Russian authorities have detained a shadowy cybercriminal known only as “Paunch,” who is responsible for unleashing Blackhole, one of the most dangerous and pervasive malware suites in the history of the Internet.
Reports of the arrest of Paunch were confirmed by the Russian police to local media and Europol, but officials have so far refused to disclose the real name of the criminal, whose activities have likely earned him millions of dollars.
Created in 2010, the Blackhole Exploit Kit infects ordinary users’ computers through one of two main techniques: either by compromising a particular legitimate website so that every visit to it covertly downloads malware onto the web surfer’s hard drive, or by luring a user into clicking a link in a spam email that leads to a fake website which does the same thing.
Once the malware is on the computer, it can harm the user in myriad ways, depending on which sub-programs are installed. The most common malware add-ons try to steal the user’s financial data from their hard drive, log all their keystrokes to capture their passwords, or trick them into paying for anti-virus software to clean up a non-existent virus.
Blackhole was updated as often as twice a day to stay one step ahead of anti-malware software, though security experts say that no new versions have appeared this week, another indication that Paunch is now behind bars.
The success of Blackhole was predicated not only on its functional versatility and its ability to avoid detection by anti-virus software, but also on an innovative business model. Paunch did not appear to use Blackhole to commit cybercrime himself. Instead he created a price plan under which Internet criminals could rent the suite, hosted on Paunch’s servers, and use it for their own purposes. Listed prices varied from $70 per day to $1,500 for a yearly subscription.
“Both Blackhole and its successor Cool have been very popular,” Mikko Hypponen, chief research officer at anti-virus firm F-Secure, told the BBC. “Users didn’t have to be very technical to operate them – there was a manual that came with them – they just had to get them running.”
Though estimates of Blackhole’s prevalence are fluid and vary between different anti-virus companies, it was undoubtedly a dominant player in the malware market starting from late 2011. At one point last year, 91 percent of all new computer infections were transmitted through the suite, according to anti-virus maker AVG, and Blackhole was responsible for nearly half the infections for 2012.
But in the copyright-averse world of illegal software, the success of Blackhole spawned a whole raft of copycats that toppled Blackhole and its less well-known successor Cool from their prime positions. Last year, Russian magazine Hacker reported that, to keep up, Paunch was offering $100,000 for fresh exploits of security flaws in popular software that would allow the program to infiltrate computers in new ways.
AVG reports on its website that Blackhole is currently only the 28th most popular malware transmitter, responsible for about 1 percent of new viruses, with Cool not even in the top 1,000 threats.
“It’s worth remembering that nature abhors a vacuum, and there would surely be other online criminals waiting to take their place, promoting their alternative exploit kits and malicious code,” prominent security expert Graham Cluley wrote on his blog.
But even if Blackhole in its current form appears to be on its way out, the arrest of a prominent malware maker, particularly in Russia, where pursuit of online criminals has historically been lackadaisical, still represents a breakthrough for the authorities, especially if his associates have been caught in the dragnet. Industry experts agree that more than two-thirds of all malware is currently produced in Russia.
“It’s a very big deal – a real coup for the cybercrime-fighting authorities, and can hopefully cause disruption to the development of one of the most notorious exploit kits the web has ever seen,” wrote Cluley.