[ISN] System vulnerabilities being sold in on-line auctions

From: InfoSec News (alerts@private)
Date: Sun Jul 16 2006 - 23:15:19 PDT


ITWorld Canada

On-line scammers turned entrepreneurs have found a new commodity to 
auction off: system and software vulnerabilities.

Here's how it works: Tech savvy cyber crooks identify bugs or 
vulnerabilities in software applications. Then, instead of sharing these 
findings with the vendor so a patch can be developed, they auction them off 
on-line to buyers, many of whom are willing to pay top dollar for this 

"The name of the game is money," says a study on malware distribution 
evolution released recently by Finjan Inc., a Web security product 
development firm based in San Jose, Calif. The study was conducted by a 
Finjan facility called the Malicious Code Research Centre (MCRC).

Below are three samples of postings lifted by Finjan from 'Full 
Disclosure', an un-moderated mailing list for discussions on security 
issues and a forum where software vulnerabilities are detailed and openly 

* "I just found a second bug that allows one to remotely retrieve the 
  contents of other tabs in IE [Internet Explorer Version] 7. Again for 
  sale. Higgest Bidder."

* "So I just found another vulnerability. This time working on the latest 
  patched up [Internet Explorer] version 6.0. It allows for my code to be 
  run... Let the bidding begin."

* "Due to the success of my IE [vulnerability] sale I have decided to sell 
  a Windows Vista exploit I discovered. This one work remote (sic) and 
  will run code."

Cyber crooks are not hesitant to make such open declarations of illicit 
intent because of the anonymity offered by the Internet. Some have had the 
gall to try and peddle their information on popular on-line auction sites 
such as eBay. Last December eBay pulled an ad that was selling 
vulnerability information about Microsoft's spreadsheet program Excel.

"That was a bold, if foolhardy, move on the part of the seller, because 
eBay is hardly blackmarket at all," said Ross Armstrong, senior analyst at 
technology consultancy firm Info-Tech Research Ltd. in London, Ont.

But vulnerability information is also sometimes purchased by legitimate 
companies. For instance, TippingPoint Technologies Inc. of Houston, Texas, 
and iDefense Inc. of Dulles, VA, have both sometimes bought vulnerability 
data so as to assist other firms in deterring virus attacks.

Last year TippingPoint said it would pay as much as $2,000 (U.S.) for a 
verified vulnerability.

"We are for responsible disclosure of vulnerabilities," said David Endler, 
director of security research for TippingPoint.

The company deals with "security researchers" who contact TippingPoint 
with whatever vulnerability they discover. TippingPoint validates the 
vulnerability, tests it out and classifies it according to potential 
severity. It then helps its clients develop means of mitigating the 
vulnerability. The firm also informs the software vendor about the 
vulnerability in their product, but does not go public until the vendor 
develops a patch.

While TippingPoint waits for the vendor to come up with a patch, 
other firms disclose to the public any vulnerability they encounter.

Open disclosure, according to analysts, may be a double-edged sword. The 
disclosure could alert malicious hackers to a system's flaws, but it 
could be the only reliable way to ensure software makers come up with the 

For those who choose to auction off their findings, the "vulnerability" market 
is also ruled by the laws of supply and demand, and indications are that right 
now demand is pretty hot. "As the price tag for new vulnerabilities 
continues to increase, so does the temptation to sell [them] on the 
black-market, rather than disclose the information to responsible vendors 
that can develop patches," the Finjan study says.

Web security experts say information on how to break into a system can be 
used to launch spam and phishing attacks or create websites with malicious 
code that covertly take control of a person's computer.

"The market is driven by crime," according to Bruce Schneier, security 
technologist and founder of Counterpane Internet Security Inc. of Mountain 
View, Calif. He said organizations involved in identity theft "would only 
be [too] glad to pay upwards of US$1,000 for information that can help 
them single out a systems vulnerability and exploit it for financial 

The information can also be used to create so-called "bot-nets", 
networks of personal computers controlled remotely by a malicious hacker, 
according to Info-Tech's Armstrong.

"When you have a bot-net of 10,000 to 20,000 hijacked computers, that's a 
lot of computing power to use for denial of service attacks, to launch 
spam, or host websites that steal visitors' confidential information," 
said Armstrong.

The Finjan study said back in the 1990s, distribution of viruses was 
carried out by "script kiddies" in search of fame and recognition among 
their peers. Later phishing scammers used spoofed e-mail messages to fool 
people into revealing credit card numbers, passwords and other personal 

Today spam has evolved from a mere annoyance to a channel for propagating 
malicious code.

Late this June customers of the National Australian Bank (NAB) were 
targeted by a spam message claiming the bank had gone bankrupt, and 
directing readers to another website to read the full story.

The second website actually installed a Trojan on the machines of 
people who visited the site. The code immediately searched for unpatched 
vulnerabilities on user machines and exploited them to gain control of the 

Occasionally vulnerabilities are created, perhaps inadvertently, by a 
legitimate company.

For instance, late last year SonyBMG placed copy protection software on 
one of its CDs that used a sophisticated cloaking technique involving use 
of a rootkit. A rootkit is often used by virus writers to hide traces of 
their work on a computer, and can be used by a malicious hacker to gain 
control over a computer.

As part of a court-ordered settlement, SonyBMG was recently directed to 
compensate consumers who purchased Sony audio CDs that installed a rootkit 
when they were played on a PC. The compensation amounts to US$7.50 and a 
free album download from Sony's catalogue for each CD purchased.

"What is common to all these threats is that they are driven by active 
content (such as Java Script, VB Script, ActiveX, or Java Applets), those 
same technologies that enable users to browse websites and run common 
business applications," the study said.

Yuval Ben-Itzhak, chief technology officer of Finjan, said a great deal of 
malicious code is able to bypass the traditional anti-virus and anti-spam 
software on the market today because these products are signature-based.

"These software products search for virus signatures. But if a virus is 
new or unknown, the software will not be able to recognize it."

Ben-Itzhak said Finjan software blocks malicious code based on its 
behaviour. The moment the NG 51000 detects questionable behaviour on the 
part of a visited site it blocks that site.

"If a site begins installing executable codes on a computer, tries to 
access disks or read files, monitor keystrokes, access and modify registry 
or try to control the computer, it's out," Ben-Itzhak said.

"Open disclosure may be imperfect, but it's the only way to guarantee that 
things will get fixed," said Schneier. "Unless vulnerability is made 
public, some software makers won't work on the patches."

Armstrong said legitimate firms that buy vulnerability information to 
develop filters or alert their clients are beneficial.

"It is a good, pro-active approach and it helps vendors save on research 
dollars," he said.

Aside from the anonymity provided by the Internet, the lack of coherent 
legislation covering the matter prevents authorities from keeping the 
lid on vulnerability auctions. "This is one giant grey zone," according to 

"While it may be against the law to propagate viruses, or steal private 
information, it is not illegal to publish or sell vulnerability 
information," he said.

This archive was generated by hypermail 2.1.3 : Sun Jul 16 2006 - 23:21:27 PDT