Russian hacker groups sold .wmf exploits
By Matt Whipp
Posted on 3 Feb 2006 at 12:15
Moscow-based Kaspersky Labs claims exploits for the .wmf vulnerability that emerged over the Christmas period were being sold on the virus underground by Russian hacker groups for $4,000.
Kaspersky claims in its Malware Evolution report for the last quarter of 2005 that 'it seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/spyware business, and it seems likely that this was how the exploit became public.'
It claims that the flaw, which was only patched by Microsoft in early January, was probably first discovered at the start of December, and by a virus writer rather than a security researcher.
If true, this challenges the disclosure argument. Those who made the information on the flaw and exploit code public were slammed by Microsoft and the security community at the time. But if that information had been kept strictly within hacking circles, Microsoft may not have even heard of the problem while its customers were being infected with viruses.
And there's nothing to indicate that Microsoft would have noticed. The flawed .wmf technology was introduced into Windows 3.0 in early 1990.
Indeed, the report says that information on the flaw was not passed on to security companies such as eEye Digital or iDefense, and that they in turn were not aware of it, as the exploit was being developed specifically for the Russian market.
'The hacker groups didn't understand exactly how the vulnerability functions, and ... the exploit was created in order to be sold on to cyber criminals,' it reads.
But the cyber criminals were quick off the mark. After the middle of December, when the exploit could be bought on the virus underground, trojan viruses and later email worms were on the loose, taking advantage of the hole, which had still to be patched. Recently, chip builder AMD's support forums were infected, launching a .wmf-based attack at visitors.
Such was the concern of the security community that many gave users the unorthodox advice to install a patch made available by Windows expert Ilfak Guilfanov, rather than wait for Microsoft to fix it. Microsoft patched the vulnerability on 6 January.
