WMF Exploits Sold By Russian Hackers

Windows Metafile (WMF)

The bug in Windows' rendering of WMF images was serious enough that Microsoft issued an out-of-cycle patch for the problem in early January, in part because scores of different exploits lurked on thousands of Web sites, including many compromised legitimate sites. At one point, Microsoft was even accused of purposefully creating the vulnerability as a "back door" into Windows.

Alexander Gostev, a senior virus analyst for Moscow-based Kaspersky Labs, recently published research that claimed the WMF exploits could be traced back to an unnamed person who, around Dec. 1, 2005, found the vulnerability.

"It took a few days for exploit-enabling code to be developed," wrote Gostev in the paper published online, but by the middle of the month, that chore was completed. And then the exploit went up for sale.

"It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000," said Gostev.

"There's no doubt this is the way it happened," said U.S.-based Shane Coursen, senior technical analyst with Kaspersky. "Kaspersky, being in Russia, has advantages over U.S. security companies" when it comes to Russian hacker activity, he added. "And the company has excellent links with the Russian government."

It took almost two weeks before security firms, including Kaspersky, got wind of the WMF exploits, with the first suspicious WMF files reaching researchers on Dec. 26. Even then, most firms -- and Microsoft too -- were uncertain about the threat the exploits posed. Not surprising, Gostev added. "The hacker groups didn't understand exactly how the vulnerability functioned," he claimed. "[And] research bodies did not have information about the fact that the exploit was being sold, due to the fact that it was created for the Russian market."

"The hackers thought the vulnerability was less important than it actually was," confirmed Coursen. "They really didn't know what they had."

According to Kaspersky's research, one of the first buyers of the for-money exploit was a Russian adware and spyware distributor, who used it to illegally install such software on machines whose users simply surfed to his site(s). That may be one of the reasons why the WMF exploit was used on so many other adware- and spyware-spewing sites.

The whole WMF event was off-kilter from the norm, said Coursen. Usually, vulnerabilities are discovered by specialized research firms, such as iDefense or eEye Digital Security. "One very important aspect is that the vulnerability was first identified by members of the computer underground," said Gostev.

"We'll see more of these types of events," Coursen predicted, referring to zero-day bugs that are found by profit-taking hackers. "It's kind of a natural progression from where things are today," he said. "A vulnerability actually has value."

That could mean trouble in 2006. "Statistically, zero-day events have been rare. Just another one or two a year could throw the world into an uproar."