Evidence is mounting that the head salesperson and self-styled author of the Internet’s hugely successful Blackhole Exploit Kit, ‘Paunch’, has been arrested by Russian police.
So far the evidence is circumstantial [see update below], such as the complete disappearance of the Russian-hosted crypt.am service used to encrypt its distribution and the fact that a particular malicious Java applet associated with its workings has not been updated for four days.
As researchers have noted, this is usually updated once or twice a day so the lull is unusual.
“This may very well be the last update we see, unless somebody picks up the torch,” said Jerome Segura of US antivirus firm, Malwarebytes in a blog post.
In the absence of hard facts, rumour has filled the vacuum, with security researchers ‘Kafeine’ and Maarten Boone of Dutch security firm Fox-IT reporting Paunch’s arrest in tweets that caught the attention.
However, Kaspersky Lab’s chief security expert Aleks Gostev tweeted his support for the arrest thesis. “Some of my sources just confirmed arrest of #BlackHole author. Sorry, no more details yet,” he said.
Criminals appeared to know something was afoot, with the Reveton malware moving its distribution from the Cool Exploit Kit (also said to be the work of Paunch) to the more recent and rival Whitehole Exploit Kit.
If the Blackhole Exploit Kit is offline for now, the short-term effects could be significant, since it is the market leader in the space.
“This would be a major event in the exploit kit business, one that could trigger a chain reaction leading to more arrests and disruption. We can’t wait to hear the official news as well as if other gangs have been caught,” suggested Segura.
“In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon.”
Blackhole first appeared in version 1.0.0 in August 2010, and version 2.0 appeared to some fanfare a year ago. Since then it has established itself as an entire crimeware platform, undoubtedly the most complete created up to that point. Its popularity is down to its ability to automate and industrialise complex procedures, including the use of software exploits in attacks.
Probably its biggest innovation has simply been its business model, based on leasing rather than sale. Significant volumes of today’s malware attacks depend on it, which makes its disappearance extremely important if it is confirmed.
Update: A source at Europol confirmed the arrest to TechWeekEurope without giving further details.