Meet Paunch: the Accused Author of the BlackHole Exploit Kit

tsu doh nimh writes "In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: 'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunchâ(TM)s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.'"

his only fault

[gl4ss]

his only fault was that he didn't incorporate in France and didn't have NSA as a client.

see, if you have offices and suits and your customers wear suits then the business is legit.

CHIPs?

[rotorbudd]

You mean Eric Estrada was a malware kingpin?
I don't believe it!

Re:CHIPs?

You mean Eric Estrada was a malware kingpin?
I don't believe it!

How is that hard to believe? His sidekick was busted for stock fraud.

Re:CHIPs?

[93+Escort+Wagon]

I can't believe Marco is a drug kingpin. Sparks, on the other hand...

Re:CHIPs?

Shave ice! get your hawaiian shave ice!

Re:CHIPs?

Well I do remember sometime in the 90s when Erik Estrada was trying to hawk worthless land around the Mount Shasta area.

I am confused.

Surely the kit would be "bought" once then distributed freely. It's not as if they're going to go to the BSA and whine about copyright infringement, is it?

Although nobody said cybercriminals were clever, I suppose. To be smart is to win while playing by the rules; to win by cheating just means you lack scruples, and anyone can do that.

Re:I am confused.

[platypussrex]

I'm certainly not an expert on this, but TFA says they "rent" the kit, and in a linked article it mentions administrative user panels for the people who rent the product, so it sounds as if you don't actually buy the code, but rather rent access to a system that lets you acquire and manipulate your botnet.

Re:I am confused.

[Lumpy]

but legit purchases come with tech support! That is what makes actually buying their software so worth it!

Re:I am confused.

Sigh, I miss when organized crime meant more effort than clicking on the "Trade"... errr "DDoS" button.

Re:I am confused.

[platypussrex]

it gets even better. In the linked article it explains that Paunch sells ads that appear in the control panels for all the renters, so not only does he get income from renting the system, he he also gets the income from that ads that are popping up in your system after you rent it from him!

Re:I am confused.

[module0000]

You're not buying the skeleton of the kit - you're buying the kit equipped with the latest 0-days to be effective. The last thing you'd want to do after you pay thousands for a 0-day exploit and the kit as a payload - is give it away. Then it's in the wild and antivirus is going to protect against it.

Re:I am confused.

Or you rent access to the system that creates specific instances of malware that you would then download and distribute. I think I read somewhere about this.

He's a FOOL that's easy to "shutdown"

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Benefits vs. Zeus from -> https://zeustracker.abuse.ch/monitor.php?filter=lastupdated )

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google + crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster vs remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

(Addons = more complex + slowup browsers in message passing (use a few concurrently & see))

---

** "Less is more" = GOOD engineering!

(Vs. slowing down usermode browsers layering MORE in addons slowing 'em down more: I work w/ what you have in kernelmode, in hosts - A tightly integrated PART of the IP stack)

APK

P.S.=> "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Re:He's a FOOL that's easy to "shutdown"

"Hosts" file? What is a "Hosts" file? Did you make that shit up? You can't think we're all gullible enough to believe that browsers and computers work that way. Someone should take your imaginary computer away.

Re:He's a FOOL that's easy to "shutdown"

[benjfowler]

APK is a well-known Slashdot nutter, and the regulars are more-or-less used to him by now.

Re:He's a FOOL that's easy to "shutdown"

How about a link to just the hosts file?
For everyone who doesn't use windows.

Thanks

Re:He's a FOOL that's easy to "shutdown"

[tepples]

You could use Wine. But I guess part of the tool's functionality is to manually cache the IP addresses hosts you access most, at the top of the file, so that the operating system's resolver doesn't have to do so much work.

Re:He's a FOOL that's easy to "shutdown"

[davecb]

Methinks we may need a general mechanism for identifying nutters that's hard to spoof, so that the folks who used to spend their days flaming innocent passers-by on usenet can't just migrate here.

This is probably an instance of a byzantine fault-tolerance problem, as solved by Barbara Liskov. As a bad example, consider displaying one of those little bi-coloured pills one uses for friends and foes, with the numbers voting shown in each side. ONLY if N people vote him "id10t" and N is at least one greater than 3 times the the people who vote him legit, mind you! Generally displaying reputation or friend/foes icons would just lead to flaming about reputations and scores.

--dave

Re:He's a FOOL that's easy to "shutdown"

[gmhowell]

Half the time, I wonder if that's really apk, or just a troll(s) with some apk inspired copypasta.

Re:He's a FOOL that's easy to "shutdown"

[mythosaz]

What entry do I put in my hosts file to block apk's spam?

Re:He's a FOOL that's easy to "shutdown"

It's funny seeing you trolls run from apk here though http://it.slashdot.org/comments.pl?sid=4531469&cid=45633071

Windows Only

Linux, BSD and OSX users are protected. Mostly because of their superior security models.

Re:Windows Only

Superior security is good, but in this case it's not why windows is affected and they aren't. BSD is the only one marginally secure.

The main reason it's not targeted is market share, low lying fruit gets picked up easier than orchard maintenance.

That's not even good money.

[Fatty+Fauntleroy]

A 'gang' of folks would indicate a number equal to or greater than three, one could assume. The group as a whole has earned $2.3mil over their course of their enterprises. They could have done significantly better had they set up a legitimate business and sold their skills for positive use on the international market. I've never understood this about criminals. So many expense a tremendous amount more effort for less gain than they would if they had a legitimate enterprise.

Re:That's not even good money.

"If only he'd used his powers for goodness, instead of badness" - Maxwell Smart (Don Adams)

Re:That's not even good money.

Crime arises when "legit" jobs are not as easy to get as simplistic optimism might suggest. While it's a frequent perception that it's dead easy for any little group of computer-savvy hard workers to spin up a few million dollars in business out of their garage, the truth is disguised by a lot of selection bias --- you hear the success stories, but rarely hear about all the folks who lost their garage (and home) in the process, and are now making $13/hr at a tech support desk. My guess is that the actual on-the-ground conditions made it much harder for J. Random Hackerguy and Co. to just start pulling in a couple million dollars for their skills; and once you've got to $50k/mo., one might be disinclined to abandon a working scheme.

Re:That's not even good money.

[DarkOx]

I think your ignoring how some of these people get into this criminal line of work. Suppose you had been doing honest work as developer, or maybe even something like a pen tester. Suppose one day you discover a really reliable vulnerability you can exploit in some really really widely used software, maybe the SMB service on Windows or something. It works just about everywhere and gets privileged access.

Now you got choices:

Tell the vendor - who may be happy to hear from you so they can quickly and quietly patch it. They may even pay you a small bounty. The may also do nothing. They could potentially even try and prosecute you. I can tell you I WOULD NEVER CHOOSE THIS OPTION, little possibility for reward lots of potential for pain.

Publish it in the legitimate white had security world -- Probably the best choice. You'll be getting your name out there which can really help you. You might even be able to make some money off it directly by talking about it at the various *cons.. The vendor or project will be forced to fix the vulnerability which is good because that actually makes everyone safe. If you publish in the proper venue at least people who care enough to follow this stuff will be able to take some mitigation steps until a proper fix is available.

Sell it -- risky sure, but might not be all that difficult these days. Could be lots quick money. Awful hard to say no to a quick $50K shot in the arm. You certainly risk jail and could lose everything, but that calculation then depends on your current situation. If you have a good job and are living comfortable with some savings you'd probably be crazy to try it. On the other hand if you're sitting there wondering how your paying the rent this month and contemplating ramen noodles for dinner again; taking your chances on something like that might be pretty appealing.

Re:That's not even good money.

[rtb61]

The big problem with selling zero day exploits is, they are only effective if they remain secret and of course the seller of the exploit is a threat to the secrecy of that exploit. Already sold it once, what stops them from selling again and again and again. So when it comes to buying those exploits organised crime is likely to consider it worthwhile to ensure the silence of the seller and save themselves some money instead. When it comes to buying exploits the more likely source is leaks in intelligence services, you know those douche bag agencies that keep security vulnerabilities secret so that they can exploit them and those leaving their own countries and citizens vulnerable (real fucking bright). If you are corrupt enough to do that, then you are most certainly corrupt enough to sell them to organised crime (a repeat source you would pay and wouldn't silence).

Parasites

[benjfowler]

Goes to show what amoral shitstains these people are. He's made only a couple of million profit, by causing several orders of magnitude of damage in the process. A bit like those arseholes who steal copper cables off the train network, flog them for a few quid, but disrupt the commutes of thousands of people and rack up huge repair bills. In the animal kingdom, such entities are known as "parasites".

Some questions have to be asked about why it took the Russian Interior Ministry so long to track Paunch and his crew down. Given Putin's "power vertical" and his penchant for interfering in the Russian judiciary and wielding it as a weapon against his perceived enemies, you have to wonder what it was all in aid of -- and what Paunch did to get himself arrested. Maybe the bribes weren't big enough?

Re:Parasites

[ruir]

You could run for politician.

Fat jokes?

if the Russian authorities are correct then his nickname is quite appropriate

He's probably a bad guy, so let's make fat jokes about his photo in the summary. There's absolutely no chance we're humiliating someone innocent, right?

Re:Fat jokes?

if the Russian authorities are correct then his nickname is quite appropriate

He's probably a bad guy, so let's make fat jokes about his photo in the summary. There's absolutely no chance we're humiliating someone innocent, right?

Everyone seems to ignore the second photo, where it appears he was captured by a NINJA!

Re:Fat jokes?

Well, presumably the nickname "Paunch" was either given to guy by his criminal cohorts, or was self-selected. I doubt he would keep the nickname if it didn't describe his girth a little bit. And the guy in the photos definitely has a paunch, so a nickname like "Paunch" or "Fat Tony" would be appropriate. It's not really a joke to point that out.

Typo in title

`Accursed' is missing an `r.'

Small Fry

[VortexCortex]

I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years.

I would disagree and cite NSA's PRISM and FOXACID as a far more important driving force. Even if you disagree about the classification of their action as criminal violations of the US Constitution, consider that they purchase a large volume of zero-day exploits to fuel their "cyber" weapons. This makes selling zero-day exploits on the black market very profitable even if you ended all civilian perpetrated "cyber" assaults.

And when you hack a man, you're a criminal,
Hack many, and you're a terrorist,
Hack 'em all, you're a Government!

My apologizes to Megadeth.

Re:Small Fry

I would not be surprised if one of the buyers of the kit was the NSA, so this could still link back to this kit.

He's going to get pounded

In prison, probably for life.

Governments treat people who harm big business like mass murderers.

Re:He's going to get pounded

This kit wasn't really harming big business, the targets were mostly small businesses and home users. So hopefully they really do get pounded.

Disprove my points on hosts then... apk

See subject + disprove an enumerated list of hosts files' value-> http://www.start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

* Good luck!

However - You'd need MORE than that though: More like a miracle...

No - there's NO technically correct & valid way you can & you know it, I know it - as does anyone else reading with 1/2 a brain...!

(So, instead, the "best you've got" is BOGUS technically unjustifiable downmods of my posts on hosts, & nothing more... losers).

APK

P.S.=> Bottom-line: You WEAK trolls always make me laugh (especially considering that "Run, Forrest: RUN!" vs. my challenge to you to disprove the value of custom hosts files for end-users enumerated in the link above...)

... apkb

However - You'd need MORE than that though: More like a miracle...

No -

A challenge to downmodders... apk

http://it.slashdot.org/comments.pl?sid=4531469&cid=45633071

* :)

(It's ALWAYS A PLEASURE seeing weak trolls continually make FOOLS of themselves, vs. the challenge in the link above that I put to them just to SEE THEM RUN FROM IT, yet again... lmao!)

APK

P.S.=> Of course (per my subject-line & challenge to the bogus technically unjustifiable downmodding trolls), they'll do their USUAL "Run, Forrest: RUN!!! vs. that challenge, lol - guaranteed (since it's IMPOSSIBLE to disprove the list of hosts files value in benefits to end-users of them, in added speed, security, reliability, & even anonymity (to an extent only on the latter))...

... apk

hack kit = death penalty

i am not against hackers, but those who publish "kits" for the wannabes should be killed. just my opinion.

DNS blacklist mechanism

[tepples]

A hosts file is a method of blacklisting hostnames of servers with which you desire not to communicate, such as malware-infested servers and the servers that host social recommendation ("like") widgets that track you and slow down page loads.

"Rinse, Lather, & REPEAT" troll... apk

"Run, Forrest: RUN" -> http://it.slashdot.org/comments.pl?sid=4531469&cid=45633071 You FAIL & you KNOW it...

(Since all you have's invalid downmods, + YOU running from a FAIR CHALLENGE I put to you, & nothing more!)

Hilarious... + the ONLY THING you "regular trolls" are used to, is getting your asses kicked, by "yours truly"...

* Especially on hosts files!

(You unjustly & invalidly "down-modding" my last 2 posts beneath THIS discussion tree PROVES my point for me, with YOU supplying the proof of your failure via technically unjustifiable downmods applied to my posts, & YET you FAILED to meet my challenge to validly technically disprove my points on hosts as well - Thanks!).

APK

P.S.=> Man - It's just (& you're MAKING me just HAVE to say it) "too, Too, TOO EASY - just '2ez'" to blow you away with a challenge to you that you can't meet, every single time, to disprove my points on custom hosts files' efficacy in providing more speed, security, reliability, & even anonymity to end users of them...

... apk

"Ask & ye shall receive"

In my 1st posts' 2nd link (vs. Zeus/Citadel/IceIX) -> http://it.slashdot.org/comments.pl?sid=4531469&cid=45632541 it leads you to the source for said custom hosts file data vs. this!

* :)

(The custom hosts file data provided's (vs. the botnet in question mentioned here in the article on /.) from ZeusTracker - they're HIGHLY ESTEEMED & often used by the security community @ large...)

APK

P.S.=> Still - My program shown in that link from my 1st post, can do the same vs. ZEUS/Citadel/IceIX - & it also does the SAME vs. many other malwares/botnets (+ FAR more that's detrimental to users online also (whereas by way of comparison, that is only vs. ZEUS & its variants only))

... apk

What's the 1st thing you said here?

"The best thing about trolling APK?" - Journal by gmhowell on Thursday June 16, 2011 @06:30PM

You admit trolling me -> http://slashdot.org/~gmhowell/journal/266768

* You're SO full of it, it's not even funny, Mr. "Pot calling a kettle black" hypocrite that you are...

APK

P.S.=> Funny how whenever I level this @ you trolls, you run from it (a FAIR challenge too no less) -> http://it.slashdot.org/comments.pl?sid=4531469&cid=45633071 & vainly *try* to "hide it" with technically unjustifiable downmods (& they are unjustifiable, especially when you run from disproving my points, since it's impossible to do, & you KNOW it)...

... apk

Re:What's the 1st thing you said here?

[gmhowell]

You have confused 'run and hide' with 'don't give a shit'.

Re:What's the 1st thing you said here?

Nobody's confused. Ya ran scared from apk's challenge to you, cowardly troll.

Re:What's the 1st thing you said here?

gmhowell reveals his trollish motivations http://slashdot.org/~gmhowell/journal/266768

Hmm...

[sabbede]

How do we make the punishment fit the crime?

Though I guess a Russian prison is a pretty severe punishment as-is.

Why? Trolls (gmhowell) id themselves

As gmhowell did, stating he trolls apk http://it.slashdot.org/comments.pl?sid=4531469&cid=45638001

gmhowell = admitted troll

gmhowell = admitted troll http://slashdot.org/~gmhowell/journal/266768