[ISN] eEye's Marc Maiffret: Threat 'Motifs' Make Security Confusing

From: InfoSec News (alerts@private)
Date: Thu Jan 25 2007 - 22:29:00 PST


By Scott M. Fulton, III
January 24, 2007

In a recent interview with BetaNews, the chief technology officer of the 
company that discovered the wide-open buffer overflow in Microsoft's IIS 
exploited by the "Code Red" worm, one of the costliest worm outbreaks in 
history, and that gave the worm its name, said he believes that when 
security companies give multiple dramatic names to known threats, rather 
than accepting a single common identifier, the result simply confuses 
users.

The naming of Code Red, eEye Chief Technology Officer Marc Maiffret told 
BetaNews, was originally supposed to be a "one-off," "part of our normal 
course of business." By contrast, among today's anti-virus vendors, 
Maiffret believes there is too much fighting over who gets to christen 
the latest virus, worm, or zero-day exploit for the press.

"The reality is, between F-Secure, McAfee, Sophos, Symantec, all they 
end up doing is making things more confusing for users because they're 
all using different names," Maiffret said. "In the vulnerability world, 
we have CVEs [Common Vulnerabilities and Exposures] as a way to know 
that we're all talking about the same vulnerability regardless of what 
we might have named it in our product. In the anti-virus world, there's 
not really anything like that."

Last week, security firm F-Secure was credited with dubbing the latest 
and greatest e-mail threat the "Storm Worm," though the nature of that 
threat is, by now, something IT managers have seen a thousand times 
before over the last six years. Meanwhile, eEye itself dubbed a piece of 
malware that exploited an already-patched flaw in Symantec Antivirus 
"Big Yellow," calling it "a new class of malware," months after the 
flaw's initial discovery and after a CVE had already been assigned to it.

"Some of these people in the antivirus world, the main, big players and 
the sub-level big players like the F-Secures and Sophos, they really 
aren't looking to innovate or do much of anything different, because 
they're all making really good money, they keep getting all their 
renewals, and the way they compete with each other, they're okay with 
doing that, so they're okay with fighting over who's naming it, and 
everybody having different names and stuff. At the end of the day, 
they're doing a lot of that and turning a blind eye to what users are 
actually asking for."

After the threat from Code Red subsided, and the damage assessment ended 
up being less than had been feared, debates ensued over whether the 
publicity surrounding not only the worm but the anatomy of the flaw it 
exploited, led to more malicious users taking advantage of the worm than 
would have otherwise.

As The Register reported in 2001 [1], "Had they [eEye] not made such a 
grand public fuss over their .ida hole discovery and their SecureIIS 
product's ability to defeat it, it's a safe bet that Code Red would not 
have infected thousands of systems."

We asked Maiffret, in the case of ethical dilemmas such as this one, 
whose interests does eEye answer to: those of the software vendors such 
as Microsoft who may prefer the details of exploits be kept 
confidential, or to the general public to make them more aware of the 

"We definitely don't answer to the software vendors," Maiffret 
responded. "The people that we care about are the IT [technicians] and 

"Throughout 2006...there's definitely people that have misused the word, 
like 'zero-day,' the vulnerability that we found with Symantec, [in 
which] they put out a patch, and six months later, finally a piece of 
malware comes out. In that case, it's definitely not a zero-day, and 
it's just somebody that's eventually decided, 'Hey, I'm going to write 
something malicious for this.'"

The real problem Microsoft and others must face, Maiffret added, is that 
it has become too easy for malicious users to infer the nature of a 
vulnerability not from the security advisory that first publicizes it, 
but from reverse-engineering the patch that fixes it, even without any 
advance publicity: diffing the pre-patch and post-patch binaries points 
straight at the functions the vendor changed, and therefore at the flaw.

"The tools today on doing patch reverse-engineering and analysis, 
especially driven because of Microsoft and 'Patch Tuesday,'" he 
commented, "make it so easy to identify, just from the patch, what the 
vulnerability is within the patch, to figure it out and write the 
exploit, regardless of anything that eEye or anybody else would ever 

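The patch-diffing workflow Maiffret describes, reduced to its core, as an 
added example (this is not eEye's tooling or any real product's code). 
Given the pre-patch and post-patch image and a symbol table for each, it 
hashes every function body, reports which functions the patch added or 
modified, and shows the byte-level insertion inside a modified one. 
Comparing at function granularity rather than raw file offset matters: 
when one function grows, every function after it shifts, and an 
offset-based comparison would flag them all. The images, symbol tables, 
function names and opcode bytes below are constructed for illustration; 
the "inserted check" heuristic (x86 cmp r/m32,imm8 followed by a short 
conditional jump) is a deliberately crude stand-in for the semantic 
analysis that real diffing tools perform.

```python
"""Function-level patch diffing over two constructed images.

Added example, not code from the article or from eEye. All bytes,
function names and layouts below are constructed for illustration.
"""
import difflib
import hashlib

# Constructed pre-patch functions (toy x86 prologue/epilogue bytes).
OLD_FUNCS = {
    "ProcessRequest": bytes.fromhex("55 8b ec 8b 45 08 8b 4d 0c 51 50 e8 00 00 00 00 5d c3"),
    "ParseHeader":    bytes.fromhex("55 8b ec 83 ec 20 8b 45 08 50 e8 00 00 00 00 8b e5 5d c3"),
    "LogEvent":       bytes.fromhex("55 8b ec 8b 45 08 50 e8 00 00 00 00 5d c3"),
}

# Constructed post-patch functions: ParseHeader gains a length check
# (mov ecx,[ebp+0c] / cmp ecx,0x20 / ja epilogue) before the call, and a
# new helper ValidateLength appears. LogEvent is byte-identical but its
# file offset shifts because ParseHeader grew.
NEW_FUNCS = dict(OLD_FUNCS)
NEW_FUNCS["ParseHeader"] = bytes.fromhex(
    "55 8b ec 83 ec 20 8b 4d 0c 83 f9 20 77 09 8b 45 08 50 e8 00 00 00 00 8b e5 5d c3")
NEW_FUNCS["ValidateLength"] = bytes.fromhex("55 8b ec 8b 45 08 3d 00 01 00 00 0f 96 c0 5d c3")


def build_image(funcs):
    """Lay functions out back to back; return (image, {name: (offset, size)}).

    A real tool would recover the symbol table from PE/ELF metadata or
    symbols; here the layout is constructed.
    """
    image = b""
    symbols = {}
    for name, body in funcs.items():
        symbols[name] = (len(image), len(body))
        image += body
    return image, symbols


def function_hashes(image, symbols):
    """SHA-256 of each function body, keyed by name (offset-independent)."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, (off, size) in symbols.items()}


def changed_functions(old_image, old_syms, new_image, new_syms):
    """Classify functions as added, removed or modified between two images."""
    old_h = function_hashes(old_image, old_syms)
    new_h = function_hashes(new_image, new_syms)
    return {
        "added":    sorted(set(new_h) - set(old_h)),
        "removed":  sorted(set(old_h) - set(new_h)),
        "modified": sorted(n for n in old_h if n in new_h and old_h[n] != new_h[n]),
    }


def byte_diff(old, new):
    """Non-equal edit operations between two function bodies as (tag, old, new)."""
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [(tag, old[i1:i2], new[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def looks_like_inserted_check(chunk):
    """Crude heuristic: 'cmp r/m32, imm8' (83 /7) followed by a short Jcc (70..7f).

    An inserted compare-and-branch is the classic signature of a bounds
    check added by a security fix; real analysis looks at the semantics.
    """
    for i in range(len(chunk) - 3):
        if chunk[i] == 0x83 and ((chunk[i + 1] >> 3) & 7) == 7 and 0x70 <= chunk[i + 3] <= 0x7f:
            return True
    return False


def analyze(old_funcs, new_funcs):
    """Full report: changed functions plus, per modified function, the edits."""
    old_image, old_syms = build_image(old_funcs)
    new_image, new_syms = build_image(new_funcs)
    report = changed_functions(old_image, old_syms, new_image, new_syms)
    report["details"] = {}
    for name in report["modified"]:
        edits = byte_diff(old_funcs[name], new_funcs[name])
        report["details"][name] = {
            "edits": edits,
            "inserted_check": any(looks_like_inserted_check(n) for _, _, n in edits),
        }
    return report


if __name__ == "__main__":
    rep = analyze(OLD_FUNCS, NEW_FUNCS)
    print("added:", rep["added"], "modified:", rep["modified"])
    for name, info in rep["details"].items():
        for tag, o, n in info["edits"]:
            print(f"{name}: {tag} old={o.hex(' ')} new={n.hex(' ')}")
        print(f"{name}: inserted check? {info['inserted_check']}")
```

The interesting output is the single insert inside ParseHeader, which 
flags as a compare-and-branch; LogEvent, despite moving in the file, is 
correctly reported as unchanged. Reversing the branch's target and the 
compared value is the step that turns "this function was patched" into 
"this is where the unchecked length was used," which is the point 
Maiffret is making about how little the advisory itself gives away.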
Last year, Maiffret reported, eEye's Zero-Day Tracker page listed about 
20 cases of open and exploitable flaws, mainly in Microsoft software, 
some of which took as much as three months to patch, and others which 
remained unpatched at the end of the year. "There's still the 'dummy' 
bad-guys, if you will, that just ride coattails," Maiffret said, 
referring to those who simply wait for security firms to post the 
advisories, and race against one another to produce active exploits. In 
those cases, malicious users rely on expensive and exhaustive research 
by Microsoft, eEye, and other legitimate firms.

However, Maiffret warned, there's a cottage industry emerging in the 
creation and distribution of exploits, perhaps as lucrative for 
malicious users as security research is for researchers.

"There's a lot more now that's happening where...there's a whole 
underground market of selling these things, where there's a value - 
$500, or something like that. For example, if you have an exploit for 
Vista, it's worth over $25,000. Things like that have driven [this 
business] where there are smart people who look the other way of their 
morals, and I think that's a trend that's going to continue to 

Independent researchers have become exhausted, Maiffret said, after 
working with Microsoft and other software publishers for months, 
sometimes years, to get a serious flaw corrected. Only certain firms 
like eEye, he added, have the persistence to keep pressing Microsoft and 
get results. "Because it's a business," he said, "it means there's a lot 
of people who are really, really good at it, by virtue of the fact that 
there's a good amount of money to be made on doing those things in the 
underground.

"In 2006, we probably had at least three or four cases of independent 
researchers who tried to report a vulnerability from Microsoft and tried 
to work with them, and Microsoft totally scoffed them off," eEye's 
Maiffret added. "Luckily these guys e-mailed us...and we were able to 
convince them to give it another shot. 'We'd love to help you report it 
to Microsoft, because we have a bigger stick with them...' We're able to 
work with these three or four different guys and actually get Microsoft 
to wake up and realize their vulnerability is important, just because 
it's some kid who's 15 years old in Oklahoma doesn't mean his 
vulnerability is any less important than an eEye-related [one]."

Maiffret praised the work of some security engineers who work to produce 
patches for third-party software when the original manufacturers cannot. 
"We never really advertised that we're a go-between, but when somebody 
like that comes to us and is looking for help, then by all means, we'll 
do whatever we can," Maiffret said, "because we have customers at the 
end of the day, and we'd much rather help facilitate these people talking 
to Microsoft or whoever, rather than just posting on a mailing list. It 
doesn't do anybody any good to just post something without a patch."

[1] http://www.theregister.co.uk/2001/07/20/internet_survives_code_red/
