‘Paunch’ Arrest Puts Blackhole Hackers on Data Diet

When Russian authorities nabbed the alleged master hacker behind the Blackhole malware kit last week, they sent a shockwave through the digital underground.

As soon as news spread that Blackhole’s author, known as “Paunch,” and his partners had been arrested, the malware apparently began to suffer. Blackhole, typically updated once or twice a day, wasn’t updated for four days.

What’s more, the service used to encrypt the Blackhole kit went offline almost as soon as the first tweet about the pinch of Paunch hit Twitter.

“Paunch is a big deal,” Mikko Hypponen, chief research officer at F-Secure, told TechNewsWorld.

“According to our statistics, Paunch has been the biggest provider of exploit packs for the past two years,” he said.

“Blackhole and Cool Exploit Kit — both from Paunch — have fueled the underground economy,” added Hypponen. “Now that Paunch is off the market, we’re probably going to see a fight on who will take his place.”

Tarnished Brand

Paunch’s departure likely will hurt the Blackhole brand.

“Some of the attraction of Blackhole is the stream of updates that the author provided,” Kurt Baumgartner, a senior security researcher with Kaspersky Lab, told TechNewsWorld.

“Now that this flow has stopped, it is quite possible that other developers will not pick up the task. The kit may get stale on the shelf,” he said.

Without Paunch’s diligent attention, Blackhole’s uncanny ability to avoid scrutiny may wither.

“Blackhole is a very controlled and directly licensed kit,” observed Jim Walter, a managing director with the McAfee Threats Intelligence Service.

“Without the author’s support, ongoing updates and support will be unavailable, quickly making detection evasion ineffective and new exploits unavailable,” he told TechNewsWorld.

Weapons Bazaar

Paunch’s dedication to Blackhole is famous throughout the dark Web.

“Blackhole is the most popular exploit kit we see used by criminals by a wide margin, primarily because it is exceptionally well managed, and the owner-operator of the Blackhole service is very adept at staying up-to-date with the most recent vulnerabilities,” Alex Watson, director of security research for Websense, told TechNewsWorld.

How nimble was Paunch? New vulnerabilities — which often take software companies months to fix — typically made it into Blackhole within a week.

“If someone else takes over the infrastructure, they would need to maintain Paunch’s near-daily updates and maintain his proactive update schedule, or Blackhole will quickly lose its edge and cybercriminals will move away from it in favor of more recently updated kits,” Watson suggested.

Though news of Paunch’s arrest sparked jubilation in the security community, it was also a clarion call.

“These arrests are definitely good news,” Fraser Howard, a principal researcher at Sophos Labs, told TechNewsWorld. “Today’s malware is largely dependent upon crimeware kits and their associated infrastructure, so any law enforcement activity against the perpetrators is very welcome.”

While Paunch will be out of circulation for a while, the arms bazaar where he sold his wares will continue to operate.

“Americans must be cognizant that there is an organized community of cyberweapons merchants who have developed and sold capabilities which bypass traditional cyberdefenses,” Tom Kellermann, vice president of cyber security for Trend Micro, told TechNewsWorld.

“In today’s cyberspace, one can buy a cybergun like the Blackhole Exploit Kit on a whim,” he pointed out. “Even with this arrest, this malware will continue to exist as other developers step into the void.”

Nicking Sensitive Data From Chrome

Google’s Chrome browser may be storing sensitive data in a way that makes it easy to steal, according to Identity Finder.

Chrome was storing hot items like Social Security and bank account numbers from secure websites in several of its buffers, the firm reported.

“Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system, or simple malware,” said Aaron Titus, general counsel and chief privacy officer, in a blog post.

Google has defended Chrome’s security, however.

“Chrome is the most secure browser and offers you control over how it uses and stores data,” spokesperson Jessica Kositz told TechNewsWorld.

“Chrome asks for permission before storing sensitive information like credit card details, and you don’t have to save anything if you don’t want to,” she pointed out. “Furthermore, data stored locally by Chrome will be encrypted, if supported by the underlying operating system.”

Chrome users can protect themselves from data exposure by modifying a few of the browser’s settings, noted Identity Finder’s Titus.

“Anytime you enter a credit card number or other [personal identifying information] into a form, be sure to Clear saved Autofill form data,” he recommended. “Empty the cache and Clear browsing history from the past hour and the information you typed will be erased.”

“Alternatively,” Titus added, “disabling Autofill or using Incognito mode will protect form data.”

Breach Diary

  • Oct. 7. Google Executive Chairman Eric Schmidt, speaking at a Gartner symposium in Florida, says a significant data breach of Google would be “devastating” to the company.
  • Oct. 7. California judge rules that Hartford Casualty Insurance Co. cannot avoid coverage of two class action lawsuits seeking US$20 million in damages from a data breach at Stanford Hospital and Clinics.
  • Oct. 7. Health officials in the Peel region of Canada begin informing some 18,000 people that their personal information was lost by the municipal government when an unencrypted SD card was stolen from an employee’s car.
  • Oct. 7. St. Louis University in Missouri begins notifying some 3,000 people their healthcare information may have been compromised in a sophisticated phishing scam. There is no evidence that the perpetrators of the scam accessed any sensitive information, the university says, but it is still offering one year of free credit monitoring to those affected by the attack.
  • Oct. 8. Christopher Sykes Jr., 38, a former employee at South Carolina’s Department of Health and Human Services, pleads guilty to illegally accessing personal information of 228,000 Medicaid patients. The maximum penalty for Sykes’ crimes is 25 years in prison.
  • Oct. 8. Hope Family Health in Tennessee reports that personal information of up to 8,000 people may be compromised due to the theft of a laptop from the home of an employee in the organization’s finance department. The information was password- and fingerprint-protected but not encrypted.
  • Oct. 10. Barnes & Noble asks Illinois judge to throw out rekindled class action against the company for a security breach affecting PIN pad devices in 63 of its stores. B&N argues new lawsuit is almost identical to litigation tossed by the judge last month because those filing it lacked legal standing.
  • Oct. 11. Skype is being investigated by Luxembourg’s data protection commissioner for passing user information without their knowledge to the NSA, The Guardian reports. Microsoft, which owns Skype, could face criminal and administrative sanctions if its involvement with the NSA proves to be true.

Upcoming Security Events

  • Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros + VAT delegate/495 euros + VAT one-day pass; Discount from July 27-Sept. 27, 995 euros + VAT delegate/595 euros + VAT one-day pass; Standard from Sept. 27-Oct. 27, 1,095 euros + VAT delegate/695 euros + VAT one-day pass; On site from Oct. 28-31, 1,295 euros + VAT.
  • Oct. 29. The Economics of Cyber Crime. 11 a.m. ET. Webinar sponsored by Dark Reading. Free with registration.
  • Nov. 6. FedCyber.com Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, $100; industry, $599.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. “The Art of Exploiting Injection Flaws,” $1,800, by Oct. 24; $2,000, by Dec. 6; $2,300 thereafter. “The Black Art of Malware Analysis,” $3,800, by Oct. 24; $4,000, by Dec. 5; $4,300 thereafter. “CNSS-4016-I Risk Analysis Course,” $3,800, by Oct. 24; $4,000, by Dec. 5; $4,300 thereafter.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; After Dec. 1, $725.

John Mello is a freelance technology writer and former special correspondent for Government Security News.