
WMF Exploit Sold Underground for $4,000

Posted by CmdrTaco
from the now-that's-just-scary dept.
tero1176 writes "Eweek has a story with information from Kaspersky showing that exploit code used in the WMF malware attack was being peddled on underground sites by rival Russian hacker groups for $4,000 in early December. The first sign of an exploit was traced back to December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code. It serves as more proof that the market for malware is well and truly alive."
  • Bad Deal (Score:4, Interesting)

    by lseltzer (311306) on Thursday February 02, 2006 @05:36PM (#14630028)
    The exploit is a flop. The guy should get his money back.
    • Re:Bad Deal (Score:3, Informative)

      by hal9000(jr) (316943)
      The exploit is a flop. The guy should get his money back.

      Huh? It worked just dandy on all the machines I tested on. Well, at least the Metasploit WMF exploit [metasploit.com] mods did.

      It's not the seller's fault those pesky white hat hackers discovered it so soon. :) Buyer beware!
      • Re:Bad Deal (Score:3, Insightful)

        by lseltzer (311306)
        It worked, but it was supposed to be the tool of a major outbreak that never materialized, and is now unlikely to.
        • Re:Bad Deal (Score:3, Insightful)

          by grcumb (781340)

          "It worked, but it was supposed to be the tool of a major outbreak that never materialized, and is now unlikely to."

          True, but it never happened in the same way the Y2K crisis 'didn't happen'. It was prevented by the concerted action of a very large number of people who preemptively developed and deployed a patch to fill the gap until the vendor-provided one happened along. If it hadn't been for the public dissemination of the risk assessment and analytical data, this could have been a big problem.

          That s

    • Re:Bad Deal (Score:4, Insightful)

      by DrSkwid (118965) on Thursday February 02, 2006 @06:30PM (#14630495) Homepage Journal
      If you buy an exploit for $4000, chances are you already have a target.

      And, you've probably bought one before and made more than the $4000 you are about to spend.

      Perhaps they got the trade secrets / passwords they were after in a few hours, not the month it took to become Zero Day, lol, now there's a misnomer !
  • by ackthpt (218170) * on Thursday February 02, 2006 @05:38PM (#14630042) Homepage Journal
    It serves as more proof that the market for malware is well and truly alive."

    Do you suppose Microsoft will try to enter this market, too?

  • by Orrin Bloquy (898571) on Thursday February 02, 2006 @05:39PM (#14630050) Journal
    ...open source exploits for a commercial OS?

    Joke, don't waste your mod points here.
  • by davidgrouchy (661051) on Thursday February 02, 2006 @05:41PM (#14630073) Homepage Journal
    Will my AT&T "platinum," "gold" and "silver" levels of Internet access provide access to this underground market ?
  • by Dragon of the Pants (913545) on Thursday February 02, 2006 @05:44PM (#14630103) Homepage
    In Soviet Russia, code exploits you!
    • Re:Russians eh? (Score:3, Insightful)

      by dasnov (900499)
      how many times will 'jokes' like this be modded funny?
      • I think they were moderating the sig.
      • Re:Russians eh? (Score:3, Insightful)

        by miffo.swe (547642)
        The whole point of jokes like that is they get funnier the more worn out and lame they get. They aren't supposed to be funny in themselves. I suppose it's a cultural thing. I can't stand slapstick and US humour with pie throwing and at the same time I can't understand why someone doesn't think the dead parrot with Monty Python is hilarious.
        • I understand this phenomenon, but I don't think the "in Soviet Russia..." joke is a good example of it. "No one expects the Spanish Inquisition!" is one that gets better every time IMO.
          • Also the fact that things like the Spanish Inquisition are used so infrequently these days that when one actually is used it's that much more effective. Last time I said "supposing two carried it together" it got quite a few laughs.
      • for as long as they are funny

        f007
      • comedy questions you!
    • Re:Russians eh? (Score:1, Redundant)

      by caluml (551744)
      In Soviet Russia, you exploit hackers!
    • don't you mean ex-Soviet?

      ---
      and yes /. sometimes I *can* write a reply in less than 15 seconds.
    • here's the thing. This joke isn't funny unless it's true the other way. In this case... people don't exploit code... got it?
      It's really not that hard of a concept. Something like "In Soviet Russia, car drives you". That works. Or one I invented: "In Soviet Russia, Market sells YOU". Just so you know for the future, jokes have to make sense.
  • I wonder how much someone from an A/V company paid "Melissa" to leave the guy who wrote the virus/worm ?

    Is it just me or does it seem like there is no money to be made with this "underground" stuff. $20 for Win NT/2000 source $4,000 for this.
    Maybe he should sue Apple, I have to believe he bought an iPod with his new found treasure, and we all know it kills ears dead http://it.slashdot.org/comments.pl?sid=175984&cid=14627254 [slashdot.org]
  • My biggest question is, where is the eBay link to the sale?
    • I don't know if it was the .wmf exploit, but there was an exploit for sale on eBay [ebay.com] during the first week of December, 2005. This was referenced [seclists.org] in the Full-Disclosure mailing list, which is archived at seclists.org (among other places). The auction may have been a hoax, but eBay cancelled it anyway.
  • And who is surprised (Score:5, Interesting)

    by theCat (36907) on Thursday February 02, 2006 @05:51PM (#14630171) Journal
    There have been shadowy glimpses of this "other economy" for a while, in the bot army cottage industry and the various rackets where popular sites are threatened with black-out if they don't pay for "protection". But all that is just the warmup to the big show.

    Organized crime has found the internet, and they seem to like what they see. It's just like one huge, dark alley lined with endless smoke-filled lounges. Lots of seamy places to meet up. Anonymity if you want it. Under-the-table dealings. Faceless bosses and eager young turks with itchy trigger fingers.

    The perfect growth media for scum and parasites.
    • Organized crime has found the internet, and they seem to like what they see. It's just like one huge, dark alley lined with endless smoke-filled lounges. Lots of seamy places to meet up. Anonymity if you want it. Under-the-table dealings. Faceless bosses and eager young turks with itchy trigger fingers.

      The perfect growth media for scum and parasites.


      You misspelled AT&T a few times in there.
    • oh be fair and leave the white house out of this.. you know W can't read
    • So the internet is basically Tatooine? That rocks!

      -WS
    • Organized crime has found the internet

      I suddenly had a vision of Robert DeNiro in "Analyze This!", saying "Get with the times? What do you want to do, start a fuckin' web page?"
    • I think that you're taking the analogy way the hell too far. Think of it, this exploit was one of the more effective Windows exploits for a while - at least of those that I remember - and it sold for a measly 4000 bucks. This is way too little for any serious criminals to get involved. While I don't know the exact prices, I'm sure that it is much much easier to generate returns of this scale by selling small quantities of drugs, which is easier, takes much less education and skill, and is a lot less tracab
    • "Organized crime"? Oh, no. I know such guys - not in person, but I've had "talks" with them online - they are surprisingly blunt with us, Russian security specialists and webmasters. They are mostly young (17-25) Russians, living in ex-USSR republics (Estonia, Ukraine), usually jobless - or even if they have a job, the income is usually very low. They are just geeks who have chosen a dark side of the Force.
  • It serves as more proof that the market for malware is well and truly alive.

    No kidding, they've got a whole aisle over at Fry's for this stuff. No, not the anti-viral stuff. Look over in the office productivity and word processing section. They even bundle it together sometimes!
  • So, let's hear someone argue against full disclosure now, eh?
    • So, let's hear someone argue against full disclosure now, eh?

      I'm fairly confident that Microsoft would not be able to keep up with the wave of bugs discovered once/if they do release their source. They have a hard time keeping up as it is.

    • Well, there are two possibilities:

      Either a white hat discovers a vulnerability when it's already known by some black hats or the vulnerability isn't known by any blackhats yet.

      In the first case, full disclosure means that everyone will know it, which will allow all the black hats to exploit the public with it before the company has a chance to fix it and deploy (or at least try) the fix. Those are the disadvantages - the only advantage I see is that no black hats will be able to make money selling the vulnera
      • With full disclosure, users can be warned ahead of time.

        also, with full disclosure companies won't be able to ignore it to begin with.

      • In the first case, full disclosure means that everyone will know it, which will allow all the black hats to exploit the public with it before the company has a chance to fix it and deploy (or at least try) the fix.

        BZZZZT! WRONG!

        The only people going to be exploited in this case are the people who CONTINUE TO USE THE SERVICE DESPITE PUBLIC KNOWLEDGE THAT IT IS INSECURE.

        Imagine there's a server out there with all your financial information on it. If someone gets access to it you'll be ruined. Do you reall
  • It just goes to show how much the underground actually retains as far as exploit code is concerned. Makes you think what else is circulating which the general public doesn't know about.
  • The War Against Spam (Score:5, Interesting)

    by Phroggy (441) * <[moc.yggorhp] [ta] [3todhsals]> on Thursday February 02, 2006 @06:01PM (#14630267) Homepage
    This is a huge issue that the general public is completely unaware of. Most people still believe that viruses are created as an annoying prank by kids with something to prove. This may be true in some cases, but most of the malware out there now is created for a very specific purpose: building a botnet that can be sold for cold hard cash to the highest bidder. Who's buying them? Spammers.

    It used to be that spammers would look for open relay servers in third-world countries, and let those servers do all the work of actually sending the messages. The server administrators either didn't care, or didn't know how to fix the problem, and the language barrier made things difficult. So, people started making blacklists of known open relays, and just refusing any mail that came from those IPs. Spammers would keep finding more open relays, and the blacklists grew.

    Eventually, mail servers started coming pre-configured not to allow relaying, and as servers were upgraded, spammers had to move on. Spammers started commissioning worms, paying people to write software that would infect Windows machines remotely over the Internet, and open up a backdoor for the spammers to access. Suddenly you've got hundreds of thousands of IP addresses responsible for sending spam, with many of them on dynamic IPs. There's no good way to blacklist them all, since they keep changing!

    Enter Windows XP Service Pack 2, with a software firewall enabled by default. As people upgrade, worms like Code Red and Nimda are no longer effective. So what's next? Spreading viruses through e-mail, IM, and the Web.

    So, look for improvements in antivirus software in the next couple of years, as the war against spam continues. Then look for the spammers to find a new way to get their crap into your inbox.
    • by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday February 02, 2006 @06:24PM (#14630459) Homepage Journal

      Enter Windows XP Service Pack 2, with a software firewall enabled by default. As people upgrade, worms like Code Red and Nimda are no longer effective. So what's next? Spreading viruses through e-mail, IM, and the Web.

      You left out something important: Outlook Express would execute code by default, so email was kind of the de facto vector for virus propagation until they started closing down OE [somewhat] and that's when worms really took off.

      Before that, it was mostly viruses attached to programs. You'd attach a new virus to some really desirable warez and upload the stuff to a BBS. The BBS owner would run the software and the virus would attach itself to lots of other software, any time they repacked it for their chosen archive format...

      • Before that, it was mostly viruses attached to programs. You'd attach a new virus to some really desirable warez and upload the stuff to a BBS. The BBS owner would run the software and the virus would attach itself to lots of other software, any time they repacked it for their chosen archive format...

        That was a different kind of virus, not sponsored by spammers. Back then, it really WAS created by kids with something to prove, and there was no money in it.

        You're right about Outlook Express (although I thin
        • although I think Outlook was even more vulnerable than OE was

          Depends on the version, Pre 2000 Outlook, ya probably, but in 2000 Microsoft started locking attachments and in page HTML abilities from the users by default, even if the user assumed them to be safe. For example, a .url, .vbs, .exe - etc would not be able to be opened or retrieved in Outlook even if the user wanted the file.
      • The BBS owner would run the software and the virus would attach itself to lots of other software, any time they repacked it for their chosen archive format...

        I think you mean each time they inserted an advertisement for their BBS into every archive that passed through. It wasn't uncommon to download zips with ads for several different boards.

        • Actually, you don't have to unpack a zip to add a comment. It's only if you're changing to rar/ace/zoo/whatever (I used LHA, in the short time I ran anything, but it was pre-RAR) that your executables are necessarily exposed.
  • DRM needed (Score:5, Funny)

    by Anonymous Coward on Thursday February 02, 2006 @06:05PM (#14630299)
    Ironically, copies of the exploit were pirated by a group of Chinese hackers and sold on Ebay for pennies on the dollar...
  • by OctoberSky (888619) on Thursday February 02, 2006 @06:16PM (#14630383)
    This is one of those "Do we, the media, report it?" stories.
    This article is pretty meaningless as far as the bigger picture goes, and it probably could have gone unpublished in my mind and no one would have really cared. But it may do more damage than good by being published.
    This article shows, and maybe it's because I work with criminals all day (Public Defenders office), that writing malware pays. Before it was for notoriety or to prove you could or to piss people off, but now it can provide an income source and I think we will be seeing more of it from now on just because people are going to be trying to make a buck off of it.
    We live in a society where a Million-Dollar-Homepage gets filled (it recently did), where the Gotti family has its own TV show and where Carrot Top is a rich man. Our lust for money leads us down the less than friendly paths, and this article reports, once again... that crime does in fact pay.
    • Yea, but everyone already knew that (crime pays). Luckily, finding security holes in products is hard work and that keeps most of the criminally inclined away.
    • You only have to look at the history of the world and where the govts. of Europe came from.

      My govt. is the ashes of the 1066 invasion of England by France, definitely a crime. Our Royal Family are some of the world's richest people. They didn't amass that fortune through hard work, sweat and toil. Their ancestors killed people for it. Plain and simple.

      Crime pays, it even pays you!

  • Hmm.. (Score:3, Funny)

    by punkr0x (945364) on Thursday February 02, 2006 @06:24PM (#14630452)
    So if Windows exploits are worth $4,000 a pop, and Bill Gates is worth something like $50 billion, that adds up to... 12.5 million Windows exploits. That number seems a little low, must be not all of them are worth 4 grand.
  • by jbeaupre (752124) on Thursday February 02, 2006 @06:34PM (#14630530)
    It will cost an extra $500 to get set up to sign your malware in order for it to install. Good thinking Microsoft. That extra 12.5% tax will make it totally uneconomical.
  • by unholy1 (764019)

    From summary: "The first sign of an exploit was traced back to December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code."

    From article: "The first sign of an exploit was traced back to the middle of December 2005, a full two weeks before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code..."

    Oh... actually, to be fair, the article does carry on to say: "...it was most likely that t

  • I misread that as 'WMDs Exploit sold underground for $4,000'.

    Of course, WMDs would read 'WMDs exploit sold by administration for $Several hundred billion '

  • Amusing advert (Score:4, Insightful)

    by eyepeepackets (33477) on Thursday February 02, 2006 @07:27PM (#14630850)
    How appropriate that a Microsoft "Get the Facts" ad should show up at the top of this particular page -- gotta love that Murphy guy when he works in your favor.

    To the Microsoft Marketing folks: I'd trade you a fact for a clue but since you have neither facts nor clues I guess we won't be doing business any time soon.

    Cheers.

  • by keen (86192) on Thursday February 02, 2006 @08:02PM (#14631110)
    According to Gostev, the rival hacker gangs did not seem to fully understand the exact nature of the vulnerability.

    Otherwise it should have gone for much more than $4,000, even in a black market. Imagine an exploit where you can gain access to any Windows computer on Earth for the last several builds of Windows?

    This is why we should set up companies to act as middleman and legitimately buy exploits. They would pay more and we would be able to get things patched quicker.
  • by AyeRoxor! (471669) on Thursday February 02, 2006 @08:19PM (#14631220) Journal
    "[...] the vulnerability was detected by an unnamed person around Dec. 1, 2005."

    Ok, what are the chances that this person really has no name?!

    I'm going to have to call shenanigans on this whole article.

  • Whatever happened to hackers wanting all information to be free?
  • I think it is unfair that it is first offered to the people who pay money for it and only later to others. Especially unfair to Microsoft who would NEVER do such a thing.

  • by saboola (655522) on Thursday February 02, 2006 @10:13PM (#14631865)
    Exploit works as advertised!!! Speedy email!! Would Buy From AGAIN!! A+++++++++++! :)
