Meet Paunch: the Accused Author of the BlackHole Exploit Kit
tsu doh nimh writes "In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: 'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunch's customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.'"
His only fault was that he didn't incorporate in France and didn't have the NSA as a client.
See, if you have offices and suits and your customers wear suits, then the business is legit.
World was created 5 seconds before this post as it is.
You mean Eric Estrada was a malware kingpin?
I don't believe it!
A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
I'm certainly not an expert on this, but TFA says they "rent" the kit, and in a linked article it mentions administrative user panels for the people who rent the product, so it sounds as if you don't actually buy the code, but rather rent access to a system that lets you acquire and manipulate your botnet.
It gets even better. In the linked article it explains that Paunch sells ads that appear in the control panels for all the renters, so not only does he get income from renting the system, he also gets the income from the ads that are popping up in your system after you rent it from him!
You're not buying the skeleton of the kit - you're buying the kit equipped with the latest 0-days to be effective. The last thing you'd want to do after you pay thousands for a 0-day exploit and the kit as a payload - is give it away. Then it's in the wild and antivirus is going to protect against it.
Trackball users will be first against the wall.
Goes to show what amoral shitstains these people are. He's made only a couple of million profit, by causing several orders of magnitude of damage in the process. A bit like those arseholes who steal copper cables off the train network, flog them for a few quid, but disrupt the commutes of thousands of people and rack up huge repair bills. In the animal kingdom, such entities are known as "parasites".
Some questions have to be asked about why it took the Russian Interior Ministry so long to track Paunch and his crew down. Given Putin's "power vertical" and his penchant for interfering in the Russian judiciary and wielding it as a weapon against his perceived enemies, you have to wonder what it was all in aid of -- and what Paunch did to get himself arrested. Maybe the bribes weren't big enough?
I think you're ignoring how some of these people get into this criminal line of work. Suppose you had been doing honest work as a developer, or maybe even something like a pen tester. Suppose one day you discover a really reliable vulnerability you can exploit in some really, really widely used software, maybe the SMB service on Windows or something. It works just about everywhere and gets privileged access.
Now you got choices:
Tell the vendor - who may be happy to hear from you so they can quickly and quietly patch it. They may even pay you a small bounty. They may also do nothing. They could potentially even try and prosecute you. I can tell you I WOULD NEVER CHOOSE THIS OPTION: little possibility for reward, lots of potential for pain.
Publish it in the legitimate white hat security world -- Probably the best choice. You'll be getting your name out there, which can really help you. You might even be able to make some money off it directly by talking about it at the various *cons. The vendor or project will be forced to fix the vulnerability, which is good because that actually makes everyone safe. If you publish in the proper venue, at least people who care enough to follow this stuff will be able to take some mitigation steps until a proper fix is available.
Sell it -- risky, sure, but might not be all that difficult these days. Could be lots of quick money. Awful hard to say no to a quick $50K shot in the arm. You certainly risk jail and could lose everything, but that calculation then depends on your current situation. If you have a good job and are living comfortably with some savings, you'd probably be crazy to try it. On the other hand, if you're sitting there wondering how you're paying the rent this month and contemplating ramen noodles for dinner again, taking your chances on something like that might be pretty appealing.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html