Blackhole Exploit Kit Successor Years Away
msm1267 writes "The Blackhole Exploit Kit has been out of commission since October when its alleged creator, a hacker named Paunch, was arrested in Russia. The kit was a favorite among cybercriminals who took advantage of its frequent updates and business model to distribute financial malware to great profit. Since the arrest of Paunch, however, a viable successor has yet to emerge--and experts believe one will not in the short term. This is partially the reason for the increase in outbreaks of ransomware such as CryptoLocker as hackers aggressively attempt to recover lost profits."
What? (Score:4, Funny)
This isn't a story about wormholes and warp drive? It's just a story about hackers?
What a gyp!
Re: (Score:1, Offtopic)
Re: (Score:1)
So you don't like the fact that I used the word "gyp," but you feel free to use "crap", and impose a racial context? I don't consider "wiktionary" an authoritative reference, and even then that definition contains caveat and uncertainty. Other far more authoritative references don't burden that word so. Feel free to pester someone else or I may become niggardly in my civility for a time. (I suggest you look that one up too.)
Re: (Score:2)
This isn't a story about wormholes and warp drive? It's just a story about hackers?
IMHO, the title of the article should have been "Blackhole Exploit Kit Successor Light years Away".
Re: (Score:2)
In Wales, does someone welsh on a bet?
Re: (Score:1)
Not without Dutch courage. ;)
Re: (Score:2)
Hmmm...never thought of that one. I've usually seen it spelled 'welch.'
Re:What? (a gyp) (Score:2)
Re: (Score:2)
And you both need to get over it. English has only descriptive dictionaries, not prescriptive ones; anyone can assign any meaning to a word they like. I think from context it'd be pretty unlikely the ggp post was implying anything racial. Irrespective of the etymology, "gyp" is used commonly today to simply mean a cheat of some kind, long separated from any disparaging racial stereotype; quite honestly the best way to get these racial stereotypes to go away is to stop finding reasons, or rather excuses, to get al
Re: (Score:2)
And you both need to get over it. English has only descriptive dictionaries not prescriptive ones, anyone can assign any meaning to a word they like.
The English language is not Fortran, where we should just redefine the value of four because we thought it'd be hip and cool. Language only works when people agree on what the words mean. So yes, anyone can assign any meaning to a word... but everyone else will (rightly) look at them as a dumb bastard who should be beaten to death slowly with a dictionary... and possibly the Chicago Style Manual too, because beating knowledge into people is a time-honored tradition amongst people who feel their IQ points sl
Re: (Score:2)
You're using "hip and cool" and "Fortran" in the same sentence?
Re: (Score:2)
That's etymology, not definition. There's a difference. Is the English language awful or awesome?
Won't need to (Score:2)
Come 90 days, when 30% of all computers [neowin.net] get death by 1,000 fire ants with exploits all at once.
Especially since MSE won't save these users either [neowin.net].
Popcorn time, or an oh shit time if the internet potentially goes offline due to 260,000,000 infected bots.
Re: (Score:2)
Re: (Score:1)
... 1,000 script kiddies with XP 0 day exploits
Re: (Score:2)
Script kiddies run it, but a hacker created it.
Re: (Score:1)
A cracker is a hacker who specializes in security.
Years Away? I call Shenanigans (Score:5, Insightful)
Let's face it, these professional exploit writers are not "years away" from their next great product. They don't stand idly by thinking they are winning. They continue to develop and hone their craft.
These new 'crypto locker' products are problematic and are going to wreak a lot of havoc on people. And while we security folks are battling the latest lock schlock the exploiteers are just waiting for us to get a handle on things so they can throw us the next curveball.
And let's not forget that the end of support for XP is coming in April. Whatever they have been holding back for XP's independence will show up soon after Microsoft finally sets XP adrift on an ice raft.
Re:Years Away? I call Shenanigans (Score:5, Insightful)
Re:Years Away? I call Shenanigans (Score:5, Insightful)
It certainly won't get Grandma to update her Windows XP box. "You mean the emails and internets machine? I don't do anything with that."
A million zombies strong - and growing.
Re: (Score:1)
A million zombies strong - and growing.
Yes, and we should shame Grandma because she can't afford to plop down several grand on a Windows 8 license, new computer, and internet connection on her fixed income which barely pays for her medications and food. That seems legit.
Hey, asshole -- here's the reality: Most of those "zombie" machines aren't because Grandma is being a bitch, but because Microsoft and other vendors are. It's called forced obsolescence. I can still drive a Model T on the highway; the infrastructure hasn't changed. Computers can
Re: (Score:2, Insightful)
Yes, and we should shame Grandma because she can't afford to plop down several grand on a Windows 8 license, new computer, and internet connection on her fixed income which barely pays for her medications and food. That seems legit.
Ah, it is good to see that you are back with your outlandish statements and disproportionate replies to innocuous statements.
Re: (Score:2)
Heck, what if it is Apple land? You can get a good Mac for a lot less than "several grand", although you can indeed spend that much if you like. (Besides, if she's doing Internet and email only, try her on Linux Mint. It's going to be easier to adapt to than Windows 8.1.)
Re: (Score:2)
I can still drive a Model T on the highway;
If it's a "classic car" they let you just ignore all the safety standards? And would it run on unleaded?
Re: (Score:2)
I asked out of curiosity, man. Geez.
Re: (Score:2)
I can still drive a Model T on the highway;
If it's a "classic car" they let you just ignore all the safety standards?
Yes, actually. If the original vehicle didn't have air bags, seat belts, turn signals, etc., you're not required to have them. I think if you could find a vehicle that were made without headlamps it would be illegal to drive it at night, and if it couldn't manage the minimum speed you couldn't drive it on the freeway, but mostly you can just ignore all the safety standards implemented after the vehicle was made.
And would it run on unleaded?
They'll all run on unleaded, but there can be problems, mostly with overheated valves that fuse a
Re: (Score:2)
I wasn't blaming Grandma. I'm simply pointing out reality: a lot of boxes are never going to be updated by their owners because they don't see the need. Asking them to see the need will get you nowhere, too.
I'm with you: it's not her fault. But somehow we have to deal with this. And Microsoft is walking away from the problem they caused.
Re: (Score:2)
MS should put a pop up mentioning EOL for several weeks for home users.
Grandma doesn't go to slashdot.org and how should she know?
Re: (Score:2)
Yeah I am sure Ford would be happy to give you free model T parts that wear out for life FOREVER!
My Android got EOL just 2 years after I bought it for $700 (the same cost as Grandma's computer). Don't tell me MS is the all sooo horrible and mean bad guy because after a mere 13 years people will have to stop relying on free updates for an OS that was made for dialup and AOL where security meant blocking a port with a good password and nothing more.
Sure your employer (a very cheap financial institution) may n
Re:Years Away? I call Shenanigans (Score:4, Insightful)
Let's face it, these professional exploit writers are not "years away" from their next great product.
And also don't forget - a *truly* great exploit kit is completely unknown to security researchers and the press. Once its existence is known, it becomes much less useful.
Re: (Score:2)
Let's face it, these professional exploit writers are not "years away" from their next great product.
And also don't forget - a *truly* great exploit kit is completely unknown to security researchers and the press. Once its existence is known, it becomes much less useful.
I don't think that follows. Access by security researchers to the latest version of the kit, so they can analyze it and include countermeasures in the operating systems it attacks, that makes it much less useful. But mere knowledge of its existence doesn't damage its utility, and may enhance its saleability.
Re:Years Away? I call Shenanigans (Score:5, Informative)
If you bothered to read the article, you'd note that in the first two paragraphs they mention that they are arguing not that there won't be any replacements available for a few years, but that it will take a few years for one of the many alternatives to rise to dominance.
Re: (Score:1)
Well, "dominance" is not all it's cracked up to be. With several different complex exploit kits out there the security industry will have to focus on all of them at once which serves to "divide and conquer" those trying to stop the spread of these malicious offenders.
Many battles on many fronts is not good for the white hats.
Re: (Score:1)
What needs to be done is not to focus on the rootkit exploits, but to focus on the security holes. Lock those down, and it doesn't matter what the bad guys do, exploit-wise.
In my experience, what serves up malware the most are ad sites. Slapping on AdBlock and NoScript does far more (in my experience) for security than any AV utility (except Malwarebytes because it actually blocks by IP address) has ever done. The people who run the ad servers seem to not give a shit about security, and it affects everyo
Re: (Score:2)
Re:Years Away? I call Shenanigans (Score:5, Interesting)
IMHO, what we have seen in the CryptoLocker game is just the beginning. We have close to a perfect storm here -- Bitcoin being a currency that is easy to use no matter where one is, provided Internet access is obtainable [1]. For the most part, security is a joke because people/businesses either don't care, view it as having no ROI, or just view it as something that will happen to "the other guy." Unlike incoming Internet connections, which will get stopped by at the minimum a perimeter firewall, the untrusted code on an external web page makes it well into the depths of a company. Most companies might have something to block the nudie pics, or use a device to force all SSL transactions to go through a transparent listening/MITM proxy (BlueCoat for example), but usually that is the extent of how far they go. Blocking suspect malware IP addresses tends to be rare unless a company is on top of their game.
With this in mind, it might take a single browser or add-on weakness for an organization to get malware deployed. Since most Web browsers run as the user, it means the malware usually ends up with a full unlimited user context. Barring Web based malware, there is always the good old fashioned "foo.pdf .exe" Trojan.
CryptoLocker is just version 2.0 (v1.0 being the early ransomware with an easily factored key being the same, or a flimsy encryption algorithm.)
I can see RansomWare 3.0, if it manages to get root/Administrator authority, installing a low level driver. It will encrypt files, and backup programs will back up the encrypted stuff (a la Microsoft's EFS), but the user won't know because the driver will allow reading/writing for a period of time. Then, after a cutoff date, the private key is wiped, and the driver is dropped from the system. This not just encrypts the files that are accessible, but it also ensures that recent backups will be completely and utterly useless for restores. The private key can also just never be stored on disk, and quietly fetched from the malware owner's website every time the machine reboots.
To boot, the software will detect where the software is installed and base the ransom on where it is located. If a police station, the demand to release all prisoners in the county jail can be made. A government office means that the criminals can demand someone be fired. At the extreme, if the files locked up are valuable enough, the organization can demand an execution of someone they don't like.
Now the question -- how can we prevent this? Well, it costs money. Someone can invent software that can check backups and detect files that were encrypted, but in reality, it means RansomWare 3.1 will just encrypt the file in a valid .doc, .xls, or other format. It will take keeping a round of backups for a long time. It will take better heuristics so an AV utility [2] can detect some process fiddling over time with files and stop it. It might even require machines be rebooted from offline media and scanned in that condition, and instead of a scan looking for anything out of the ordinary, the reverse happening -- a scan looking for anything that isn't a signed binary or valid Registry entry in order to find rootkits (assuming ones that just don't exist in RAM.) It might even require a new computer architecture with a hypervisor that can suspend the entire machine, then scan the RAM image and the disk every so often.
[1]: BitCoin isn't anonymous, but there are a growing number of "wallet mixing"/laundering services popping up. I'm sure a lot of them likely will just make off with any coins they get (a "100% commission"), but even if a fraction of the haul gets handed to the person coming up to the table, it can still be a good haul for the person trying to launder.
[2]: AV utilities tend to be a joke, but we can hope they might do the job.
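The comment above suggests software that checks backups for files that were quietly encrypted, and then notes that a "3.1" variant wrapping the ciphertext in a valid-looking document format would defeat a naive check. The script below is an added example (not the commenter's code) of that defender-side check and of exactly where it falls short: the signature table, threshold and sample backup set are constructed for this illustration.

```python
import math
import os
import random
from typing import Dict, List, Tuple

# Leading bytes of a few common formats (real values; this table is the example's own).
SIGNATURES: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}
# Formats that should read as text; a near-random byte distribution is a red flag here.
PLAINTEXT_EXTS = {".txt", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'magic-mismatch' or 'high-entropy' for one backed-up file."""
    ext = os.path.splitext(name)[1].lower()
    sig = SIGNATURES.get(ext)
    if sig is not None and not data.startswith(sig):
        return "magic-mismatch"
    if ext in PLAINTEXT_EXTS and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "ok"

def scan_backup(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """List (name, reason) for every file that does not look like its extension claims."""
    return [(n, r) for n, d in files.items() if (r := classify(n, d)) != "ok"]

# Constructed sample backup set: deterministic pseudo-random bytes stand in for ciphertext.
_rng = random.Random(7)
_cipher = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_BACKUP = {
    "ledger.csv": b"date,amount\n2013-12-01,42.00\n" * 100,  # genuine plaintext
    "notes.txt": _cipher,                                    # encrypted in place
    "report.docx": _cipher,                                  # header overwritten too
    "wrapped.docx": SIGNATURES[".docx"] + _cipher,           # "3.1" style: valid-looking wrapper
}

if __name__ == "__main__":
    for name, reason in scan_backup(SAMPLE_BACKUP):
        print(f"{name}: {reason}")
```

Compressed container formats (docx, png, zip) are high-entropy by design, so the entropy test is limited to plaintext extensions; the wrapped.docx case passes unflagged, which is why a real checker would have to parse the container rather than trust its first bytes.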
Re: (Score:2)
You have a creative mind, but this has already been solved by non-persistent disks.
Re: (Score:2)
You have a creative mind, but this has already been solved by non-persistent disks.
If your files and backups have been transparently encrypted for 6 months to a year, that will not help you one bit. The key was on a malware server, and only copied to RAM, so your backup has no copy of the key. Your backups and offline disks newer than a year (or as long as the ransom folks care to wait) are all encrypted.
installing a low level driver. It will encrypt files, and backup programs will back up the encrypted stuff (a la Microsoft's EFS), but the user won't know because the driver will allow reading/writing for a period of time.
In the enterprise, incremental datastore backups as with PHDvirtual would save pre-infection data as long as your backup retention is long enough but the damage would still be severe. Usin
Re: (Score:2)
You are still way off base. Changes made to a VM with a non-persistent disk are not written to the disk itself. They are written to a temp file and then discarded when the VM is powered off.
The ransomware that you describe cannot persist across reboots. It can encrypt the hell out of the entire VM, and there will be a large encrypted temp file created, but that file will be dumped as soon as the VM reboots.
http://virtualization-tips.blogspot.com/2013/01/persistent-and-non-persistent.html
Re: (Score:2)
It strikes me that the solution is virtual disposable machines. Most advanced malware won't run on a virtual machine, in order to make reverse engineering difficult, and the data can be continuously verified from the outside, and data is stored on devices using a separate OS. If a file with a well-known extension suddenly appears encrypted then you know something's afoot and catch things right away.
Really? (Score:1)
One person? All the crime?
Sweet Memories (Score:2, Interesting)
When I was young and naive, and my worst worry was the Back Orifice from The Cult of the Dead Cow. :-)
Re:Sweet Memories (Score:4, Funny)
I once ran a back orifice honeypot (fakebo) :) It was fun. The 'hackers' who took the bait would spend hours poking around in a virtual back orifice server. Some of them figured out it was a honeypot and left little messages for me ranging from "YOU BASTARD YOU MADE ME WASTE 2 HOURS OF MY LIFE!" to "Wow I finally figured out that this was a honeypot, very cool!"
Re: (Score:1)
The Cult of the Dead Cow. ..... now that's a name I've not heard in ages.
Blackhole Exploit Kit Successor (Score:1)
is already underway. You just don't know it yet.
Not Hackers (Score:4, Insightful)
Re: (Score:3, Funny)
People who do this aren't hackers, they're degenerate criminals.
What exactly is a generate criminal, and how do they differ from degenerate criminals?
Re:Not Hackers (Score:4, Interesting)
What exactly is a generate criminal, and how do they differ from degenerate criminals?
Go to any parliament, or any of the Presidential/Prime Minister offices and you will find them.
But of course, they are worse than their degenerate counterparts.
Yes. But it is the regenerate criminal you should fear. Computing is almost to the point where a bot net can be host to more CPU cycles than required for sentience. One species' atrocity is another's way of life.
Re: (Score:3)
Re: (Score:2)
"They chopped off his hands and feet and rolled him into the bog."
"They pick pretty hard around here..."