This week sees the launch of the latest quarterly AVG Community Powered Threat Report.

So what did the first quarter of 2012 reveal in terms of threats?

Blackhole Toolkits:

Cyber criminals are adopting an increasingly entrepreneurial attitude through the marketing of ‘commercial’ crimeware kits. These kits are available to purchase online and effectively give anyone the tools to become a cyber criminal.

This quarter, other commercial crimeware kits lost market share to the most advanced crimeware offering, the Blackhole exploit kit.

During 2011, AVG research shows that Blackhole was the most popular toolkit and the toolkit of choice for cyber criminals: on average, 70 per cent of attacks were performed by variants of Blackhole.

Blackhole is a sophisticated and powerful exploit kit, mainly due to its polymorphic nature, and it is heavily obfuscated to evade detection by anti-malware solutions. These are the main reasons why it has a high success rate.


Commercialization of crimeware

Blackhole creators ‘commercialized’ their product by providing a subscription-based service. Budding cybercriminals buy the kit and then try to sell it on to recoup their investment, and are therefore also breaking the law.

But what is really interesting is that the Blackhole creators have found a novel way to hold onto the money stream by releasing updates to subscribers only and thereby reducing the numbers of non-paying customers.

Due to the illegality of the practice, it is reasonable to assume that the Blackhole creators expect some of their customers to redistribute or resell copies of the toolkit that they purchased. This is software piracy, but because the software itself is illegal, it is not possible to seek redress through the normal legal channels.


Is the new Blackhole business model planned obsolescence?

We cannot rule out the possibility that the Blackhole creators don’t try too hard to encrypt the exploit code. Decrypting Blackhole isn’t particularly difficult for anti-virus researchers.

The ease of decryption of the code by the security industry provides a sort of ‘planned obsolescence’ of the creators’ product, meaning any version of the kit which is more than a few days old would be useless.

This allows the creators to create a revenue stream from new versions, which they release as updates only to paying subscribers.

With the planned obsolescence business model, the Blackhole creators are assuring themselves of a recurring stream of revenue from their subscribers.


Web Threats

Blackhole Exploit Kit: The most active threat on the Web, 43.55% of detected malware
The most prevalent exploit toolkit in the wild; accounts for 39.4% of toolkits
Percentage of exploit toolkits that account for 58% of all threat activity on malicious websites
Percentage of malware that uses external hardware devices (e.g. flash drives) as a distribution method (AutoRun)

Mobile Threats

The most popular malicious Android™ application
Number of malicious events detected during Q1 2012

Messaging Threats (Spam)

United States: The top spam source country
Number of spam messages originated from the USA, followed by the UK with 9.7%
The top domain in spam messages
The top language used in spam messages (69.3%)

Social infections and Android:

Consumers are going mobile and so are cyber criminals.

It is no surprise that, as more consumers access their favorite social media platforms through their mobile devices, cyber criminals have realized that this is a route to a large number of potential victims.

Cyber criminals create malware that spreads on social networks and infects mobile devices to discreetly send SMS messages to premium-rate numbers at great cost to the compromised party.

The Android platform, with its significant market share, is a big focus for cyber criminals, but social networks are also an increasingly popular channel of attack.

About the report

The Threat Report is put together by collecting data from AVG’s millions of users over a three-month period. The gathered data provides an overview of web, mobile device and spam risks and threats. All statistics referenced are obtained from what we call the AVG Community Protection Network.

The AVG Community Protection Network is an online neighborhood watch, helping everyone in the community to protect each other. Information about the latest threats is collected from customers who choose to participate in the product improvement program and shared with the community to make sure everyone receives the best possible protection.

You can download and read the full AVG Community Powered Threat Report for the first quarter of 2012 from the press site here.