Security Firm Finds Zero-Day Flaw by Turning Users Into Honeypots

Kaspersky turned details of a Silverlight flaw into detection rules. When an attacker exploited the vulnerability, it had enough information to pinpoint the flaw.

security worries

When emails leaked from surveillance tools vendor Hacking Team hinted at a critical vulnerability in Microsoft's Silverlight multimedia player, researchers at security firm Kaspersky Lab wondered if they would be able to find a way to catch an attacker exploiting the flaw.

Turns out they could.

On Jan. 12, Microsoft patched a critical vulnerability in its Silverlight player that Kaspersky was able to pinpoint after it caught an attacker using an exploit. The attack code is thought to be the same exploit that a 30-something Russian bug finder, Vitaliy Toropov, attempted to sell to Hacking Team, as revealed by leaked emails.

"He had sold multiple vulnerabilities to Hacking Team in the past," Brian Bartholomew, a senior security researcher at Kaspersky Lab, told eWEEK. "We thought it likely that if Hacking Team didn't buy it, he may have sold it to someone else."

The fact that Kaspersky could detect the attack is impressive, since the company knew very little about the exploit. By taking two pieces of information—the name of the exploit developer and his focus on a Silverlight vulnerability—Kaspersky researchers found an older Silverlight exploit created by the same developer, reverse-engineered the older attack and used unique strings in the code to developed rules that would likely match a future attack.

"After implementing the detection, we waited, hoping that an APT [advanced persistent threat] group would use it," the Kaspersky researchers stated in an online writeup of their experiment. "Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don't use it?"

To detect the attack, Kaspersky uploaded its pattern rule to the antivirus software used by millions of customers, essentially turning its user base into a giant neighborhood watch program. When an attack happened, the software blocked the exploit and delivered details of the attack to Kaspersky.

"The software protects them from the attack, but at the same time, there is some valuable intelligence and information on the attack itself, so we do pull back very limited metadata from the attacks," Bartholomew said.

Security firm Qualys had rated the Silverlight vulnerability as a less-interesting part of Microsoft's regular Patch Tuesday update, but following Kaspersky's report on the bug and evidence that the attack is being used in the wild, the company raised its rating of the vulnerability.

The big question for Kaspersky is whether Toropov wrote and sold the exploit.

"Several things make us think it's one of his exploits, such as the custom error strings," the company's researchers stated in their online analysis. "Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though—the world is a bit safer with the discovery and patching of this one."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...