Sunday, December 08, 2013

Paunch and the BlackHole/Cool Exploit Kit

After months of speculation, it can now be demonstrated that the creator of the Blackhole exploit kit is in custody. As usual with all things Russian in the cybercrime world, Brian Krebs broke the story in the US with "Meet Paunch, the Accused Author of the Blackhole Exploit Kit", which provided photos of a character believed to be Paunch. These photos in turn were posted by the leading cyber investigations firm in Russia, Group-IB, which participated in the investigation with the Russian police, culminating in his arrest in the city of Togliatti on October 4, 2013.


(Image from Group-IB)

The MVD link, provided by Brian and Google Translated here, shows that a group of 13 criminals were all arrested for violation of Russia's criminal code Article 1.2.210, "the creation of and participation in a criminal organization to jointly commit one or more serious crimes". In other words, Paunch and friends have been charged with the Russian version of the RICO Act! We've just recently seen the same TYPE of law used in the US in the case of David Camez, who was charged with racketeering and conspiracy for his role in the crimes at Carder.su (he is one of 55 defendants in the case, and the first to go to trial). More on David Camez's Carder.su RICO case here.

The speculation that something might be up with Paunch began back in October. The best early coverage we had was from Charlie Osborne, who posted "Blackhole malware toolkit creator Paunch suspect arrested" over on ZDNet, based on the single tip that every other source we had was also referring to: a statement from Maarten Boone at Fox-IT in the Netherlands.

At the time of the ZDNet article, October 9th, Charlie quoted AVG as saying that "the Blackhole Exploit Kit is currently ranked 24th in the world of online malware, affecting 36,199 websites in 218 countries." The same link provided in that article now shows the Blackhole Exploit Kit ranked 161st, down from position 132 on the list last week. To check the current status, use this link: AVG Info on Blackhole Exploit Kit.

Paunch posted updates about his malicious code as recently as September 2013 on Exploit.in (sorry, login required!). As usual, the authors shamelessly listed their contact information, which of course led to their downfall:

Our contacts:
Author and support in one person (time normalized):
JID: paunch@jabber.no
JID: paunch@thesecure.biz
JID: paunch@neko.im
ICQ: 343002

Support (available from 9 to 19 on weekdays)
JID: blackhole2@jabber.ru
ICQ: 530082

The pricing at the time was given as:

happy to announce that prices have remained the same:
Rent on our server:
- Day rental - $50 (traffic limit 50k hits)
- Week rental - $200 (traffic limit 70k hits a day)
- Month lease - $500 (traffic limit 70k hits a day); if needed, the traffic limit can be increased for an additional fee

License on your server:
- License for 3 months - $700
- Half-year license - $1,000
- Year license - $1500
- Multi-domain version of the bundle - $200 one-time fee for the entire term of the license (not bound to the domain or to the IP)
- Change of domain on the standard version of the bundle - $20
- Change of IP on the multi-domain version of the bundle - $50
- Single cleaning - $50
- Autoclean per month - $300

Kafeine has the original post on his excellent malware analysis blog, Malware don't need Coffee.

The new version offered many options, including statistics about Windows 8 and mobile device infections, an option to have "less obvious" URLs for your Blackhole Exploit address, and the ability to automatically regenerate your .exe files in ways that would not be detected by AV engines. (This feature is the "Autoclean" offered for $300 per month.)

Many security features of the "auto-ban" variety were included to prevent the malware from functioning for "Reversers". These included:

11. Completely updated "Security" section, which now even has sub-categories:
a) an option to block traffic without a referrer (we recommend always keeping it turned on)
b) an option to ban unwanted referrers
c) an option to ban all referrers except your own
d) an option to ban bots on the basis of a pre-arranged IP address list
e) an option to ban the TOR network (the list is dynamically updated), since in practice most reversers work from there (we recommend always keeping it turned on)
f) a recording mode: when you have stopped and expect no traffic, turn on record mode, and all reversers and bots that follow your link after the bundle was stopped go straight to the ban list
12. Since section 11 gives many options for bans, selecting at least one kind of ban makes a "Ban Statistics" menu appear, in which you can see the amount of blocked traffic and the reason for blocking
I can tell you that those banning practices were creating quite a bit of chaos for "Reversers"! Fortunately, my lead malware analyst at Malcovery Security had found a fairly reliable (if time-consuming) way to defeat Paunch. To show how easy it was to identify his previous URL pattern, look at this list of reports Malcovery generated in the past six months in which BlackHole was found just by using the URL path "/forum/viewtopic.php"!


(Right-Click, "View Image" for larger version)

Much, much more data is available in the several-times-daily "Malcovery T3 Reports", and additional analysis is available for interested parties. This data shows ONLY the "/forum/viewtopic.php" aspect of this malware.

Each row lists the date of the spam campaign, the "imitated brand", and the defanged URL at which BlackHole was found:

Date        Brand                 URL
2013-05-13  ADP                   hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13  ADP                   hxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-13  ADP                   hxxp://vulcantire.net /forum/viewtopic.php
2013-05-13  ADP                   hxxp://westautorepair.com /forum/viewtopic.php
2013-05-13  AmericanExpress       hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13  AmericanExpress       hxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-13  AmericanExpress       hxxp://vulcantire.net /forum/viewtopic.php
2013-05-13  AmericanExpress       hxxp://westautorepair.com /forum/viewtopic.php
2013-05-13  Citibank              hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13  Citibank              hxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-13  Citibank              hxxp://vulcantire.net /forum/viewtopic.php
2013-05-13  Citibank              hxxp://westautorepair.com /forum/viewtopic.php
2013-05-21  eFax                  hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-21  eFax                  hxxp://debthelpsmart.org /forum/viewtopic.php
2013-05-21  eFax                  hxxp://debtsmartretirement.com /forum/viewtopic.php
2013-05-21  eFax                  hxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-24  ADP                   hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-24  ADP                   hxxp://monteazul.clicken1.com:81 /forum/viewtopic.php
2013-05-24  ADP                   hxxp://panama.clicken1.com:81 /forum/viewtopic.php
2013-05-24  ADP                   hxxp://talentos.clicken1.com:81 /forum/viewtopic.php
2013-05-29  WesternUnion          hxxp://199.168.184.198:81 /forum/viewtopic.php
2013-05-29  WesternUnion          hxxp://monteazul.clicken1.com:81 /forum/viewtopic.php
2013-05-29  WesternUnion          hxxp://panama.clicken1.com:81 /forum/viewtopic.php
2013-05-29  WesternUnion          hxxp://talentos.clicken1.com:81 /forum/viewtopic.php
2013-05-24  Chase                 hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-24  Chase                 hxxp://monteazul.clicken1.com:81 /forum/viewtopic.php
2013-05-24  Chase                 hxxp://panama.clicken1.com:81 /forum/viewtopic.php
2013-05-24  Chase                 hxxp://talentos.clicken1.com:81 /forum/viewtopic.php
2013-06-05  WesternUnion          hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-06-05  WesternUnion          hxxp://199.168.184.198:81 /forum/viewtopic.php
2013-06-05  WesternUnion          hxxp://verybestblueberry.com /forum/viewtopic.php
2013-06-05  WesternUnion          hxxp://wildmaineblues.com /forum/viewtopic.php
2013-07-08  Citi                  hxxp://2ndtimearoundweddingphotography.com /forum/viewtopic.php
2013-07-08  Citi                  hxxp://bobkahnvideo.com /forum/viewtopic.php
2013-07-08  Citi                  hxxp://gfpmenusonline.com /forum/viewtopic.php
2013-07-08  Citi                  hxxp://gfponlineordering.com /forum/viewtopic.php
2013-07-10  eFax                  hxxp://gfpshoppingcarts.net /forum/viewtopic.php
2013-07-10  eFax                  hxxp://greatstockfoodimages.com /forum/viewtopic.php
2013-07-10  eFax                  hxxp://imhungrynow.com /forum/viewtopic.php
2013-07-10  eFax                  hxxp://one2onebiznet.com /forum/viewtopic.php
2013-07-12  UPS                   hxxp://buzztag.com /forum/viewtopic.php
2013-07-12  UPS                   hxxp://customkids.com /forum/viewtopic.php
2013-07-12  UPS                   hxxp://webersmokeymountaincookerreview.com /forum/viewtopic.php
2013-07-12  UPS                   hxxp://wiiunlockplusreview.com /forum/viewtopic.php
2013-07-25  CNN                   hxxp://198.57.130.35:8080 /forum/viewtopic.php
2013-07-25  CNN                   hxxp://alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25  CNN                   hxxp://webmail.alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25  CNN                   hxxp://webmail.alsultantravel.info:8080 /forum/viewtopic.php
2013-07-25  Facebook              hxxp://198.57.130.35:8080 /forum/viewtopic.php
2013-07-25  Facebook              hxxp://alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25  Facebook              hxxp://webmail.alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25  Facebook              hxxp://webmail.alsultantravel.info:8080 /forum/viewtopic.php
2013-08-02  Moneygram             h00p://50.57.185.72:8080 /forum/viewtopic.php
2013-08-02  Moneygram             h00p://arki.com:8080 /forum/viewtopic.php
2013-08-02  Moneygram             h00p://northernforestcanoetrail.com /forum/viewtopic.php
2013-08-02  Moneygram             h00p://www.arki.com:8080 /forum/viewtopic.php
2013-08-14  BankofAmerica         hxxp://gutterglovegutterprotection.com /forum/viewtopic.php
2013-08-14  BankofAmerica         hxxp://gutterguardbuyersguide.com /forum/viewtopic.php
2013-08-14  BankofAmerica         hxxp://gutterhelmetleafguardgutterprotection.com /forum/viewtopic.php
2013-08-14  BankofAmerica         hxxp://gutterprosmaryland.com /forum/viewtopic.php
2013-08-14  WellsFargo            hxxp://gutterglovegutterprotection.com /forum/viewtopic.php
2013-08-14  WellsFargo            hxxp://gutterguardbuyersguide.com /forum/viewtopic.php
2013-08-14  WellsFargo            hxxp://gutterhelmetleafguardgutterprotection.com /forum/viewtopic.php
2013-08-14  WellsFargo            hxxp://gutterprosmaryland.com /forum/viewtopic.php
2013-08-15  FAX                   hxxp://1800callabe.com /forum/viewtopic.php
2013-08-15  FAX                   hxxp://1866callabe.com /forum/viewtopic.php
2013-08-15  FAX                   hxxp://abemoussa.com /forum/viewtopic.php
2013-08-15  FAX                   hxxp://abemuggs.com /forum/viewtopic.php
2013-08-16  ADP                   hxxp://hubbywifeco.com /forum/viewtopic.php
2013-08-16  ADP                   hxxp://hubbywifedesigns.com /forum/viewtopic.php
2013-08-16  ADP                   hxxp://hubbywifedesserts.com /forum/viewtopic.php
2013-08-16  ADP                   hxxp://hubbywifefoods.com /forum/viewtopic.php
2013-08-16  WellsFargo            hxxp://hubbywifeco.com /forum/viewtopic.php
2013-08-16  WellsFargo            hxxp://hubbywifedesigns.com /forum/viewtopic.php
2013-08-16  WellsFargo            hxxp://hubbywifedesserts.com /forum/viewtopic.php
2013-08-16  WellsFargo            hxxp://hubbywifefoods.com /forum/viewtopic.php
2013-08-19  ADP                   hxxp://hubbywifewines.com /forum/viewtopic.php
2013-08-19  ADP                   hxxp://ipodwalla.com /forum/viewtopic.php
2013-08-19  ADP                   hxxp://jerseycitybags.com /forum/viewtopic.php
2013-08-19  ADP                   hxxp://jerseyluggage.com /forum/viewtopic.php
2013-08-19  Facebook              hxxp://frankcremascocabinets.com /forum/viewtopic.php
2013-08-19  Facebook              hxxp://giuseppepiruzza.com /forum/viewtopic.php
2013-08-19  Facebook              hxxp://gordonpoint.biz /forum/viewtopic.php
2013-08-19  Facebook              hxxp://gordonpoint.info /forum/viewtopic.php
2013-08-20  UKLandRegistry        hxxp://giuseppepiruzza.com /forum/viewtopic.php
2013-08-20  UKLandRegistry        hxxp://gordonpoint.biz /forum/viewtopic.php
2013-08-20  UKLandRegistry        hxxp://gordonpoint.info /forum/viewtopic.php
2013-08-20  UKLandRegistry        hxxp://gordonpoint.org /forum/viewtopic.php
2013-08-26  UPS                   hxxp://gordonpoint.org /forum/viewtopic.php
2013-08-26  UPS                   hxxp://hitechcreature.com /forum/viewtopic.php
2013-08-26  UPS                   hxxp://industryseeds.ca /forum/viewtopic.php
2013-08-26  UPS                   hxxp://infocreature.com /forum/viewtopic.php
2013-09-06  CitizensBank-KeyBank  hxxp://luggagepoint.de /forum/viewtopic.php
2013-09-06  CitizensBank-KeyBank  hxxp://luggagepreview.com /forum/viewtopic.php
2013-09-06  CitizensBank-KeyBank  hxxp://luggagewalla.com /forum/viewtopic.php
2013-09-06  CitizensBank-KeyBank  hxxp://luxluggage.com /forum/viewtopic.php
2013-09-09  FedEx                 hxxp://luxurybrandswalla.com /forum/viewtopic.php
2013-09-09  FedEx                 hxxp://mickmicheyl.biz /forum/viewtopic.php
2013-09-09  FedEx                 hxxp://mickmicheyl.ca /forum/viewtopic.php
2013-09-09  FedEx                 hxxp://mickmicheyl.com /forum/viewtopic.php
2013-09-10  FedEx                 hxxp://actorbell.com /forum/viewtopic.php
2013-09-10  FedEx                 hxxp://facebookfansincrease.com /forum/viewtopic.php
2013-09-10  FedEx                 hxxp://fillmaka.com /forum/viewtopic.php
2013-09-10  FedEx                 hxxp://fillmmaka.com /forum/viewtopic.php
2013-09-11  FedEx                 hxxp://actorbell.com /forum/viewtopic.php
2013-09-11  FedEx                 hxxp://facebookfansincrease.com /forum/viewtopic.php
2013-09-11  FedEx                 hxxp://fillmaka.com /forum/viewtopic.php
2013-09-11  FedEx                 hxxp://fillmmaka.com /forum/viewtopic.php
2013-09-11  FedEx                 hxxp://filmaka.biz /forum/viewtopic.php
2013-09-11  FedEx                 hxxp://filmaka.co.uk /forum/viewtopic.php
2013-09-12  FedEx                 hxxp://fillmmaka.com /forum/viewtopic.php
2013-09-12  FedEx                 hxxp://filmaka.biz /forum/viewtopic.php
2013-09-12  FedEx                 hxxp://filmaka.co.uk /forum/viewtopic.php
2013-09-12  FedEx                 hxxp://filmaka.info /forum/viewtopic.php
2013-09-13  FedEx                 hxxp://filmaka.org /forum/viewtopic.php
2013-09-13  FedEx                 hxxp://filmaka.us /forum/viewtopic.php
2013-09-13  FedEx                 hxxp://filmmaka.com /forum/viewtopic.php
2013-09-13  FedEx                 hxxp://filmpunjab.com /forum/viewtopic.php
2013-09-16  FedEx                 hxxp://rockims.com /forum/viewtopic.php
2013-09-16  FedEx                 hxxp://swingingwiththefinkelsthemovie.com /forum/viewtopic.php
2013-09-16  FedEx                 hxxp://taxipunjab.com /forum/viewtopic.php
2013-09-16  FedEx                 hxxp://taxisamritsar.com /forum/viewtopic.php
2013-09-17  FedEx                 hxxp://defeat-autism.com /forum/viewtopic.php
2013-09-17  FedEx                 hxxp://defeat-autism.org /forum/viewtopic.php
2013-09-17  FedEx                 hxxp://saltlakecityutahcommercialrealestate.com /forum/viewtopic.php
2013-09-17  FedEx                 hxxp://utahbankownedhomesonline.info /forum/viewtopic.php
2013-09-17  FedEx                 hxxp://utahonlinerealestate.com /forum/viewtopic.php
2013-09-18  FedEx                 hxxp://defeat-autism.com /forum/viewtopic.php
2013-09-18  FedEx                 hxxp://defeat-autism.org /forum/viewtopic.php
2013-09-18  FedEx                 hxxp://glgkorea.com /forum/viewtopic.php
2013-09-18  FedEx                 hxxp://jadecreditdesign.com /forum/viewtopic.php
2013-09-19  FedEx                 hxxp://louievozza.com /forum/viewtopic.php
2013-09-19  FedEx                 hxxp://louvozza.com /forum/viewtopic.php
2013-09-19  FedEx                 hxxp://lvconcordecontracting.com /forum/viewtopic.php
2013-09-19  FedEx                 hxxp://lv-contracting.com /forum/viewtopic.php
2013-09-20  FedEx                 hxxp://lvconcordecontracting.com /forum/viewtopic.php
2013-09-20  FedEx                 hxxp://mcbelectrical.ca /forum/viewtopic.php
2013-09-20  FedEx                 hxxp://oliviagurun.com /forum/viewtopic.php
2013-09-20  FedEx                 hxxp://onecable.ca /forum/viewtopic.php
2013-09-23  FedEx                 hxxp://dsostermanlaw.com /forum/viewtopic.php
2013-09-23  FedEx                 hxxp://nefcapital.com /forum/viewtopic.php
2013-09-23  FedEx                 hxxp://simpacswings.com /forum/viewtopic.php
2013-09-23  FedEx                 hxxp://wetalkbb.net /forum/viewtopic.php
2013-09-24  FedEx                 hxxp://acedataintelligence.com /forum/viewtopic.php
2013-09-24  FedEx                 hxxp://acedataintelligence.net /forum/viewtopic.php
2013-09-24  FedEx                 hxxp://dsostermanlaw.com /forum/viewtopic.php
2013-09-24  FedEx                 hxxp://nefcapital.com /forum/viewtopic.php
2013-09-27  Facebook              hxxp://directgrid.org /forum/viewtopic.php
2013-09-27  Facebook              hxxp://directgrid.us /forum/viewtopic.php
2013-09-27  Facebook              hxxp://integra-inspection.ca /forum/viewtopic.php
2013-09-27  Facebook              hxxp://watttrack.com /forum/viewtopic.php
2013-09-27  LinkedIn              hxxp://directgrid.org /forum/viewtopic.php
2013-09-27  LinkedIn              hxxp://directgrid.us /forum/viewtopic.php
2013-09-27  LinkedIn              hxxp://integra-inspection.ca /forum/viewtopic.php
2013-09-27  LinkedIn              hxxp://watttrack.com /forum/viewtopic.php
2013-10-01  FedEx                 hxxp://smartstartfinancial.com /forum/viewtopic.php
2013-10-01  FedEx                 hxxp://thewalletslip.com /forum/viewtopic.php
2013-10-01  FedEx                 hxxp://tootle.us /forum/viewtopic.php
2013-10-01  FedEx                 hxxp://tungstenrents.com /forum/viewtopic.php
2013-10-09  WellsFargo            hxxp://integrainspection.co /forum/viewtopic.php
2013-10-09  WellsFargo            hxxp://integrainspection.info /forum/viewtopic.php
2013-10-09  WellsFargo            hxxp://integrainspection.net /forum/viewtopic.php
2013-10-09  WellsFargo            hxxp://integrainspection.org /forum/viewtopic.php
2013-10-10  FedEx                 hxxp://denisemoussa.com /forum/viewtopic.php
2013-10-10  FedEx                 hxxp://integrainspection.net /forum/viewtopic.php
2013-10-10  FedEx                 hxxp://integrainspection.org /forum/viewtopic.php
2013-10-10  FedEx                 hxxp://integrainspections.ca /forum/viewtopic.php
2013-10-11  FedEx                 hxxp://integrainspection.net /forum/viewtopic.php
2013-10-11  FedEx                 hxxp://integrainspection.org /forum/viewtopic.php
2013-10-11  FedEx                 hxxp://integrainspections.ca /forum/viewtopic.php
2013-10-11  FedEx                 hxxp://integrainspections.co /forum/viewtopic.php
2013-10-14  WellsFargo            hxxp://integrainspection.org /forum/viewtopic.php
2013-10-14  WellsFargo            hxxp://integrainspections.ca /forum/viewtopic.php
2013-10-14  WellsFargo            hxxp://integrainspections.co /forum/viewtopic.php
2013-10-14  WellsFargo            hxxp://stratuscomputing.com /forum/viewtopic.php
2013-10-15  WellsFargo            hxxp://integrainspection.org /forum/viewtopic.php
2013-10-15  WellsFargo            hxxp://integrainspections.ca /forum/viewtopic.php
2013-10-15  WellsFargo            hxxp://integrainspections.co /forum/viewtopic.php
2013-10-15  WellsFargo            hxxp://stratuscomputing.com /forum/viewtopic.php
2013-10-23  VoiceMessage          hxxp://bernaandthebern-outs.com /forum/viewtopic.php
2013-10-23  VoiceMessage          hxxp://sayitwithpower.com /forum/viewtopic.php
2013-10-23  VoiceMessage          hxxp://thewinewars.com /forum/viewtopic.php
2013-10-23  VoiceMessage          hxxp://www.benfrederick.com:8080 /forum/viewtopic.php
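As an added example (not code from the original post, and not Malcovery's tooling), here is a small Python script that does the kind of triage the list above illustrates: it parses report rows in the fused "date, brand, URL" shape shown above, keeps only the rows whose URL path is "/forum/viewtopic.php", and groups them by host so that hosts reused across several dates or spoofed brands stand out. The `matches_blackhole_path` helper also accepts a live URL (for example from a web proxy log) so the same check can be run outside the report. The sample rows are constructed for this example from hosts that appear in the report, plus one non-matching row on the reserved name example.invalid; the function names are mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: rows in the fused "<date><brand><scheme>://<host> <path>" shape of
# the report above (hosts taken from that report), plus one non-matching row so the
# filter has something to reject.
SAMPLE_ROWS = """\
2013-05-13ADP hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13AmericanExpresshxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-21eFaxhxxp://debthelpsmart.org /forum/viewtopic.php
2013-08-02Moneygramh00p://arki.com:8080 /forum/viewtopic.php
2013-09-27Facebookhxxp://directgrid.org /forum/viewtopic.php
2013-09-27LinkedInhxxp://directgrid.org /forum/viewtopic.php
2013-10-23VoiceMessagehxxp://www.benfrederick.com:8080 /forum/viewtopic.php
2013-06-01SomeBrandhxxp://example.invalid /index.php
"""

# The URL path the post uses as its fingerprint for this BlackHole campaign.
BLACKHOLE_PATH = "/forum/viewtopic.php"

# Rows fuse the brand onto the date with no separator; the lazy brand group stops at the
# first scheme, which may be "hxxp" or "h00p" (the two defanging styles in the report).
ROW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})"
    r"(?P<brand>.+?)\s*"
    r"(?P<scheme>hxxps?|h00ps?|https?)://"
    r"(?P<host>[^\s/]+)\s*"
    r"(?P<path>/\S*)$"
)


def refang(url):
    """Turn a defanged hxxp/h00p URL back into one urlsplit can parse (parsing only)."""
    return re.sub(r"^h(?:xx|00)p", "http", url, count=1)


def parse_row(line):
    """Parse one fused report row into a dict, or return None if the row is malformed."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m.group("host").partition(":")
    return {
        "date": m.group("date"),
        "brand": m.group("brand").strip(),
        "host": host,
        "port": int(port) if port else 80,   # the report omits the port for plain port-80 hosts
        "path": m.group("path"),
    }


def matches_blackhole_path(url):
    """True when a URL (defanged or live, e.g. from a proxy log) has the fingerprinted path.
    The query string is ignored so that '?t=...' variants still match."""
    return urlsplit(refang(url)).path == BLACKHOLE_PATH


def summarize(rows_text):
    """Keep only rows whose path matches the fingerprint and group them by host, so a host
    reused across campaigns (several dates or brands) stands out.
    Returns (by_host, rejected_lines)."""
    by_host = defaultdict(lambda: {"dates": set(), "brands": set(), "ports": set()})
    rejected = []
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None or row["path"] != BLACKHOLE_PATH:
            rejected.append(line)
            continue
        entry = by_host[row["host"]]
        entry["dates"].add(row["date"])
        entry["brands"].add(row["brand"])
        entry["ports"].add(row["port"])
    return dict(by_host), rejected


if __name__ == "__main__":
    hosts, rejected = summarize(SAMPLE_ROWS)
    for host, info in sorted(hosts.items()):
        print(f"{host:28} ports={sorted(info['ports'])} "
              f"dates={sorted(info['dates'])} brands={sorted(info['brands'])}")
    print(f"{len(rejected)} row(s) did not match the BlackHole path")
```

A path match on its own is a lead, not proof: "/forum/viewtopic.php" is also a legitimate phpBB URL, so a hit should be confirmed against the spam campaign it arrived in (the brand and date columns) before the host is blocked, which is exactly why the report carries those columns alongside the URL.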