    Researcher: WMF Exploit Sold Underground for $4,000

    By Ryan Naraine
    Published February 2, 2006

      Virus hunters combing through the wreckage of the zero-day WMF (Windows Metafile) attacks have found evidence that exploit code was being peddled by Russian hacker groups for $4,000 a pop.

      The first sign of an exploit was traced back to the middle of December 2005, a full two weeks before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code, says Alexander Gostev, a senior virus analyst at Kaspersky Lab.

      “One very important aspect of this case is that the vulnerability was first identified by members of the computer underground,” Gostev said.

      “Around the middle of December, this exploit could be bought from a number of specialized sites. [Two or three] hacker groups from Russia were selling this exploit for $4,000,” he added, confirming a widely held suspicion that a lucrative market exists for code that can exploit unpatched Windows vulnerabilities.

      According to Gostev, the rival hacker gangs did not seem to fully understand the exact nature of the vulnerability.

      It wasn't until a cyber-criminal purchased the code and found a way to incorporate it into adware, spyware and Trojan attacks that the severity of the vulnerability became public.

      In a research note that discusses the evolution of malware over the last three months, Gostev said it was most likely that the vulnerability was detected by an unnamed person around Dec. 1, 2005.

      However, it took a few days for the exploit, which enabled arbitrary code to be executed on the victim's machine, to be developed and put on the market.

      “We don't know who was the first to discover the vulnerability; we only know who was involved in creating and distributing the exploit and subsequent modifications.

      The data we have, plus the Russian involvement, make it clear that information about the vulnerability was not passed to companies such as eEye or iDefense, which specialize in identifying vulnerabilities,” Gostev said.


      He said the hacker groups clearly didn't understand exactly how the vulnerability functions and were more intent on selling it to cyber-criminals in Russia for quick profit.

      “[R]esearch bodies did not have information about the fact that the exploit was being sold, due to the fact that it was created for the Russian market,” he added.

      Jim Melnick, director of threat operations at Reston, Va.-based vulnerability research firm iDefense, said his team's research confirms some of Gostev's findings.

      “We did see some early activity coming out of the Russian sites. There was a pump-and-dump stock scheme going on at the time and a Russian hacker who we think has some connection to this mentioned that the WMF flaw was already being exploited quietly,” Melnick said in an interview with eWEEK.


      “It's likely it was being used in very small, targeted attacks before even the anti-virus vendors got wind of it,” he added.

      By Dec. 27, a three-sentence warning on the Bugtraq mailing list provided the first evidence that Web sites were hosting malicious WMF images that were evading anti-virus scanners:

      “Warning the following URL successfully exploited a fully patched windows xp system with a freshly updated norton anti virus,” said the note, which was posted by “[email protected].”

      It included a URL for a site hosting the exploit and warned that the exploit executes as soon as the site is opened in a browser.

      From Dec. 29 through the first week of January 2005, more than a thousand malicious WMF images were detected, prompting the release of unofficial patches and, eventually, an emergency update outside of the monthly patching cycle.

      According to iDefense's Melnick, the WMF issue underscores the rebirth of underground hacker sites offering malware for sale.

      “The $4,000 price seems a bit high, but there's no doubt that these things are back out in the open,” he said.

      Last October, the U.S. Secret Service announced arrests in “Operation Firewall,” which targeted sites like Shadowcrew.com, Carderplanet.com and key members of the online carding community.

      The three groups ran Web sites on which members exchanged new techniques and methods for committing online fraud, as well as hijacked sensitive personal information.

      After the “Operation Firewall” crackdown, Melnick said the brazen activity subsided.

      “A lot of the English-language sites were knocked out after those arrests. It had been quiet for several months, but we're noticing that the Russian sites are back. The WMF issue confirms they are back.”

      “It won't surprise me at all if we have another WMF incident a few months from now. There are dozens of these sites with hackers offering zero-day code for sale all the time. They even have a mechanism to test the code to make sure it is legitimate and will get past anti-virus software,” Melnick added.
