
WMF Exploit Sold Underground for $4,000

tero1176 writes "Eweek has a story with information from Kaspersky showing that exploit code used in the WMF malware attack was being peddled on underground sites by rival Russian hacker groups for $4,000 in early December. The first sign of an exploit was traced back to December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code. It serves as more proof that the market for malware is well and truly alive."
  • Re:Russians eh? (Score:3, Insightful)

    by dasnov ( 900499 ) on Thursday February 02, 2006 @05:46PM (#14630129)
    how many times will 'jokes' like this be modded funny?
  • Re:Bad Deal (Score:3, Insightful)

    by lseltzer ( 311306 ) on Thursday February 02, 2006 @05:52PM (#14630184)
    It worked, but it was supposed to be the tool of a major outbreak that never materialized, and is now unlikely to.
  • Re:Russians eh? (Score:3, Insightful)

    by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Thursday February 02, 2006 @06:03PM (#14630277) Homepage Journal
    The whole point of jokes like that is they get funnier the more worn out and lame they get. They aren't supposed to be funny in themselves. I suppose it's a cultural thing. I can't stand slapstick and US humour with pie throwing and at the same time I can't understand why someone doesn't think the dead parrot with Monty Python is hilarious.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday February 02, 2006 @06:24PM (#14630459) Homepage Journal

    Enter Windows XP Service Pack 2, with a software firewall enabled by default. As people upgrade, worms like Code Red and Nimda are no longer effective. So what's next? Spreading viruses through e-mail, IM, and the Web.

    You left out something important: Outlook Express would execute code by default, so email was kind of the de facto vector for virus propagation until they started closing down OE [somewhat] and that's when worms really took off.

    Before that, it was mostly viruses attached to programs. You'd attach a new virus to some really desirable warez and upload the stuff to a BBS. The BBS owner would run the software and the virus would attach itself to lots of other software, any time they repacked it for their chosen archive format...

  • Re:Bad Deal (Score:3, Insightful)

    by grcumb ( 781340 ) on Thursday February 02, 2006 @06:27PM (#14630474) Homepage Journal

    "It worked, but it was supposed to be the tool of a major outbreak that never materialized, and is now unlikely to."

    True, but it never happened in the same way the Y2K crisis 'didn't happen'. It was prevented by the concerted action of a very large number of people who preemptively developed and deployed a patch to fill the gap until the vendor-provided one happened along. If it hadn't been for the public dissemination of the risk assessment and analytical data, this could have been a big problem.

    That said, the damage was also mitigated by the fact that the black hats using the exploit decided not to package it in a highly virulent form. Nonetheless, the potential for widespread damage was very real - and remains a danger to those few who have yet to patch their systems.

  • Re:Bad Deal (Score:4, Insightful)

    by DrSkwid ( 118965 ) on Thursday February 02, 2006 @06:30PM (#14630495) Journal
    If you buy an exploit for $4000, chances are you already have a target.

    And, you've probably bought one before and made more than the $4000 you are about to spend.

    Perhaps they got the trade secrets / passwords they were after in a few hours, not the month it took to become Zero Day, lol, now there's a misnomer!
  • Amusing advert (Score:4, Insightful)

    by eyepeepackets ( 33477 ) on Thursday February 02, 2006 @07:27PM (#14630850)
    How appropriate that a Microsoft "Get the Facts" ad should show up at the top of this particular page -- gotta love that Murphy guy when he works in your favor.

    To the Microsoft Marketing folks: I'd trade you a fact for a clue but since you have neither facts nor clues I guess we won't be doing business any time soon.

    Cheers.

  • by Dr.Syshalt ( 702491 ) on Thursday February 02, 2006 @07:43PM (#14630970)
    "Organized crime"? Oh, no. I know such guys - not in person, but I've had "talks" with them online - they are surprisingly blunt with us, Russian security specialists and webmasters. They are mostly young (17-25) Russians, living in ex-USSR republics (Estonia, Ukraine), usually jobless - or even if they have a job, the income is usually very low. They are just geeks who have chosen the dark side of the Force.
  • by __aaijsn7246 ( 86192 ) on Thursday February 02, 2006 @08:02PM (#14631110)
    According to Gostev, the rival hacker gangs did not seem to fully understand the exact nature of the vulnerability.

    Otherwise it should have gone for much more than $4,000, even in a black market. Imagine an exploit where you can gain access to any Windows computer on Earth for the last several builds of Windows?

    This is why we should set up companies to act as middlemen and legitimately buy exploits. They would pay more and we would be able to get things patched quicker.
  • by mnmn ( 145599 ) on Thursday February 02, 2006 @10:54PM (#14632072) Homepage
    I've seen powerouts but geez. Stone age? People in the Bronze age didn't require MS Windows did they?

    At best millions of people will be bugged and Linux and Apple vendors will have a hell of a time selling their OSes.
  • by theLOUDroom ( 556455 ) on Friday February 03, 2006 @12:13AM (#14632504)
    In the first case, full disclosure means that everyone will know it, which will allow all the black hats to exploit the public with it before the company has a chance to fix it and deploy (or at least try) the fix.

    BZZZZT! WRONG!

    The only people going to be exploited in this case are the people who CONTINUE TO USE THE SERVICE DESPITE PUBLIC KNOWLEDGE THAT IT IS INSECURE.

    Imagine there's a server out there with all your financial information on it. If someone gets access to it you'll be ruined. Do you really want to just *hope* that no one takes advantage of the vulnerability, OR would you rather they just unplug that box until the fix is ready in 24 hours?

    Full disclosure puts the pressure where it belongs (better fix it before I switch to a different platform) and allows users to make an informed decision about what software to use.

  • Re:Bad Deal (Score:1, Insightful)

    by Anonymous Coward on Friday February 03, 2006 @04:22PM (#14637371)
    "It worked, but it was supposed to be the tool of a major outbreak that never materialized, and is now unlikely to."

    How would you know?

    I mean, OK in this case you can probably look at various historical logged data, scanning for messages with vulnerability-exploiting code in them. But generally, if something doesn't send a thousand packets per second, doesn't make your computer run slow, and doesn't make XP reboot more than usual, would anyone even notice?

    Maybe this was the first worm to be written by someone who wasn't using it as a spambot? Maybe some of these exploits are being used by "intelligence" agencies rather than by scammers. How can anyone know that their computer is trustworthy, if exploits need to DDOS a website before people notice them?
