New exploit kit may be "cooler" than BlackHole

Researchers believe a new exploit kit on the market is a pricier version of BlackHole, packaged with enough zero-day threats and other features to take the top spot from its predecessor.

The “Cool” exploit kit, thought to be created by the same group behind BlackHole, which is led by a Russian hacker with the online alias “Paunch,” first appeared on the underground market in October.

On Monday, security journalist Brian Krebs confirmed that Paunch acknowledged responsibility for the Cool exploit kit on a semi-private cyber crime forum. Exploit kits are sold on the black market as a means of easily serving malware from compromised sites. The kits often deliver exploits for vulnerabilities, both of the publicly known and unknown variety, in widely deployed software, such as Java or Adobe.

“Our team prepared the following exclusive program of purchasing new browser and browser plug-in vulnerabilities,” read the forum message, which Krebs reposted on his blog. “Not only do we buy exploits and vulnerabilities, but also improvements to existing public exploits, and also any good solutions for improving the rate of exploitation.”

It's believed that Cool's hefty price tag – $10,000 a month, compared to the BlackHole kit's substantially lower cost of around $500 a month – covers the cyber crime group's $100,000 investment in zero-days for clients. 

“We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us),” said the forum post.

In a Thursday interview with SCMagazine.com, Jeff Doty, web security data analyst for Blue Coat, a Sunnyvale, Calif.-based web security company, said that in the last few years other exploit kits have tried to displace BlackHole's influence in the market, but none have grown at the pace of the Cool exploit kit.

“In the last couple of years, there have been a lot of exploit kits, but we block the IP addresses and we usually don't see too much from them after that,” Doty said. “They don't grow as much as this Cool exploit kit. They also don't seem to be coded as well.”

Blue Coat researchers discovered that during last month alone, 204 new servers were hosting compromised web pages that delivered the Cool exploit kit to visitors. In the same month, Blue Coat detected only 32 new servers hosting malicious pages serving up BlackHole.  
