the most important driving force behind an explosion of cyberfraud over the past three years,” Brian Krebs wrote. “A majority of Paunch’s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.”
The zero-day market
Paunch and BlackHole are central to several important conversations currently happening in the cybersecurity world, particularly with regard to the market for zero-day vulnerabilities. The group made headlines earlier in the year by announcing a $100,000 budget for purchasing new browser vulnerabilities. And although the arrest of Paunch may be a temporary setback, the market for such software security exploits may only be growing. Krebs on Security noted that shortly thereafter, a coder affiliated with Paunch who uses the name “J.P. Morgan” announced he was increasing the exploit budget for browser vulnerabilities to $200,000. In the wake of Paunch’s arrest, J.P. Morgan announced intentions to build a new exploit kit, with a budget of $450,000 for buying browser vulnerabilities.
While the arrest of the team behind BlackHole is certainly cause for celebration among software security professionals, the revelations about the money and logistics behind such projects are cause for ongoing concern. Given the financial incentives, hackers are unlikely to abandon the search for zero-days any time soon, making it of paramount importance for developers to build better security into their products from the outset. Using tools like static analysis software, coders can catch errors early in the development process and minimize their security exposure.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.