The creator of a widely used cybercrime tool kit is going after more exclusive clientele by packaging expensive exploits into a pricier bundle being used to execute online extortion campaigns.
Even more disturbingly, the malware's creator has set aside $100,000 to buy zero-day exploits from third-party hackers, putting him in the league of government intelligence agencies who also buy exploits.
The new, more expensive hacking bundle, known as the Cool exploit kit, came to researchers' attention in October as the culprit in a number of ransomware attacks, security writer Brian Krebs reported on his blog.
Exploit kits are bundles of malware, usually embedded in a corrupted Web page, that attack visiting browsers with multiple exploits until one penetrates the visiting computer's defenses.
Patterns of updates
In order to infect its victims, Cool takes advantage of a critical vulnerability in Windows that was also exploited in late 2011 by the Duqu worm, military-grade malware thought to have ties to the infamous Stuxnet worm.
Kafeine, the French security researcher who discovered the Duqu link, is also responsible for linking Cool to the more ubiquitous Blackhole exploit kit.
As he observed the evolution of both exploit kits, Kafeine saw that after Cool got the Duqu update, Blackhole followed a week later. That, plus a similar event in November, led Kafeine to the conclusion that the same author or authors were behind both.
"As soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole," Kafeine told Krebs.
Stepping up the game
Krebs said he contacted the malware writer "Paunch," who is responsible for Blackhole. Paunch confirmed that he was also responsible for Cool.
Paunch and his crew license Blackhole to online criminals for $700 to $1,500 per month, but Paunch said Cool commanded a staggering $10,000 for a single month's use.
This past fall, Krebs said, an associate of Paunch's posted a message to a semi-private forum advising hackers that the gang now had a $100,000 budget to buy "new browser and browser plug-in vulnerabilities" that had not yet been made public.
"Not only do we buy exploits and vulnerabilities, but also improvements to existing public exploits, and also any good solutions for improving the rate of exploitation," a professional translation from the original Russian read.
In spite of its soaring sticker price, at least two different crime organizations are using Cool. One uses it to spread Reveton ransomware that reportedly earns its members as much as $30,000 each day.
With a return like that, paying $10,000 for a month's license doesn't seem like a bad investment.
Users can protect their computers from most browser exploit kits, even those containing zero-day exploits, by using up-to-date anti-virus software, keeping all other software fully patched, turning on their firewalls, accessing the Internet only from limited user accounts that can't install software — and, for the time being, not using Internet Explorer 6 through 8.
Victims of ransomware attacks should not pay their attackers. Instead, they should contact law enforcement as quickly as possible.