Virus hunters combing through the wreckage of the zero-day WMF (Windows Metafile) attacks have found evidence that exploit code was being peddled by Russian hacker groups for $4,000 a pop.
The first sign of an exploit was traced back to the middle of December 2005, a full two weeks before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code, says Alexander Gostev, a senior virus analyst at Kaspersky Lab.
"One very important aspect of this case is that the vulnerability was first identified by members of the computer underground," Gostev said.
"Around the middle of December, this exploit could be bought from a number of specialized sites. [Two or three] hacker groups from Russia were selling this exploit for $4,000," he added, confirming a widely held suspicion that a lucrative market exists for code that can exploit unpatched Windows vulnerabilities.
According to Gostev, the rival hacker gangs did not seem to fully understand the exact nature of the vulnerability.
It wasn't until a cyber-criminal purchased the code and found a way to incorporate it into adware, spyware and Trojan attacks that the severity of the vulnerability became public.
In a research note that discusses the evolution of malware over the last three months, Gostev said it was most likely that the vulnerability was detected by an unnamed person around Dec. 1, 2005.
However, it took a few days for the exploit, which allowed arbitrary code to be executed on the victim machine, to be developed and put on the market.
"We don't know who was the first to discover the vulnerability; we only know who was involved in creating and distributing the exploit and subsequent modifications.
The data we have, plus the Russian involvement, make it clear that information about the vulnerability was not passed to companies such as eEye or iDefense, which specialize in identifying vulnerabilities," Gostev said.
He said the hacker groups clearly didn't understand exactly how the vulnerability functions and were more intent on selling it to cyber-criminals in Russia for quick profit.
"[R]esearch bodies did not have information about the fact that the exploit was being sold, due to the fact that it was created for the Russian market," he added.
Jim Melnick, director of threat operations at Reston, Va.-based vulnerability research firm iDefense, said his team's research confirms some of Gostev's findings.
"We did see some early activity coming out of the Russian sites. There was a pump-and-dump stock scheme going on at the time and a Russian hacker who we think has some connection to this mentioned that the WMF flaw was already being exploited quietly," Melnick said in an interview with eWEEK.
"It's likely it was being used in very small, targeted attacks before even the anti-virus vendors got wind of it," he added.
By Dec. 27, a three-sentence warning on the Bugtraq mailing list provided the first evidence that Web sites were hosting malicious WMF images that were evading anti-virus scanners:
"Warning the following URL successfully exploited a fully patched windows xp system with a freshly updated norton anti virus," said the note, which was posted by "firstname.lastname@example.org."
It included a URL with a site hosting the exploit and warned that the exploit is executed once the site is launched by a browser.
Between Dec. 29 and the first week of January 2005, more than a thousand malicious WMF images were detected, prompting the release of unofficial patches and, eventually, an emergency update outside of the monthly patching cycle.
According to iDefense's Melnick, the WMF issue underscores the rebirth of underground hacker sites offering malware for sale.
"The $4,000 price seems a bit high, but there's no doubt that these things are back out in the open," he said.
Last October, the U.S. Secret Service announced arrests in "Operation Firewall," which targeted sites like Shadowcrew.com, Carderplanet.com and key members of the online carding community.
The three groups ran Web sites that exchanged new techniques and methods to commit online fraud and hijacked sensitive personal information.
After the "Operation Firewall" crackdown, Melnick said the brazen activity subsided.
"A lot of the English-language sites were knocked out after those arrests. It had been quiet for several months, but we're noticing that the Russian sites are back. The WMF issue confirms they are back."
"It won't surprise me at all if we have another WMF incident a few months from now. There are dozens of these sites with hackers offering zero-day code for sale all the time. They even have a mechanism to test the code to make sure it is legitimate and will get past anti-virus software," Melnick added.