Online scammers turned entrepreneurs have found a new commodity to auction off: system and software vulnerabilities.
Here’s how it works: Tech savvy cyber crooks identify bugs or vulnerabilities in software applications. Then – instead sharing these findings with the vendor so a patch can be developed – they auction it off online to buyers, many of whom are willing to pay top dollar for this information.
“The name of the game is money,” says a study on malware distribution evolution released recently by Finjan Inc., a Web security product development firm based in San Jose, Calif. The study was conducted by a Finjan facility called the Malicious Code Research Centre (MCRC).
Below are three samples of postings lifted by Finjan from ‘Full Disclosure’, an un-moderated mailing list for discussions on security issues and a forum where software vulnerabilities are detailed and openly discussed:
• “I just found a second bug that allows one to remotely retrieve the contents of other tabs in IE [Internet Explorer Version] 7. Again for sale. Higgest Bidder.”
• “So I just found another vulnerability. This time working on the latest patched up [Internet Explorer] version 6.0. It allows for my code to be run… Let the bidding begin.”
• “Due to the success of my IE [vulnerability] sale I have decided to sell a Windows Vista exploit I discovered. This one work remote (sic) and will run code.”
Cyber crooks are not hesitant to make such open declarations of illicit intent because of the anonymity offered by the Internet. Some have had the gall to try and peddle their information on popular online auction sites such as eBay. Last December eBay pulled an ad that was selling vulnerability information about Microsoft’s spreadsheet program Excel.
“That was a bold, if foolhardy, move on the part of the seller, because eBay is hardly blackmarket at all,” said Ross Armstrong, senior analyst at technology consultancy firm Info-Tech Research Ltd. in London, Ont.
But vulnerability information is also sometimes purchased by legitimate companies. For instance, TippingPoint of Austin, Texas, and iDefense Inc. of Dulles, VA. have both sometimes bought vulnerability data so as to protect their clients against virus attacks.
Last year TippingPoint said it would pay as much as US$2,000 for a verified vulnerability.
“We are for responsible disclosure of vulnerabilities,” said David Endler, director of security research for TippingPoint.
The company deals with “security researchers” who contact TippingPoint with whatever vulnerability they discover. TippingPoint validates the vulnerability, tests it out and classifies it according to potential severity. It then helps its clients develop means of mitigating the vulnerability. The firm also informs the software vendor about the vulnerability in their product, but does not go public until the vendor develops a patch.
While TippingPoint waits for the vendor to come up with their patches other firms disclose to the public any vulnerability they encounter.
Open disclosure according to analysts may a double-edged sword. The disclosure could alert malicious hackers about a system’s flaws, but it could be the only reliable way to ensure software makers come up with the patches.
For those who choose to auction off their findings, “vulnerability” market is also ruled by the laws of supply and demand, and indications are – right now – demand is pretty hot. “As the price tag for new vulnerabilities continues to increase, so does the temptation to sell [them] on the black-market, rather than disclose the information to responsible vendors that can develop patches,” the Finjan study says.
Web security experts say information on how to break into a system can be used to launch spam and phishing attacks or create Web sites with malicious code that covertly take control of a person’s computer.
“The market is driven by crime,” according to Bruce Schneier, security technologist and founder of Counterpane Internet Security Inc. of Mountain View, Calif. He said organizations involved in identity theft “would only be [too] glad to pay upwards of US$1,000 for information that can help them single out at systems vulnerability and exploit it for financial gain.”
The information can also be used to create so called “bot-nets” or networks of personal computers controlled remotely by a malicious hacker, according to Info-Tech’s Armstrong,
“When you have a bot-net of 10,000 to 20,000 hijacked computers, that’s a lot of computing power to use for denial of service attacks, to launch spam, or host Web sites that steal visitors’ confidential information,” said Armstrong.
The Finjan study said back in the 1990s, distribution of viruses was carried out by “script kiddies” in search of fame and recognition among their peers. Later phishing scammers used spoofed e-mail messages to fool people into revealing credit card numbers, passwords and other personal information.
Today spam has evolved from a mere annoyance to a channel for propagating malicious code.
Late this June customers of the National Australian Bank (NAB) were targeted by a spam message claiming the bank had gone bankrupt, and directing readers to another Web site to read the full story.
The second Web site actually installed a Trojan virus on the machine of people who visited the site. The code immediately searched for unpatched vulnerabilities on user machines and exploited them to gain control of the computer.
There is the odd time when vulnerabilities are created – perhaps inadvertently – by a legit company.
For instance, late last year SonyBMG placed copy protection software on one of its CDs that used a sophisticated cloaking technique involving use of a rootkit. A rootkit is often used by virus writers to hide traces of their work on a computer, and can be used by a malicious hacker to gain control over a computer.
As part of a court-ordered settlement, SonyBMG was recently directed to compensate consumers who purchased Sony audio CDs that installed a rootkit when they were played on a PC. The compensation amounts to US$7.50 and a free album download from Sony’s catalogue for each CD purchased.
“What is common to all these threats is that they are driven by active content (such as Java Script, VB Script, ActiveX, or Java Applets)–those same technologies that enable users to browse Web sites and run common business applications,” the study said.
Yuval Ben-Itzhak, chief technology officer of Finjan said a great deal of malicious code is able to bypass traditional anti-virus and anti-spam software in the market today because these products are signature-based.
“These software products search for virus signatures. But if a virus is new or unknown, the software will not be able to recognize it.”
Ben-Itzhak said Finjan software blocks malicious code based on its behaviour. The moment the NG 51000 detects questionable behaviour on the part of a visited site it blocks that site.
“If a site begins installing executable cod
