Blackhole Exploit Kit Successor Years Away

msm1267 writes "The Blackhole Exploit Kit has been out of commission since October when its alleged creator, a hacker named Paunch, was arrested in Russia. The kit was a favorite among cybercriminals who took advantage of its frequent updates and business model to distribute financial malware to great profit. Since the arrest of Paunch, however, a viable successor has yet to emerge--and experts believe one will not in the short term. This is partially the reason for the increase in outbreaks of ransomware such as CryptoLocker as hackers aggressively attempt to recover lost profits."

Sweet Memories

[Lisias]

When I was young and naive, and my worst worry was the Back Orifice from The Cult of the Dead Cow. :-)

Re:Years Away? I call Shenanigans

[mlts]

IMHO, what we have seen in the CryptoLocker game is just the beginning. We have close to a perfect storm here -- Bitcoin being a currency that is easy to use no matter where one is, provided Internet access is obtainable [1]. For the most part, security is a joke because people/businesses either don't care, view it as having no ROI, or just view it will happen to "the other guy." Unlike incoming Internet connections which will get stopped by at the minimum, a perimeter firewall, the untrusted code on an external web page makes it well into the depths of a company. Most companies might have something to block the nudie pics, or use a device to force all SSL transactions to go through a transparent listening/MITM proxy (BlueCoat for example), but usually that is the extent of how far they go. Blocking suspect malware IP addresses tends to be rare unless a company is on top of their game.

With this in mind, it might take a single browser or add-on weakness for an organization to get malware deployed. Since most Web browsers run as the user, it means the malware usually ends up with a full unlimited user context. Barring Web based malware, there is always the good old fashioned "foo.pdf .exe" Trojan.

CryptoLocker is just version 2.0 (v1.0 being the early ransomware with an easily factored key being the same, or a flimsy encryption algorithm.)

I can see RansomWare 3.0, if it manages to get root/Administrator authority, installing a low level driver. It will encrypt files, and backup programs will back up the encrypted stuff (a la Microsoft's EFS), but the user won't know because the driver will allow reading/writing for a period of time. Then, after a cutoff date, the private key is wiped, and the driver is dropped from the system. This not just encrypts the files that are accessible, but it also ensures that recent backups will be completely and utterly useless for restores. The private key can also just never be stored on disk, and quietly fetched from the malware owner's website every time the machine reboots.

To boot, the software will detect where the software is installed and base the ransom of where it is located. If a police station, the demand to release all prisoners in the county jail can be made. A government office means that the criminals can demand someone be fired. At the extreme, if the files locked up are valuable enough, the organization can demand an execution of someone they don't like.

Now the question -- how can we prevent this. Well, it costs money. Someone can invent software that can check backups and detect files that were encrypted, but in reality, it means RansomWare 3.1 will just encrypt the file in a valid .doc, .xls, or other format. It will take keeping a round of backups for a long time. It will take better heuristics so an AV utility [2] can detect some process fiddling over time with files and stop it. It might even require machines be rebooted from offline media and scanned in that condition, and instead of a scan looking for anything out of the ordinary, the reverse happening -- a scan looking for anything that isn't a signed binary or valid Registry entry in order to find rootkits (assuming ones that just don't exist in RAM.) It might even require a new computer architecture with a hypervisor that can suspend the entire machine, then scan the RAM image and the disk every so often.

[1]: BitCoin isn't anonymous, but there are a growing number of "wallet mixing"/laundering services popping up. I'm sure a lot of them likely will just make off with any coins they get (a "100% commission"), but even if a fraction if the haul gets handed to the person coming up to the table, it can still be a good haul for the person trying to launder.

[2]: AV utilities tend to be a joke, but we can hope they might do the job.

Re:Not Hackers

[VortexCortex]

What exactly is a generate criminal, and how do they differ from degenerate criminals?

Go to any parliament, or any of the Presidential/Prime Minister offices and you will find them.

But of course, they are worse than their degenerate counterparts.

Yes. But it is the regenerate criminal you should fear. Computing is almost to the point where a bot net can be host to more CPU cycles than required for sentience. One species' atrocity is another's way of life.