Windows Vulnerabilities for Sale
When the WMF zero-day exploit emerged for a previously unknown Windows flaw, it prompted a lot of concern. After all, the lack of advance warning meant that PC owners were unable to harden their PCs against the attack. That concern took on a new tenor when researchers at Kaspersky Lab discovered that hackers had been selling the exploit on the black market for as much as $4,000.
For Shane Coursen, senior technology consultant for Kaspersky, the discovery is part of a larger trend. "We really started seeing [this activity] ramp up early last year. To somebody in our field, it comes as no surprise whatsoever."
According to Kasperky, hackers in Russia started working in early December to develop an exploit against a flaw in the graphics handling engine of Windows. Within a week or so, the group crafted WMF files that would allow code to execute on Windows PCs. The exploit turned up for sale from at least two different groups around the middle of December.
Security firm F-Secure reported the existence of the WMF exploit on Dec. 27. Microsoft produced a patch for the flaw on Jan. 5, a few days ahead of the scheduled Patch Tuesday release.
The timeline underscores an undeniable trend in malware activity. "What these guys are doing is writing these little programs to be used for little more than Internet crime and financial gain," Coursen says.
Spyware and adware companies tap the secretive market for black-market malware to spread their wares, Coursen says. The WMF exploit, for instance, was used to install a variety of spyware packages, including one that posed as anti-virus software. The demand makes for a thriving black market in code exploits.
"These adware companies are hiring professional programmers to write programs that are able to bypass security measures, and they are paying pretty top dollar for their skills," says Coursen, who calls the $4,000 price tag for the WMF exploit "a steal."
Microsoft is striving to combat the issue with initiatives like Trustworthy Computing and the Secure Development Lifecycle (SDL), which employs rigorous security planning and review in the code design process. The goal is to eliminate flaws such as the one exploited by the WMF malware.
Coursen lauds the Microsoft effort, but he's not getting his expectations up. "I think we can look forward to less exploitable code, but something that is completely unexploitable? No, we'll never see that."
Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.