A major police operation spanning Germany, Australia, Denmark, Sweden, Italy, France and The Netherlands has targeted people who bought the Blackshades malware.
According to Cyber Warzone, 70 homes have been entered in France, while a Dutch civilian said on Twitter that his house had been entered and his hard drives had been seized.
According to PC World, Blackshades was still widely used as of the end of last year. Research by Symantec found that Blackshades, which it classified as W32.Shadesrat, will gather passwords and credentials from infected systems and send them back to the malicious command-and-control server. “Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several other malware families,” it said.
Troy Gill, senior security analyst at AppRiver, said that despite the arrest of the author of Blackshades in 2012, and that these busts have come a little later than might be expected, he said that it is not inconceivable to think that information or access gleaned in the authors arrest could have been instrumental in facilitating this coordinated effort.
He said: “We saw Blackshades being distributed heavily via the Neutrino exploit kit in 2013, it is a Remote Access Trojan that gives the attacker a great deal of control over the victims machine.
“Blackshades has also been known to contain web cam control capabilities as well as ransomware. In addition, Blackshades behaves like a worm in that it contains self-propagation mechanisms to facilitate its spreading to other machines. Its low price certainly makes it an attractive option for low level cyber criminals or any cyber criminal that simply wants one extra weapon in their arsenal.”
Lamar Bailey, director of security research and development at Tripwire, said: “Blackshades has been around since at least 2010 and the source code was ‘leaked’ about three years ago but various versions are still for sale, and the prices range for $40-$100 depending on the specific variant
“Due to the low costs and Blackshades being open source, it has a very wide distribution and attackers use it to collect as much data as possible then the credit cards numbers, financial logins, and person information are sold on the black market.”
Bailey called the action by multiple Governments “an unusual occurrence”, especially when it is being done by multiple agencies across multiple countries around the same time.
He said: “Going after the buyers is an interesting tacit. If the various law enforcement agencies arrest people who give up access to the command and control servers, then law enforcement can try to upload new versions of Blackshades that would neuter many of the versions in the wild and this could be an effective eradication program.”
TK Keanini, CTO of Lancope, called the action “awesome”, and said everyone must do their part to raise the cost for cyber criminals. “Actions like these cause them to change their tactics and even retool; and this costs them which is a good thing,” he said.
“It is all one big system and everyone has a role. As victims make it more difficult for cyber criminal methods, they in turn cause the attacker to act in ways that may make them more exposed, making it easier for the crime fighters to do their jobs and ultimately make arrests. Cyber security is everyone’s problem and everyone has a role they must play.”