Cisco: Blackhole arrest cuts exploit-kit traffic, but don't let your guard down

Many packages are vying to take the popular kit's place, and security threats still abound, report says

Exploit kits of cybercrime tools fell into a big slump in the first half of this year after Russian authorities nabbed the alleged creator of the popular Blackhole kit, but users aren't necessarily safer.

Blackhole so dominated the shadowy market for exploit kits, or bundles of code for taking advantage of known software vulnerabilities, that the number of URL requests associated with exploit kits fell by 87 percent in the first half, according to the Cisco 2014 Midyear Security Report. The report was released on Tuesday during the Black Hat security conference in Las Vegas.

The report, which combines findings from Jan. 1 through June 30 by various security divisions of Cisco Systems, painted a fairly grim picture overall: One statistic, based on observations of 16 enterprise networks, showed that nearly 94 percent of them had Web traffic go to malware sites, the company said. The company's annual security report last December found that 100 percent of observed enterprises -- 30 enterprises, in that case -- had malware traffic. The report also found a marked increase in attacks against media companies.

Blackhole was linked to numerous cyber attacks until its alleged author, who used the nickname Paunch, was arrested last October. There were many exploit kits based on Blackhole, but activity around those has died down since Paunch's arrest. In the meantime, many different kits have been vying for hackers' attention, said Levi Gunder, a technical team leader at Cisco. Exploit-kit creators compete much like makers of any product do, on features (such as how many exploits are included) and customer service, he said.

"There will be a new market leader in the underground," Gunder said. "I think it's just a matter of time before another Blackhole ... emerges and claims dominance."

For the midyear report, Cisco's SourceFire Vulnerability Research Team (VRT) analyzed URL requests on the Internet to determine if the code that generated them came from a known exploit kit. The sharp decline in exploit kit identifications may not mean less malware is out there, Gunder warned. For one thing, some kits are harder to recognize than others. For example, the Sweet Orange kit uses a new pattern every day to create URLs for the rogue pages where it sends victims. "It's very difficult to track from the typical indicators we've used in the past," he said.

Web users frequently get redirected to malware sites by code built into online display ads, which can hijack a browser even if the user never clicks on the malicious ad, Gunder said. Often, the bad site appears briefly as a blank white page. But in the meantime, it will load malware on the user's system that can do just about anything if the computer doesn't have up-to-date protections installed, he said.

Between 5 percent and 10 percent of all enterprise Web traffic involves so-called malvertising, judging by results from Cisco's CWS (Cloud Web Security) service. CWS analyzes all Web requests from customers around the world who want their traffic monitored for security reasons. CWS looked at 2 billion to 3 billion Web requests, Gunder said.

"This stuff is just rampant," he said. Purveyors of malicious ads buy their way onto legitimate sites through the same exchanges that distribute ordinary ads, paying to have their spots appear every few times the page is shown to a user, Gunder said. The exchanges try to prevent this, but it's hard because there's nothing malicious about the ads themselves, just the URLs that they send visitors to.

"What the evidence shows to date is, they have not been very successful in doing that," he said.

When hackers look for ways to attack, they usually go after Java, especially older versions of the architecture. Of all the indicators that computers had been compromised in the first half of the year, 93 percent pointed to a Java vulnerability, Cisco found. That was up from 91 percent in the previous six months.

Java is the target of choice because so many consumers and businesses use it, especially in browsers, and most don't update it when they need to, Gunder said. Those who do will get redirected to malicious sites just like anyone else, but their systems won't be compromised.

While updating Java is easy for consumers as long as they notice alerts of new versions, it can be more complicated for enterprises, Gunder said. They may have built complex and critical applications based on Java and can't quickly modify that code to run on the new version. It may take six months just to draft a migration plan, while more Java updates in response to new threats are likely to come in the meantime, he said. To help mitigate the dangers, Gunder advised enterprises to closely watch the Web traffic exiting their networks for evidence of exploitation.
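The egress-monitoring advice above, as an added example that is not from the article or from Cisco's report: a small Python scanner over constructed proxy-log lines that flags Java runtimes fetching .jar/.class content from hosts outside a known-host list, and notes when the runtime is older than an assumed minimum update level (the log layout, host list and update threshold are all assumptions).

```python
"""Flag egress proxy log lines suggesting Java-based exploit-kit activity.

Constructed example; log format and thresholds are assumptions, not
detection logic from the Cisco report.
"""
import re
from collections import namedtuple

# Assumed proxy log layout: '<client_ip> <host> <path> "<user_agent>"'.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

# Java's built-in HTTP client identifies itself as e.g. "Java/1.7.0_25".
JAVA_UA_RE = re.compile(r'\bJava/(\d+)\.(\d+)\.(\d+)_(\d+)\b')

# Assumed minimum acceptable Java 7 update; older runtimes are called out.
MIN_JAVA7_UPDATE = 65

Alert = namedtuple("Alert", "client host reason")


def java_update(user_agent):
    """Return (major, minor, patch, update) from a Java UA, or None."""
    m = JAVA_UA_RE.search(user_agent)
    return tuple(int(g) for g in m.groups()) if m else None


def scan_egress(lines, known_hosts):
    """Return alerts for Java clients pulling code from unfamiliar hosts.

    A Java runtime downloading .jar/.class content directly from a host
    the enterprise does not recognise is the post-redirect stage an
    exploit kit depends on; an outdated runtime makes it more serious.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        client, host, path, ua = m.groups()
        ver = java_update(ua)
        if ver is None or not path.lower().endswith((".jar", ".class")):
            continue
        if host in known_hosts:
            continue
        reason = "java client fetched code from unknown host"
        if ver[:2] == (1, 7) and ver[3] < MIN_JAVA7_UPDATE:
            reason += " with outdated Java runtime"
        alerts.append(Alert(client, host, reason))
    return alerts


# Constructed sample lines: one benign fetch, two worth investigating.
SAMPLE_LOG = [
    '10.0.0.5 updates.example-corp.internal /app/client.jar "Java/1.7.0_71"',
    '10.0.0.7 x9f3.example.invalid /a3b9c.jar "Java/1.7.0_25"',
    '10.0.0.9 k2m.example.invalid /load.class "Java/1.8.0_11"',
]
KNOWN_HOSTS = {"updates.example-corp.internal"}
```

Running `scan_egress(SAMPLE_LOG, KNOWN_HOSTS)` yields two alerts; the first is also marked as coming from an outdated runtime.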

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is
