Russian hacker groups sold .wmf exploits
Posted on 3 Feb 2006 at 12:15
Moscow-based Kaspersky Labs claims exploits for the .wmf vulnerability that emerged over the Christmas period were being sold on the virus underground by Russian hacker groups for $4,000.
Kaspersky claims in its Malware Evolution report for the last quarter of 2005 that 'it seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public.'
It claims that the flaw which was only patched by Microsoft in early January was probably first discovered at the start of December, and by a virus writer rather than a security researcher.
If true, this challenges the disclosure argument. Those that made the information on the flaw and exploit code public were slammed by Microsoft and the security community at the time. But if that information had been kept strictly within hacking circles, Microsoft may not have even heard of the problem while its customers were being infected with viruses.
And there's nothing to indicate that Microsoft would have noticed. The flawed .wmf technology was introduced into Windows 3.0 in early 1990.
Indeed, the report says that information on the flaw was not passed on to security companies such as eEye Digital or iDefence and that they in turn were not aware of it as the exploit was being developed specifically for the Russian market.
'The hacker groups didn't understand exactly how the vulnerability functions, and ... the exploit was created in order to be sold on to cyber criminals,' it reads.
But the cyber criminals were quick off the mark. After the middle of December, when the exploit could be bought on the virus underground, trojan viruses and later email worms were on the loose taking advantage of the hole, which had still to be patched. Recently chip builder AMD's support forums were infected, launching a .wmf-based attack at visitors.
Such was the concern of the security community that many gave the unorthodox advice for users to install a patch made available by Windows expert Ilfak Guilfanov, rather than wait for Microsoft to fix it. Microsoft patched the vulnerability 6 January.
Author: Matt Whipp
advertisement
- Microsoft shows courage at Tech-Ed 09
- PowerPoint and Silverlight: a perfect match?
- Why all the fuss over Windows Explorer?
- Your iPhone has a virus? Well it's your fault
- Motorola pays Lucas for its Droid
- Where are the killer apps for Windows?
- Will you hit the Orange iPhone "unlimited" cap?
- USB 3 first benchmark - it's here, and it's fast
- Why Windows 7 has forced me to worry about security
- How Dixons is (under)selling Windows 7
- The bulletproof Dell that costs an arm and a leg
- Microsoft Office 2010 Technical Preview: Q&A
- Lawnmowers, the TyTN II and one odd insurance request
- There'll never be a bulletproof OS
- How far can we trust apps?
- Five nice touches in Outlook 2010
- Building a better Google
- Beware HP's horrendous printer-driver glitch
- Microsoft debuts free Morro antivirus package
- Getting started with Search Server 2008 Express
advertisement

Printed from www.pcpro.co.uk
