Here in the VRT, we keep a pretty close eye on Exploit Kits, their trends, their pattern shifts, and how we can protect our customers against these exploit kits in the real world.
Recent headlines from various news agencies reported that the author of the Blackhole and Cool exploit kits, who goes by the nickname "Paunch", was arrested a couple of weeks ago. Several articles document a decline in the number of Blackhole and Cool exploit kits now being seen in the wild, and we have been observing the same trend.
However, it is a decline, not a complete falloff, so remain vigilant.
Crypt.am (the service used to encrypt and obfuscate the Blackhole exploit kit) is now completely offline, and that is pretty telling. The exploits bundled in Blackhole are about a week and a half old at this point; before the arrest, the kit rotated its exploits much faster, and the fact that nobody is refreshing them is another sign the operation has stalled. The last date we observed significantly high numbers was the 9th of October. Since then Blackhole prevalence has declined to almost zero. We have still seen Blackhole in the wild, but, as noted above, only with this older content, which means systems patched against those exploits are far less exposed than they were while the kit was being maintained.
Detection rates for exploit kits such as Neutrino, Styx, and Nuclear have stayed about the same. X2O shows a spurt of activity periodically, and some kits, such as Fiesta and Whitehole, barely make a dent in the numbers.
However, Sweet Orange increased drastically shortly after Paunch's arrest, by about 214%. During that surge we watched the port hosting the landing page and exploits move at least three times, so detection that keys on a fixed port alone would have lost it; content-based detection is what held up. Since around October 17th, though, Sweet Orange has also disappeared.
Also, for some color: according to telemetry from our desktop antivirus products, FireAMP and Immunet, 98% of the compromises we observed were delivered through Java. The remaining 2% is every other exploit vector (Adobe Reader, Flash, the browser itself, etc.) combined.
Recommendation? Turn off Java in the browser. Disabling the browser plug-in leaves standalone Java applications working, and it removes the vector behind nearly all of the compromises we saw. It's at least a start!
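One way to do that across a fleet rather than one Java Control Panel at a time is the Java system-level deployment configuration: a `deployment.config` that points at a mandatory `deployment.properties`, which sets `deployment.webjava.enabled=false` and locks it so users cannot re-enable the plug-in. The script below is an added example, not code from the original post or from Sourcefire; it assumes Java 7 update 10 or later (where `deployment.webjava.enabled` exists) and takes the target directory as an argument, so you can test it in a scratch directory before pointing it at the real system location (`/etc/.java/deployment` on Linux, `%WINDIR%\Sun\Java\Deployment` on Windows). The file URL written into `deployment.config` is derived from that directory and is an assumption you must adjust for Windows paths.

```shell
#!/bin/sh
# Added example: write a system-wide Java deployment policy that
# disables the Java browser plug-in and locks the setting.
# Usage: sh disable_java_plugin.sh /etc/.java/deployment
#   (or %WINDIR%\Sun\Java\Deployment on Windows, with a file:///C:/... URL)

# Write deployment.config and a mandatory deployment.properties into $1.
write_java_deployment_policy() {
    dir="$1"
    mkdir -p "$dir"

    # deployment.config tells Java where the system properties file lives
    # and that it is mandatory (Java refuses to run if it cannot load it).
    # NOTE: file URL assumed to be POSIX-style; adjust for Windows.
    cat > "$dir/deployment.config" <<EOF
deployment.system.config=file://$dir/deployment.properties
deployment.system.config.mandatory=true
EOF

    # deployment.properties: the weak default is the plug-in enabled.
    # Setting the key to false turns it off; the ".locked" line (a key
    # with no value) stops users from flipping it back in the Control Panel.
    # The security level is raised and locked as a second layer for any
    # host where the plug-in somehow stays on.
    cat > "$dir/deployment.properties" <<EOF
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
EOF
}

# Compliance check: return 0 only if the properties file in $1 both
# disables the plug-in and locks that setting.
java_webplugin_disabled() {
    props="$1/deployment.properties"
    [ -f "$props" ] || return 1
    grep -q '^deployment\.webjava\.enabled=false$' "$props" || return 1
    grep -q '^deployment\.webjava\.enabled\.locked$' "$props" || return 1
    return 0
}

# Run when invoked with a directory argument; skipped when sourced.
if [ "$#" -ge 1 ]; then
    write_java_deployment_policy "$1"
    if java_webplugin_disabled "$1"; then
        echo "Java browser plug-in disabled and locked in $1"
    else
        echo "Policy write failed in $1" >&2
        exit 1
    fi
fi
```

Run it as an administrator, then confirm in the Java Control Panel that the "Enable Java content in the browser" box is cleared and greyed out; `java_webplugin_disabled` is the same check expressed as a script, so it can be dropped into a fleet audit to find hosts where the policy never landed.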