WMF Exploit Sold Underground for $4,000
tero1176 writes "Eweek has a story with information from Kaspersky showing that exploit code used in the WMF malware attack was being peddled on underground sites by rival Russian hacker groups for $4,000 in early December. The first sign of an exploit was traced back to December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code. It serves as more proof that the market for malware is well and truly alive."
The exploit is a flop. The guy should get his money back.
Do you suppose Microsoft will try to enter this market, too?
A feeling of having made the same mistake before: Deja Foobar
...open source exploits for a commercial OS?
Joke, don't waste your mod points here.
"Made up/misattributed quote that makes me look smart. I am on
Idiots should've used metasploit. It had it for a long time.
Will my AT&T "platinum," "gold" and "silver" levels of Internet access provide access to this underground market ?
As usual, Mac and Linux users are unaffected and wonder why everyone relies on such unreliable software. And the world turns...
"Sufferin' succotash."
In Soviet Russia, code exploits you!
more proof
You misspelled "evidence".
Better to light a candle than to curse the darkness.
I wonder how much someone from an A/V company paid "Melissa" to leave the guy who wrote the virus/worm ?
= 14627254
Is it just me or does it seem like there is no money to be made with this "underground" stuff. $20 for Win NT/2000 source $4,000 for this.
Maybe he should sue Apple, I have to believe he bought an iPod with his new found treasure, and we all know it kills ears dead http://it.slashdot.org/comments.pl?sid=175984&cid
Success is not the result of spontaneous combustion, you must set yourself on fire.
So you think Mac and Linux are as unlikely to be unaffected by such?
While it might be hard to purposely code exploits into Windows and Mac, if you were an insider plotting to take advantage of it some day and don't mind losing your job over it. Isn't it more possible to pull a fast one on Open Source, assuming you covered your tracks well enough that few would find it on first glance?
I remember a mud client, early version of Tintin, IIRC, which would make all players shout "Snowy rules, OK" if a client saw some particular text. Not necessarily as bad as it could have been, someone could code the client to [remove all, drop all, flee] on a command if they had wanted. People only became aware of the stunt after the coder logged onto a mud and said "yo"
A feeling of having made the same mistake before: Deja Foobar
There have been shadowy glimpses of this "other economy" for a while, in the bot army cottage industry and the various rackets where popular sites are threatened with black-out if they don't pay for "protection". But all that is just the warmup to the big show.
Organized crime has found the internet, and they seem to like what they see. It's just like one huge, dark alley lined with endless smoke-filled lounges. Lots of seamy places to meet up. Anonymity if you want it. Under-the-table dealings. Faceless bosses and eager young turks with itchy trigger fingers.
The perfect growth media for scum and parasites.
=^..^= all your rodent are belong to us
... open up IE on a fresh Windows XP installation and let 'er rip!
It serves as more proof that the market for malware is well and truly alive.
No kidding, they've got a whole aisle over at Fry's for this stuff. No, not the anti-viral stuff. Look over in the office productivity and word processing section. They even bundle it together sometimes!
God invented whiskey so the Irish would not rule the world.
So, let's hear someone argue against full disclosure now, eh?
Laws do not persuade just because they threaten. --Seneca
And you get your first first offtopic post too... for free!
It just goes to show how much the underground actually retains as far as exploit code is concerned. Makes you think what else is circulating which the general public doesn't know about.
This is a huge issue that the general public is completely unaware of. Most people still believe that viruses are created as an annoying prank by kids with something to prove. This may be true in some cases, but most of the malware out there now is created for a very specific purpose: building a botnet that can be sold for cold hard cash to the highest bidder. Who's buying them? Spammers.
It used to be that spammers would look for open relay servers in third-world countries, and let those servers do all the work of actually sending the messages. The server administrators either didn't care, or didn't know how to fix the problem, and the language barrier made things difficult. So, people started making blacklists of known open relays, and just refusing any mail that came from those IPs. Spammers would keep finding more open relays, and the blacklists grew.
Eventually, mail servers started coming pre-configured not to allow relaying, and as servers were upgraded, spammers had to move on. Spammers started commissioning worms, paying people to write software that would infect Windows machines remotely over the Internet, and open up a backdoor for the spammers to access. Suddenly you've got hundreds of thousands of IP addresses responsible for sending spam, with many of them on dynamic IPs. There's no good way to blacklist them all, since they keep changing!
Enter Windows XP Service Pack 2, with a software firewall enabled by default. As people upgrade, worms like Code Red and Nimda are no longer effective. So what's next? Spreading viruses through e-mail, IM, and the Web.
So, look for improvements in antivirus software in the next couple of years, as the war against spam continues. Then look for the spammers to find a new way to get their crap into your inbox.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Ironically, copies of the exploit were pirated by a group of Chinese hackers and sold on Ebay for pennies on the dollar...
This is one of those "Do we, the media, report it?" stories.
This article is pretty meaningless as far as the bigger picture goes, and it probably could have gone unpublished in my mind and no one would have really cared. But it may do more damage than good by being published.
This article shows, and maybe it's because I work with criminals all day (Public Defenders office), that writing malware pays. Before it was for notoriety or to prove you could or to piss people off, but now it can provide an income source and I think we will be seeing more of it from now on just because people are going to be trying to make a buck off of it.
We live in a society where a Million-Dollar-Homepage gets filled (it recently did), where the Gotti family has its own TV show and where Carrot Top is a rich man. Our lust for money leads us down the less than friendly paths, and this article reports, once again... that crime does in fact pay.
I meant full disclosure as in releasing the details of an exploit as soon as it's found, instead of keeping it covered up until a fix is released.
Laws do not persuade just because they threaten. --Seneca
So if Windows exploits are worth $4,000 a pop, and Bill Gates is worth something like $50 billion, that adds up to... 12.5 million Windows exploits. That number seems a little low, must be not all of them are worth 4 grand.
It will cost an extra $500 to get set up to sign your malware in order for it to install. Good thinking Microsoft. That extra 12.5% tax will make it totally uneconomical.
The world is made by those who show up for the job.
From summary: "The first sign of an exploit was traced back to December 1, 2005, a full month before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code."
From article: "The first sign of an exploit was traced back to the middle of December 2005, a full two weeks before anti-virus vendors started noticing mysterious WMF files rigged with malicious executable code..."
Oh... actually, to be fair, the article does carry on to say: "...it was most likely that the vulnerability was detected by an unnamed person around Dec. 1, 2005. However, it took a few days for the exploit enabling random code to be executed on the victim machine to be developed and put on the market."
meh. nm.....dead parrot bakes pie and throws it at YOU!
Weapons of Mass Fraudulence?
I misread that as 'WMDs Exploit sold underground for $4,000'.
Of course, WMDs would read 'WMDs exploit sold by administration for $Several hundred billion '
When the posters fear their moderators, there is tyranny; when the moderators fear the posters, there is liberty.
Pardon me if I am remembering things wrong, but wasn't there a hidden "_NSAKEY" variable or something like that hidden in some WinNTs, that Microsoft never could explain?
How appropriate that a Microsoft "Get the Facts" ad should show up at the top of this particular page -- gotta love that Murphy guy when he works in your favor.
To the Microsoft Marketing folks: I'd trade you a fact for a clue but since you have neither facts nor clues I guess we won't be doing business any time soon.
Cheers.
Everything in the Universe sucks: It's the law!
According to Gostev, the rival hacker gangs did not seem to fully understand the exact nature of the vulnerability.
Otherwise it should have gone for much more than $4,000, even in a black market. Imagine an exploit where you can gain access to any Windows computer on Earth for the last several builds of Windows?
This is why we should set up companies to act as middleman and legitimately buy exploits. They would pay more and we would be able to get things patched quicker.
"[...] the vulnerability was detected by an unnamed person around Dec. 1, 2005."
Ok, what are the chances that this person really has no name?!
I'm going to have to call shenanigans on this whole article.
Wasn't Microsoft pissed about the WMF vulnerability being disclosed to the public before a patch was available? They certainly have whined about other announcements. Well, this completely justifies independent announcement of vulnerabilities. The bad guys already know about them, and are using them. Reporting to the vendor won't help nearly as much as publishing third-party fixes.
Whatever happened to hackers wanting all information to be free?
from our ms friends:
"A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
in other words this is not much different than downloading and opening an email attachment and poof--all your iNteRneT ArE BeLonG t0 Us. As always, the biggest security risk is the user.
"You're everywhere. You're omnivorous."
"The Internet Underground. You will never find a more wretched hive of scum and villainy. We must be cautious."
--Obi_1_Kenobi4836
"Pi is exactly 3!" *gasp*
... hello William Gibson.
---------
No matter how thin you slice it, it's still baloney.
I don't know if it was the .wmf exploit, but there was an exploit for sale on eBay during the first week of December, 2005. This was referenced in the Full-Disclosure mailing list, which is archived at seclists.org (among other places). The auction may have been a hoax, but eBay cancelled it anyway.
I think it is unfair that it is first offered to the people who pay money for it and only later to others. Especially unfair to Microsoft who would NEVER do such a thing.
Don't fight for your country, if your country does not fight for you.
Exploit works as advertised!!! Speedy email!! Would Buy From AGAIN!! A+++++++++++! :)
Someone should sell the cure to it.
I've seen powerouts but geez. Stone age? People in the Bronze age didn't require MS Windows did they?
At best millions of people will be bugged and Linux and Apple vendors will have a hell of a time selling their OSes.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
How funny. I just saw an ad from M$ "Know The Facts" right under the summary. Kinda' hard to believe the ad. Why is M$ advertising on /. anyway? Is /. not owned by the same company that owns freshmeat? Does this not have anything to do with the benefit of Linux?
wishing i had mods for you now
"Our interests are to see if we can't scale it up to something more exciting," he said.
it puts the lie to this whole attitude that hackers only develop exploits from the descriptions of vulnerabilities that are published!
Damnit, there are no vulnerabilities that Microsoft publishes that haven't already been exploited in the wild! They don't spend any time looking for vulnerabilities, they only react to vulnerabilities that are already being exploited!
comedy questions you!
"Our interests are to see if we can't scale it up to something more exciting," he said.
no wonder the russian economy sucks... all their programmers are wasting their money on trading windows exploits...
Hax the Office clipart gallery??? Fun, but pointless. Honestly WMF files are a bit of a weird object to send in emails anyways....
...from the Metasploit framework. That exploit was a champ. 99.9% guaranteed remote trojan installation. In fact, it was enough just to HOVER OVER the file in a directory so that Explorer would try to get its properties - and ooops.
why did Microsoft reveal the source to China? Can we conclude that Microsoft has committed treason? This is the one crime for which the U.S. Constitution explicitly mentions execution. For a corporation, that either means we dissolve it or we execute the executives and board members.
In thinking about this, I don't know how I would word it, but it does not seem proper to use the past tense word "forbidden" with a future tense form of "to use".
Maybe, "We hereby forbid you to use the En....."