WMF Exploit Sold Underground for $4,000 166
tero1176 writes "Eweek has a story with information from Kaspersky showing that exploit code used in the WMF malware attack was being peddled on underground sites by rival Russian hacker groups for $4,000 in early December. The first sign of an exploit was traced back to the December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code. It serves as more proof that the market for malware is well and truly alive."
Bad Deal (Score:4, Interesting)
Windows Only? (Score:5, Interesting)
So you think Mac and Linux are as unlikely to be unaffected by such?
While it might be hard to purposely code exploits into Windows and Mac, if you were an insider plotting to take advantage of it some day and don't mind losing your job over it. Isn't it more possible to pull a fast one on Open Source, assuming you covered your tracks well enough the few would find it on first glance.
I remember a mud client, early version of Tintin, IIRC, which would make all players shout "Snowy rules, OK" if a client saw some particular text. Not necessarily as bad as it could have been, someone could code the client to [remove all, drop all, flee] on a command if they had wanted. People only became aware of the stunt after the coder logged onto a mud and said "yo"
And who is surprised (Score:5, Interesting)
Organized crime has found the internet, and they seem to like what they see. It's just like one huge, dark alley lined with endless smoke-filled lounges. Lots of seamy places to meet up. Anonimity if you want it. Under-the-table dealings. Faceless bosses and eager young turks with itchy trigger fingers.
The perfect growth media for scum and parasites.
The War Against Spam (Score:5, Interesting)
It used to be that spammers would look for open relay servers in third-world countries, and let those servers do all the work of actually sending the messages. The server administrators either didn't care, or didn't know how to fix the problem, and the language barrier made things difficult. So, people started making blacklists of known open relays, and just refusing any mail that came from those IPs. Spammers would keep finding more open relays, and the blacklists grew.
Eventually, mail servers started coming pre-configured not to allow relaying, and as servers were upgraded, spammers had to move on. Spammers started commissioning worms, paying people to write software that would infect Windows machines remotely over the Internet, and open up a backdoor for the spammers to access. Suddenly you've got hundreds of thousands of IP addresses responsible for sending spam, with many of them on dynamic IPs. There's no good way to blacklist them all, since they keep changing!
Enter Windows XP Service Pack 2, with a software firewall enabled by default. As people upgrade, worms like Code Red and Nimda are no longer effective. So what's next? Spreading viruses through e-mail, IM, and the Web.
So, look for improvements in antivirus software in the next couple of years, as the war against spam continues. Then look for the spammers to find a new way to get their crap into your inbox.
Re:Windows Only? (Score:4, Interesting)
Fortunately, the backdoor was caught via exactly the kind of peer review that open source allows.
see http://kerneltrap.org/node/1584 [kerneltrap.org]
with open source, it's easier to get trojaned code in, but harder for it to stay there. on the reverse, who knows what could be lurking in MS code? I quote:
"A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."
(http://www.eweek.com/article2/0,3959,5264,00.asp [eweek.com]
A "Do we report it" Story (Score:5, Interesting)
This article is pretty meaningless as far as the bigger picture goes, and it probably could have gone unpublished in my mind and no one would have really cared. But it may do more damage than good by being published.
This article shows, and maybe it's because I work with criminals all day (Public Defenders office), that writing malware pays. Before it was for notoriety or to prove you could or to piss people off, but now it can provide an income source and I think we will be seeing more of it from now on just because people are going to be trying to make a buck off of it.
We live in a socitey where a Million-Dolllar-Homepage gets filled (it recently did), where the Gotti family has its own TV show and where Carrot top is a rich man. Our lust for money leads us down the less then friendly paths, and this article reports, once again... that crime does infact pay.
Re:Maybe they should get involved... (Score:3, Interesting)
Re:Maybe they should get involved... (Score:2, Interesting)
Remember the Sony Rootkit fiasco? How many thousands of computers did that compromise and for how many months before they found out about it? And then how many of the AV vendors jumped at the chance to list an item from a major record label as 'malware'?
Then consider how slow the AV companies were to detect spyware. "Oh, it's installed at the user's choice, we shouldn't be detecting or removing it." Yeah, thanks a lot you braindead idiots, it's not like the same spyware might use security exploits as an install vector, same as certain worms and viruses.
Can you tell that I have a small amount of contempt for these 'experts'? They've even managed to convince the users that their products are a neccessity, instead of a too-little-too-late bandaid measure.
2 weeks != a full month (Score:2, Interesting)
From summary: "The first sign of an exploit was traced back to the December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code."
From article: "The first sign of an exploit was traced back to the middle of December 2005, a full two weeks before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code..."
Oh... actually, to be fair, the article does carry on to say: "...it was most likely that the vulnerability was detected by an unnamed person around Dec. 1, 2005. However, it took a few days for the exploit enabling random code to be executed on the victim machine to be developed and put on the market."
meh. nm.Actually... (Score:3, Interesting)