Exploit kits of cybercrime tools fell into a big slump in the first half of this year after Russian authorities nabbed the alleged creator of the popular Blackhole kit, but users aren't necessarily safer.
Blackhole so dominated the shadowy market for exploit kits, or bundles of code for taking advantage of known software vulnerabilities, that the number of URL requests associated with exploit kits fell by 87 percent in the first half, according to the Cisco 2014 Midyear Security Report. The report was released on Tuesday during the Black Hat security conference in Las Vegas.
The report, which combines findings from Jan. 1 through June 30 by various security divisions of Cisco Systems, painted a fairly grim picture overall: One statistic, based on observations of 16 enterprise networks, showed that nearly 94 percent of them had Web traffic go to malware sites, the company said. The company's annual security report last December found that 100 percent of observed enterprises -- 30 enterprises, in that case -- had malware traffic. The report also found a marked increase in attacks against media companies.
Blackhole was linked to numerous cyber attacks until its alleged author, who used the nickname Paunch, was arrested last October. There were many exploit kits based on Blackhole, but activity around those has died down since Paunch's arrest. In the meantime, many different kits have been vying for hackers' attention, said Levi Gundert, a technical team leader at Cisco. Exploit-kit creators compete much like makers of any product do, on features (such as how many exploits are included) and customer service, he said.
"There will be a new market leader in the underground," Gundert said. "I think it's just a matter of time before another Blackhole ... emerges and claims dominance."
For the midyear report, Cisco's SourceFire Vulnerability Research Team (VRT) analyzed URL requests on the Internet to determine if the code that generated them came from a known exploit kit. The sharp decline in exploit kit identifications may not mean less malware is out there, Gundert warned. For one thing, some kits are harder to recognize than others. For example, the Sweet Orange kit uses a new pattern every day to create URLs for the rogue pages where it sends victims. "It's very difficult to track from the typical indicators we've used in the past," he said.
Web users frequently get redirected to malware sites by code built into online display ads, which can hijack a browser even if the user never clicks on the malicious ad, Gundert said. Often, the bad site appears briefly as a blank white page. But in the meantime, it will load malware on the user's system that can do just about anything if the computer doesn't have up-to-date protections installed, he said.
Sign up for Computerworld eNewsletters.