Meet Paunch: the Accused Author of the BlackHole Exploit Kit

tsu doh nimh writes "In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: 'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunchâ(TM)s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.'"

his only fault

[gl4ss]

his only fault was that he didn't incorporate in France and didn't have NSA as a client.

see, if you have offices and suits and your customers wear suits then the business is legit.

CHIPs?

[rotorbudd]

You mean Eric Estrada was a malware kingpin?
I don't believe it!

Re:

[Anonymous Coward]

You mean Eric Estrada was a malware kingpin?
I don't believe it!

How is that hard to believe? His sidekick [cnn.com] was busted for stock fraud.

Re:

[93 Escort Wagon]

I can't believe Marco is a drug kingpin. Sparks, on the other hand...

I am confused.

[Anonymous Coward]

Surely the kit would be "bought" once then distributed freely. It's not as if they're going to go to the BSA and whine about copyright infringement, is it?

Although nobody said cybercriminals were clever, I suppose. To be smart is to win while playing by the rules; to win by cheating just means you lack scruples, and anyone can do that.

Re:

[platypussrex]

I'm certainly not an expert on this, but TFA says they "rent" the kit, and in a linked article it mentions administrative user panels for the people who rent the product, so it sounds as if you don't actually buy the code, but rather rent access to a system that lets you acquire and manipulate your botnet.

Re:I am confused.

[platypussrex]

it gets even better. In the linked article it explains that Paunch sells ads that appear in the control panels for all the renters, so not only does he get income from renting the system, he he also gets the income from that ads that are popping up in your system after you rent it from him!

Re:

[Lumpy]

but legit purchases come with tech support! That is what makes actually buying their software so worth it!

Re:

[module0000]

You're not buying the skeleton of the kit - you're buying the kit equipped with the latest 0-days to be effective. The last thing you'd want to do after you pay thousands for a 0-day exploit and the kit as a payload - is give it away. Then it's in the wild and antivirus is going to protect against it.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[davecb]

Methinks we may need a general mechanism for identifying nutters that's hard to spoof, so that the folks who used to spend their days flaming innocent passers-by on usenet can't just migrate here.

This is probably an instance of a byzantine fault-tolerance problem, as solved by Barbara Liskov. As a bad example, consider displaying one of those little bi-coloured pills one uses for friends and foes, with the numbers voting shown in each side. ONLY if N people vote him "id10t" and N is at least one greater

Re:

[mythosaz]

What entry do I put in my hosts file to block apk's spam?

Re:

[gmhowell]

Half the time, I wonder if that's really apk, or just a troll(s) with some apk inspired copypasta.

Re:

[gmhowell]

You have confused 'run and hide' with 'don't give a shit'.

DNS blacklist mechanism

[tepples]

A hosts file [pineight.com] is a method of blacklisting hostnames of servers with which you desire not to communicate, such as malware-infested servers and the servers that host social recommendation ("like") widgets that track you and slow down page loads.

Re:

[tepples]

You could use Wine. But I guess part of the tool's functionality is to manually cache the IP addresses hosts you access most, at the top of the file, so that the operating system's resolver doesn't have to do so much work.

Re:

[Anonymous Coward]

Crime arises when "legit" jobs are not as easy to get as simplistic optimism might suggest. While it's a frequent perception that it's dead easy for any little group of computer-savvy hard workers to spin up a few million dollars in business out of their garage, the truth is disguised by a lot of selection bias --- you hear the success stories, but rarely hear about all the folks who lost their garage (and home) in the process, and are now making $13/hr at a tech support desk. My guess is that the actual on

Re:

[DarkOx]

I think your ignoring how some of these people get into this criminal line of work. Suppose you had been doing honest work as developer, or maybe even something like a pen tester. Suppose one day you discover a really reliable vulnerability you can exploit in some really really widely used software, maybe the SMB service on Windows or something. It works just about everywhere and gets privileged access.

Now you got choices:

Tell the vendor - who may be happy to hear from you so they can quickly and quietly

Re:

[rtb61]

The big problem with selling zero day exploits is, they are only effective if they remain secret and of course the seller of the exploit is a threat to the secrecy of that exploit. Already sold it once, what stops them from selling again and again and again. So when it comes to buying those exploits organised crime is likely to consider it worthwhile to ensure the silence of the seller and save themselves some money instead. When it comes to buying exploits the more likely source is leaks in intelligence s

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ruir]

You could run for politician.

Fat jokes?

[Anonymous Coward]

if the Russian authorities are correct then his nickname is quite appropriate

He's probably a bad guy, so let's make fat jokes about his photo in the summary. There's absolutely no chance we're humiliating someone innocent, right?

Small Fry

[VortexCortex]

I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years.

I would disagree and cite NSA's PRISM and FOXACID as a far more important driving force. [theatlantic.com] Even if you disagree about the classification of their action as criminal violations of the US Constitution, consider that they purchase a large volume of zero-day exploits to fuel their "cyber" weapons. This makes selling zero-day exploits on the black market very profitable even if you ended all civilian perpetrated "cyber" assaults.

And when you hack a man, you're a criminal,
Hack many, and you're a terrorist,
Hack 'em all, you're a Government!

My apologizes to Megadeth. [wikiquote.org]

Hmm...

[sabbede]

How do we make the punishment fit the crime?

Though I guess a Russian prison is a pretty severe punishment as-is.