Blackhole malware toolkit creator 'Paunch' suspect arrested

The alleged creator of notorious malware toolkit Blackhole has been arrested by Russian police.
Written by Charlie Osborne, Contributing Writer
Russian authorities have arrested a man believed to be the creator of the malicious software kit Blackhole.

On Tuesday, reports suggested that a suspect, known in hacking circles as 'Paunch,' was arrested by Russian police. The source is a former Russian police detective in contact with Russia's federal government.

A tweet from Maarten Boone, a security researcher at Fox-IT, a Dutch security firm, quickly took over Twitter, resulting in 24 hours of confusion and a lack of detail.

However, two pieces of evidence suggested that updates for the kit had indeed stalled.

Security researcher Kafeine, who has been tracking Blackhole, showed that while Paunch usually updates the malicious Java applet once or twice a day, nothing has been altered in over four days.

In addition, Russian service crypt.am, which is used to encrypt the Blackhole exploit kit, has been offline since the first tweet suggesting that Paunch had been arrested.

MalwareBytes also found that the same Java file is present in its own honeypot collection:

The researchers believe that this may be the last update Blackhole users are likely to see, "unless somebody picks up the torch." The first instance recorded, on 3 October at 10:52 PM PT, is below:

Path and name: %temp%\bracket-discuss_truly.jar
Size: 29253
MD5: 3478966161745cf3401b2a534523a4bc
Type: EK_Java_Exploit
Exploit URL: http://downtimeskip . biz/labels/bracket-discuss_truly.php b1ab1010aa=bab000a0abb&1abbb1a01bb010bb1=aba1baa0abba111a0
IP address: 173.254.250.214
Date: 2013-10-03-22-52-21
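As an added illustration (not from the article or from MalwareBytes), the following Python heuristic scans proxy log lines for the shape of the landing URL in the record above: query parameters whose names and values consist only of the characters a, b, 0 and 1, followed by a .jar fetched from the same host. The log format and hostnames are constructed for the example, and treating that character set as a family-wide signature is an assumption to be tuned against your own traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical proxy log format (constructed for this example):
#   <client ip> <method> <url> <http status>
SAMPLE_LOG = """\
10.0.0.5 GET http://ek-landing.example.net/labels/bracket-discuss_truly.php?b1ab1010aa=bab000a0abb&1abbb1a01bb010bb1=aba1baa0abba111a0 200
10.0.0.5 GET http://ek-landing.example.net/labels/bracket-discuss_truly.jar 200
10.0.0.7 GET http://www.example.com/search.php?q=java+update&page=2 200
10.0.0.9 GET http://cdn.example.net/app/plugin.jar 200
"""

# Tokens built only from a, b, 0 and 1, as in the exploit URL quoted in the
# record above. Assumption: the alphabet and minimum length generalise.
AB01_TOKEN = re.compile(r"^[ab01]{8,}$")


def is_blackhole_style_query(url):
    """True when at least two parameters have [ab01]-only names and values."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(params) < 2:
        return False
    return all(AB01_TOKEN.match(k) and AB01_TOKEN.match(v) for k, v in params)


def scan_proxy_log(log_text):
    """Return (client_ip, url, reason) triples for suspicious requests.

    Rule 1 flags landing pages by query-string shape; rule 2 flags a .jar
    fetched from a host that already served a flagged landing page, which
    mirrors the .php -> .jar pairing in the record above.
    """
    findings = []
    flagged_hosts = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing the scan
        client, _method, url, _status = fields
        parts = urlsplit(url)
        if is_blackhole_style_query(url):
            flagged_hosts.add(parts.hostname)
            findings.append((client, url, "ab01-pattern landing page"))
        elif parts.path.lower().endswith(".jar") and parts.hostname in flagged_hosts:
            findings.append((client, url, "jar from flagged host"))
    return findings
```

Running `scan_proxy_log(SAMPLE_LOG)` reports the first two lines and leaves the ordinary search query and the unrelated .jar download alone.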

The European Union's law enforcement agency, Europol, later confirmed the arrest of a "high-level suspected cyber-criminal," but did not give further details.

Crimeware is developed for a number of purposes -- kits like Zeus focus on creation and management of a malware payload, others control web traffic, and others focus on infecting users through web attacks -- and one example is Blackhole. The software kit is focused on "drive-by" download attacks, and allows cybercriminals to inject malware onto a personal computer by redirecting users through phishing emails or compromised websites.

Once a user visits a malicious page, the kit probes the visitor's software for vulnerabilities and exploits any it finds. Malware, including trojans, can then be downloaded onto the PC without the user's knowledge.

The kit consists of a series of PHP scripts designed to run on a web server, and the scripts are all protected with the commercial ionCube encoder. Blackhole targets a range of client vulnerabilities, with recent emphasis on flaws in Adobe Reader, Flash and Java.

Hackers can rent Blackhole for different periods of time, with an annual license costing $1500. The exploit kit was first released in late 2010, and the latest version, Blackhole 2.0, was released in 2012, taking advantage of modern vulnerabilities in commonly used software.

AVG says the Blackhole Exploit Kit is currently ranked 24th in the world of online malware, affecting 36199 websites in 218 countries.

Blackhole remains one of the most popular crimeware kits available, although competition from other developers has resulted in a slight fall in use.

Following the arrest, MalwareBytes researchers believe that criminals who are currently renting the Blackhole exploit kit are unlikely to receive updates, and eventually "the exploit and payload are going to go stale." Those who host the kit itself could make alterations to the software to keep it alive -- as long as they are skilled enough.

However, it is likely hackers will soon turn to other exploit kits, should the arrest of the man believed to be Paunch prove to be true.

Jerome Segura, senior security researcher at MalwareBytes, said the arrest of Paunch would be "a major event in the exploit kit business, one that could trigger a chain reaction leading to more arrests and disruption."

The alleged crimeware creator may not have been silent, however. Security researcher Xylitol tweeted that a message had been posted on Darkode.com from Blackhole's author account -- Paunch -- and translates as "I will never go to jail! Do not worry friends."
