Cisco: Blackhole arrest cuts exploit-kit traffic, but don't let your guard down

Many packages are vying to take the popular kit's place, and security threats still abound, report says

Exploit kits of cybercrime tools fell into a big slump in the first half of this year after Russian authorities nabbed the alleged creator of the popular Blackhole kit, but users aren't necessarily safer.

Blackhole so dominated the shadowy market for exploit kits, or bundles of code for taking advantage of known software vulnerabilities, that the number of URL requests associated with exploit kits fell by 87 percent in the first half, according to the Cisco 2014 Midyear Security Report. The report was released on Tuesday during the Black Hat security conference in Las Vegas.

The report, which combines findings from Jan. 1 through June 30 by various security divisions of Cisco Systems, painted a fairly grim picture overall: One statistic, based on observations of 16 enterprise networks, showed that nearly 94 percent of them had Web traffic go to malware sites, the company said. The company's annual security report last December found that 100 percent of observed enterprises -- 30 enterprises, in that case -- had malware traffic. The report also found a marked increase in attacks against media companies.

Blackhole was linked to numerous cyber attacks until its alleged author, who used the nickname Paunch, was arrested last October. There were many exploit kits based on Blackhole, but activity around those has died down since Paunch's arrest. In the meantime, many different kits have been vying for hackers' attention, said Levi Gunder, a technical team leader at Cisco. Exploit-kit creators compete much like makers of any product do, on features (such as how many exploits are included) and customer service, he said.

"There will be a new market leader in the underground," Gunder said. "I think it's just a matter of time before another Blackhole ... emerges and claims dominance."

For the midyear report, Cisco's SourceFire Vulnerability Research Team (VRT) analyzed URL requests on the Internet to determine if the code that generated them came from a known exploit kit. The sharp decline in exploit kit identifications may not mean less malware is out there, Gunder warned. For one thing, some kits are harder to recognize than others. For example, the Sweet Orange kit uses a new pattern every day to create URLs for the rogue pages where it sends victims. "It's very difficult to track from the typical indicators we've used in the past," he said.

Web users frequently get redirected to malware sites by code built into online display ads, which can hijack a browser even if the user never clicks on the malicious ad, Gunder said. Often, the bad site appears briefly as a blank white page. But in the meantime, it will load malware on the user's system that can do just about anything if the computer doesn't have up-to-date protections installed, he said.

Between 5 percent and 10 percent of all enterprise Web traffic involves so-called malvertising, judging by results from Cisco's CWS (Cloud Web Security) service. CWS analyzes all Web requests from customers around the world who want their traffic monitored for security reasons. CWS looked at 2 billion to 3 billion Web requests, Gunder said.

"This stuff is just rampant," he said. Purveyors of malicious ads buy their way onto legitimate sites through the same exchanges that distribute ordinary ads, paying to have their spots appear every few times the page is shown to a user, Gunder said. The exchanges try to prevent this, but it's hard because there's nothing malicious about the ads themselves, just the URLs that they send visitors to.

"What the evidence shows to date is, they have not been very successful in doing that," he said.

When hackers look for ways to attack, they usually go after Java, especially older versions of the architecture. Of all the indicators that computers had been compromised in the first half of the year, 93 percent pointed to a Java vulnerability, Cisco found. That was up from 91 percent in the previous six months.

Java is the target of choice because so many consumers and businesses use it, especially in browsers, and most don't update it when they need to, Gunder said. Those who do will get redirected to malicious sites just like anyone else, but their systems won't be compromised.

While updating Java is easy for consumers as long as they notice alerts of new versions, it can be more complicated for enterprises, Gunder said. They may have built complex and critical applications based on Java and can't quickly modify that code to run on the new version. It may take six months just to draft a migration plan, while more Java updates in response to new threats are likely to come in the meantime, he said. To help mitigate the dangers, Gunder advised enterprises to closely watch the Web traffic exiting their networks for evidence of exploitation.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags black hatCisco Systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephen Lawson

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?