WMF Exploit Sold Underground for $4,000
tero1176 writes "Eweek has a story with information from Kaspersky showing that exploit code used in the WMF malware attack was being peddled on underground sites by rival Russian hacker groups for $4,000 in early December. The first sign of an exploit was traced back to the December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code. It serves as more proof that the market for malware is well and truly alive."
Bad Deal (Score:4, Interesting)
Re:Bad Deal (Score:3, Informative)
Huh? It worked just dandy on all the machines I tested on. Well, at least the Metasploit WMF exploit [metasploit.com] mods did.
It's not the seller's fault those pesky white hat hackers discovered it so soon.
Re:Bad Deal (Score:3, Insightful)
Re:Bad Deal (Score:3, Insightful)
"It worked, but it was supposed to be the tool of a major outbreak that never materialized, and is now unlikely to."
True, but it never happened in the same way the Y2K crisis 'didn't happen'. It was prevented by the concerted action of a very large number of people who pre-emptively developed and deployed a patch to fill the gap until the vendor-provided one happened along. If it hadn't been for the public dissemination of the risk assessment and analytical data, this could have been a big problem.
That s
Re:Bad Deal (Score:2)
Re:Bad Deal (Score:4, Insightful)
And, you've probably bought one before and made more than the $4000 you are about to spend.
Perhaps they got the trade secrets / passwords they were after in a few hours, not the month it took to become Zero Day, lol, now there's a misnomer !
Maybe they should get involved... (Score:5, Funny)
Do you suppose Microsoft will try to enter this market, too?
Re:Maybe they should get involved... (Score:2)
Re:Maybe they should get involved... (Score:1)
We'll [wikimedia.org] call it the Ecch-Box
Re:Maybe they should get involved... (Score:3, Interesting)
Re:Maybe they should get involved... (Score:2)
Re:Maybe they should get involved... (Score:3, Funny)
You are hear by forbidden from ever using statistics or percentages again.
Re:Maybe they should get involved... (Score:4, Funny)
You are the only one here who thinks hereby is spelled "hear by" or throw is spelled "through". *
You are hereby forbidden to use the English language in a pedantic and patronising manner ever again.
* Probably not true
damn (Score:2)
Society back to the stone age? (Score:5, Insightful)
At best millions of people will be bugged and Linux and Apple vendors will have a hell of a time selling their OSes.
Re:Maybe they should get involved... (Score:2)
I wonder if people will still be saying that "Linux isn't ready for the desktop" when all the Linux desktops are still running and the Windows users' files have been deleted by the 8943rd worm this decade...
Re:Maybe they should get involved... (Score:2, Interesting)
Remember the Sony Rootkit fiasco? How many thousands of computers did that compromise and for how many months before they found out about it? And then how many of the AV vendors jumped at the chance to list an item from a major record label as 'malware'?
Then consider how slow the AV comp
Re:Maybe they should get involved... (Score:1)
Actually... (Score:3, Interesting)
Re:Actually... (Score:5, Informative)
Re:Actually... (Score:3, Informative)
http://web.archive.org/web/20000302035403/http://
Re:Maybe they should get involved... (Score:2)
Re:Maybe they should get involved... (Score:2)
Re:Maybe they should get involved... (Score:2)
ftp://ftp.f-secure.com/anti-virus/tools/f-force.z
What, you expected... (Score:4, Funny)
Joke, don't waste your mod points here.
Re:What, you expected... (Score:2)
Good luck trying to sue the bastards who modify but don't give back to the community.
Access to this market (Score:5, Funny)
Re:Access to this market (Score:3, Funny)
Just wait till you get your next AOL Platinum trial CD in the mail. Then you'll be good.
Russians eh? (Score:4, Funny)
Re:Russians eh? (Score:3, Insightful)
Re:Russians eh? (Score:1)
Re:Russians eh? (Score:3, Insightful)
Re:Russians eh? (Score:2)
Re:Russians eh? (Score:2, Funny)
Re:Russians eh? (Score:1)
f007
In Soviet Russia (Score:2)
Re:Russians eh? (Score:1, Redundant)
Re:Russians eh? (Score:1)
---
and yes
Re:Russians eh? (Score:2)
It's really not that hard of a concept. Something like "In Soviet Russia, car drives you". That works. Or one I invented: "In Soviet Russia, Market sells YOU". Just so you know for the future, jokes have to make sense.
I wonder.... (Score:1)
Is it just me or does it seem like there is no money to be made with this "underground" stuff. $20 for Win NT/2000 source, $4,000 for this.
Maybe he should sue Apple, I have to believe he bought an iPod with his newfound treasure, and we all know it kills ears dead http://it.slashdot.org/comments.pl?sid=175984&cid=14627254 [slashdot.org]
Re: (Score:2, Funny)
Re:Biggest question (Score:2)
And who is surprised (Score:5, Interesting)
Organized crime has found the internet, and they seem to like what they see. It's just like one huge, dark alley lined with endless smoke-filled lounges. Lots of seamy places to meet up. Anonymity if you want it. Under-the-table dealings. Faceless bosses and eager young turks with itchy trigger fingers.
The perfect growth media for scum and parasites.
Re:And who is surprised (Score:3, Funny)
The perfect growth media for scum and parasites.
You misspelled AT&T a few times in there.
Re:And who is surprised (Score:2, Funny)
Re:And who is surprised (Score:2)
-WS
Re:And who is surprised (Score:2)
I suddenly had a vision of Robert DeNiro in "Analyze This!", saying "Get with the times? What do you want to do, start a fuckin' web page?"
Re:And who is surprised (Score:1)
Re:And who is surprised (Score:2, Insightful)
really, you don't say? (Score:2)
No kidding, they've got a whole aisle over at Fry's for this stuff. No, not the anti-viral stuff. Look over in the office productivity and word processing section. They even bundle it together sometimes!
Security Through Obscurity, anyone? (Score:2)
Re:Security Through Obscurity, anyone? (Score:1)
I'm fairly confident that Microsoft would not be able to keep up with the wave of bugs discovered once/if they do release their source. They have a hard time keeping up as it is.
Not that kind of full disclosure. (Score:2)
Re:Security Through Obscurity, anyone? (Score:2)
Or they'll throw up their hands, and use BSD with their own GUI.
Re:Security Through Obscurity, anyone? (Score:2)
Either a white hat discovers a vulnerability when it's already known by some black hats, or the vulnerability isn't known by any black hats yet.
In the first case, full disclosure means that everyone will know it, which will allow all the black hats to exploit the public with it before the company has a chance to fix it and deploy (or at least try) the fix. Those are the disadvantages - the only advantage I see is that no black hats will be able to make money selling the vulnera
Re:Security Through Obscurity, anyone? (Score:2)
also, with full disclosure companies won't be able to ignore it to begin with.
Re:Security Through Obscurity, anyone? (Score:3, Insightful)
BZZZZT! WRONG!
The only people going to be exploited in this case are the people who CONTINUE TO USE THE SERVICE DESPITE PUBLIC KNOWLEDGE THAT IT IS INSECURE.
Imagine there's a server out there with all your financial information on it. If someone gets access to it you'll be ruined. Do you reall
Re:Security Through Obscurity, anyone? (Score:2)
Re:Security Through Obscurity, anyone? (Score:2)
I would suggest that everyone uses a multi-tiered approach to security, and if this fails, shut down that part of the system until a fix is available. In the case where you're using a poorly designed system that would not allow you to shut that portion down, you'll have to weigh the risk of being owned vs. the convenience of staying operational.
People who really care about staying up already have redundant hard
Re:Security Through Obscurity, anyone? (Score:2)
The hacking world. (Score:2)
The War Against Spam (Score:5, Interesting)
It used to be that spammers would look for open relay servers in third-world countries, and let those servers do all the work of actually sending the messages. The server administrators either didn't care, or didn't know how to fix the problem, and the language barrier made things difficult. So, people started making blacklists of known open relays, and just refusing any mail that came from those IPs. Spammers would keep finding more open relays, and the blacklists grew.
Eventually, mail servers started coming pre-configured not to allow relaying, and as servers were upgraded, spammers had to move on. Spammers started commissioning worms, paying people to write software that would infect Windows machines remotely over the Internet, and open up a backdoor for the spammers to access. Suddenly you've got hundreds of thousands of IP addresses responsible for sending spam, with many of them on dynamic IPs. There's no good way to blacklist them all, since they keep changing!
Enter Windows XP Service Pack 2, with a software firewall enabled by default. As people upgrade, worms like Code Red and Nimda are no longer effective. So what's next? Spreading viruses through e-mail, IM, and the Web.
So, look for improvements in antivirus software in the next couple of years, as the war against spam continues. Then look for the spammers to find a new way to get their crap into your inbox.
Re:The War Against Spam (Score:5, Insightful)
You left out something important: Outlook Express would execute code by default, so email was kind of the de facto vector for virus propagation until they started closing down OE [somewhat], and that's when worms really took off.
Before that, it was mostly viruses attached to programs. You'd attach a new virus to some really desirable warez and upload the stuff to a BBS. The BBS owner would run the software and the virus would attach itself to lots of other software, any time they repacked it for their chosen archive format...
Re:The War Against Spam (Score:2)
That was a different kind of virus, not sponsored by spammers. Back then, it really WAS created by kids with something to prove, and there was no money in it.
You're right about Outlook Express (although I thin
Re:The War Against Spam (Score:2)
Depends on the version. Pre-2000 Outlook, ya probably, but in 2000 Microsoft started locking attachments and in-page HTML abilities from the users by default, even if the user assumed them to be safe. For example, a
Re:The War Against Spam (Score:1)
I think you mean each time they inserted an advertisement for their BBS into every archive that passed through. It wasn't uncommon to download zips with ads for several different boards.
Re:The War Against Spam (Score:2)
DRM needed (Score:5, Funny)
A "Do we report it" Story (Score:5, Interesting)
This article is pretty meaningless as far as the bigger picture goes, and it probably could have gone unpublished in my mind and no one would have really cared. But it may do more damage than good by being published.
This article shows, and maybe it's because I work with criminals all day (Public Defenders office), that writing malware pays. Before it was for notoriety or to prove you could or to piss people off, but now it can provide an income source and I think we will be seeing more of it from now on just because people are going to be trying to make a buck off of it.
We live in a society where a Million-Dollar-Homepage gets filled (it recently did), where the Gotti family has its own TV show and where Carrot Top is a rich man. Our lust for money leads us down the less than friendly paths, and this article reports, once again... that crime does in fact pay.
Re:A "Do we report it" Story (Score:2)
Re:A "Do we report it" Story (Score:2)
My govt. is the ashes of the 1066 invasion of England by France, definitely a crime. Our Royal Family are some of the world's richest people. They didn't amass that fortune through hard work, sweat and toil. Their ancestors killed people for it. Plain and simple.
Crime pays, it even pays you!
Hmm.. (Score:3, Funny)
More expensive with Vista (Score:3, Funny)
2 weeks != a full month (Score:2, Interesting)
From summary: "The first sign of an exploit was traced back to the December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code."
From article: "The first sign of an exploit was traced back to the middle of December 2005, a full two weeks before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code..."
Oh... actually, to be fair, the article does carry on to say: "...it was most likely that t
D;oh (Score:1)
Of course, WMDs would read 'WMDs exploit sold by administration for $Several hundred billion '
Re:D;oh (Score:2)
--
"Me fail English? That's unpossible." - Ralph
Are you sure that isn't a direct quote from your president?
Zzzzzz
Amusing advert (Score:4, Insightful)
To the Microsoft Marketing folks: I'd trade you a fact for a clue but since you have neither facts nor clues I guess we won't be doing business any time soon.
Cheers.
They didn't know how much it was worth (Score:3, Insightful)
Otherwise it should have gone for much more than $4,000, even in a black market. Imagine an exploit where you can gain access to any Windows computer on Earth for the last several builds of Windows?
This is why we should set up companies to act as middleman and legitimately buy exploits. They would pay more and we would be able to get things patched quicker.
unknown name? (Score:5, Funny)
Ok, what are the chances that this person really has no name?!
I'm going to have to call shenanigans on this whole article.
They charged money for it? (Score:2)
Re: (Score:2)
Great seller! (Score:4, Funny)
Windows Only? (Score:5, Interesting)
So you think Mac and Linux are as unlikely to be unaffected by such?
While it might be hard to purposely code exploits into Windows and Mac, if you were an insider plotting to take advantage of it some day and don't mind losing your job over it, isn't it more possible to pull a fast one on Open Source, assuming you covered your tracks well enough that few would find it on first glance?
I remember a mud client, an early version of Tintin, IIRC, which would make all players shout "Snowy rules, OK" if a client saw some particular text. Not necessarily as bad as it could have been; someone could code the client to [remove all, drop all, flee] on a command if they had wanted. People only became aware of the stunt after the coder logged onto a mud and said "yo".
Re:Windows Only? (Score:1, Flamebait)
Re:Windows Only? (Score:4, Interesting)
Fortunately, the backdoor was caught via exactly the kind of peer review that open source allows.
see http://kerneltrap.org/node/1584 [kerneltrap.org]
With open source, it's easier to get trojaned code in, but harder for it to stay there. On the reverse, who knows what could be lurking in MS code? I quote:
"A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."
(http://www.eweek.com/article2/0,3959,5264,00.asp [eweek.com])
Re:Windows Only? (Score:2)
Did he say "we would dearly love to release our Source Code, but we can't because
MS are convicted criminals. In legal speak you can't say "they are of good character" ergo, anything they tell you must be taken as a potential lie.
That Windows Source has undisclosed bugs and exploits is not news, so they can use that information to their advantage, not anyone else's.
Re:Windows Only? (Score:2)
If disclosing it would damage national security... (Score:2)
Re:Windows Only? (Score:2)
Well, OS X at least, because any kind of system changes that are often required by these trojans to hook themselves into the system gives either a password prompt or just doesn't work at all. Root isn't even enabled on default installs of OS X. There's no registry to bury arcane system-hook entries in either.
I'd imagine in Linux such system attacks just don't work since they have no way to hook in and propagate, but it's been about a coup
Re:Windows Only? (Score:2)
Re:Windows Only? (Score:2)
Re:Windows Only? (Score:2)
That's the interview linked on Wikipedia. Band members have made similar statements. Ripping artists off is just making sure they don't get paid for their art.
Re:Windows Only? (Score:4, Funny)
Not unlike Slashdot where certain text will cause all readers to post "All your base", "Soviet Russia", "..only old people", "3. Profit!" comments.
Re:Windows Only? (Score:2)
What, and let them know it existed? That is crazy talk. They might patch it and we won't be able to check out their documents and porn collections anymore.
In all honesty, just imagine how much of this could exist on any platform. It only see
Re:Ah, Windows (Score:2)
Umm... how about these file format bugs, which could be exploited just by opening/viewing files on Linux or OSX?
PNG [mitre.org] ZIP [mitre.org] GIF [mitre.org]
File parsing vulnerabilities are certainly as prevalent on Linux and OSX as Windows. It seems that most worm writers don't bother attacking these, though, as Linux and OSX combined make up a very small percentage of client workstations.
Re:Ah, Windows (Score:2)
How, exactly, would you know they're not being exploited? You Mac guys have no AV software, right? And I'll bet you allow all outbound connections from your machine to the internet. Do you have an IDS to warn you of malicious traffic?
An attack doesn't have to be a worm. And it doesn't necessarily have to make itself easily visible by spewing megabits per second of traffic or slowing your machine appreciably.
Re:Run for your lives! (Score:2)
A web browser, for example, only needs to parse the WMF file prior to display to trigger the exploit. If your mail client happens to have a "preview" pane simply clicking the email could also trigger the exploit.
This was a tad more severe than the usual types of email worms.
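The comment above makes the key defensive point: anything that parses a WMF file (browser, preview pane, thumbnailer) is an attack surface, so the place to catch a rigged file is before the renderer sees it. As an added example that is not from this thread or from any of the posters, here is a small Python record walker that parses the WMF header and record stream and flags META_ESCAPE records carrying the SETABORTPROC escape code, the record combination the WMF flaw of this era abused. The record layout (size in 16-bit words, then a function code) and the constants come from the public Windows Metafile format; the two sample files at the bottom are constructed test data with filler bytes, not real captures.

```python
import struct

# Constants from the Windows Metafile format (record function codes).
PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header magic (optional 22-byte prefix)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function the WMF flaw abused


def iter_wmf_records(data):
    """Yield (function_code, param_bytes) for each record in a WMF blob.

    Skips an optional placeable header, validates the 18-byte standard header,
    and stops at META_EOF. A bogus record size raises instead of looping.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:
        raise ValueError("unexpected WMF header size")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("record size smaller than its own header")
        nbytes = size_words * 2
        yield func, data[off + 6:off + nbytes]
        if func == META_EOF:
            break
        off += nbytes


def find_setabortproc(data):
    """Return indices of META_ESCAPE records whose escape code is SETABORTPROC.

    A non-empty result is the signal a mail gateway or proxy would act on
    (quarantine, strip the attachment) before any client renders the file.
    """
    hits = []
    for idx, (func, params) in enumerate(iter_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(idx)
    return hits


def _record(func, params=b""):
    """Build one WMF record: size in 16-bit words, function code, parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    """Wrap records in a standard 18-byte WMF header (constructed test data)."""
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_rec, 0)
    return header + body


# Constructed samples: a benign metafile and one carrying a SETABORTPROC escape.
# The escape payload is zero filler, not code of any kind.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                   _record(META_EOF)])
SUSPICIOUS_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                       _record(META_ESCAPE,
                               struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                       _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, "SETABORTPROC records at:", find_setabortproc(blob))
```

The walker deliberately trusts nothing in the file: it bounds every read by the buffer length and refuses record sizes that would make the loop stall, because a scanner that can itself be wedged by a malformed metafile is not much of a filter.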
I tried it myself... (Score:2, Informative)
Re:Oops... (Score:2)
Re:What the hell can u do with a WMF exploit?? (Score:2)