[Infowarrior] - System vulnerabilities being sold in on-line auctions

[Richard Forno]

http://www.theglobeandmail.com/servlet/story/RTGAM.20060713.gtauctionjul13/B
NStory/Technology/home

System vulnerabilities being sold in on-line auctions

NESTOR E. ARELLANO

ITWorld Canada

On-line scammers turned entrepreneurs have found a new commodity to auction
off: system and software vulnerabilities.

Here's how it works: Tech savvy cyber crooks identify bugs or
vulnerabilities in software applications. Then ‹ instead sharing these
findings with the vendor so a patch can be developed ‹ they auction it off
on-line to buyers, many of whom are willing to pay top dollar for this
information.

"The name of the game is money," says a study on malware distribution
evolution released recently by Finjan Inc., a Web security product
development firm based in San Jose, Calif. The study was conducted by a
Finjan facility called the Malicious Code Research Centre (MCRC).

Below are three samples of postings lifted by Finjan from 'Full Disclosure',
an un-moderated mailing list for discussions on security issues and a forum
where software vulnerabilities are detailed and openly discussed:

    * "I just found a second bug that allows one to remotely retrieve the
contents of other tabs in IE [Internet Explorer Version] 7. Again for sale.
Higgest Bidder."
    * "So I just found another vulnerability. This time working on the
latest patched up [Internet Explorer] version 6.0. It allows for my code to
be run... Let the bidding begin."
    * "Due to the success of my IE [vulnerability] sale I have decided to
sell a Windows Vista exploit I discovered. This one work remote (sic) and
will run code." 

Cyber crooks are not hesitant to make such open declarations of illicit
intent because of the anonymity offered by the Internet. Some have had the
gall to try and peddle their information on popular on-line auction sites
such as eBay. Last December eBay pulled an ad that was selling vulnerability
information about Microsoft's spreadsheet program Excel.

"That was a bold, if foolhardy, move on the part of the seller, because eBay
is hardly blackmarket at all," said Ross Armstrong, senior analyst at
technology consultancy firm Info-Tech Research Ltd. in London, Ont.

But vulnerability information is also sometimes purchased by legitimate
companies. For instance, TippingPoint Technologies Inc. of Houston, Texas,
and iDefense Inc. of Dulles, VA. have both sometimes bought vulnerability
data so as to assist other firms in deterring virus attacks.

Last year TippingPoint said it would pay as much as $2,000 (U.S.) for a
verified vulnerability.

"We are for responsible disclosure of vulnerabilities," said David Endler,
director of security research for TippingPoint.

The company deals with "security researchers" who contact TippingPoint with
whatever vulnerability they discover. TippingPoint validates the
vulnerability, tests it out and classifies it according to potential
severity. It then helps its clients develop means of mitigating the
vulnerability. The firm also informs the software vendor about the
vulnerability in their product, but does not go public until the vendor
develops a patch.

While TippingPoint waits for the vendor to come up with their patches other
firms disclose to the public any vulnerability they encounter.

Open disclosure according to analysts may a double-edged sword. The
disclosure could alert malicious hackers about a system's flaws, but it
could be the only reliable way to ensure software makers come up with the
patches.

For those who choose to auction off their findings, "vulnerability" market
is also ruled by the laws of supply and demand, and indications are ‹ right
now ‹ demand is pretty hot. "As the price tag for new vulnerabilities
continues to increase, so does the temptation to sell [them] on the
black-market, rather than disclose the information to responsible vendors
that can develop patches," the Finjan study says.

Web security experts say information on how to break into a system can be
used to launch spam and phishing attacks or create websites with malicious
code that covertly take control of a person's computer.

"The market is driven by crime," according to Bruce Schneier, security
technologist and founder of Counterpane Internet Security Inc. of Mountain
View, Calif. He said organizations involved in identity theft "would only be
[too] glad to pay upwards of US$1,000 for information that can help them
single out at systems vulnerability and exploit it for financial gain."

The information can also be used to create so called "bot-nets" or networks
of personal computers controlled remotely by a malicious hacker, according
to Info-Tech's Armstrong,

"When you have a bot-net of 10,000 to 20,000 hijacked computers, that's a
lot of computing power to use for denial of service attacks, to launch spam,
or host websites that steal visitors' confidential information," said
Armstrong.

The Finjan study said back in the 1990s, distribution of viruses was carried
out by "script kiddies" in search of fame and recognition among their peers.
Later phishing scammers used spoofed e-mail messages to fool people into
revealing credit card numbers, passwords and other personal information.

Today spam has evolved from a mere annoyance to a channel for propagating
malicious code.

Late this June customers of the National Australian Bank (NAB) were targeted
by a spam message claiming the bank had gone bankrupt, and directing readers
to another website to read the full story.

The second website actually installed a Trojan virus on the machine of
people who visited the site. The code immediately searched for unpatched
vulnerabilities on user machines and exploited them to gain control of the
computer.

There is the odd time when vulnerabilities are created ‹ perhaps
inadvertently ‹ by a legit company.

For instance, late last year SonyBMG placed copy protection software on one
of its CDs that used a sophisticated cloaking technique involving use of a
rootkit. A rootkit is often used by virus writers to hide traces of their
work on a computer, and can be used by a malicious hacker to gain control
over a computer.

As part of a court-ordered settlement, SonyBMG was recently directed to
compensate consumers who purchased Sony audio CDs that installed a rootkit
when they were played on a PC. The compensation amounts to US$7.50 and a
free album download from Sony's catalogue for each CD purchased.

"What is common to all these threats is that they are driven by active
content (such as Java Script, VB Script, ActiveX, or Java Applets) ‹ those
same technologies that enable users to browse websites and run common
business applications," the study said.

Yuval Ben-Itzhak, chief technology officer of Finjan said a great deal of
malicious code is able to bypass traditional anti-virus and anti-spam
software in the market today because these products are signature-based.

"These software products search for virus signatures. But if a virus is new
or unknown, the software will not be able to recognize it."

Ben-Itzhak said Finjan software blocks malicious code based on its
behaviour. The moment the NG 51000 detects questionable behaviour on the
part of a visited site it blocks that site.

"If a site begins installing executable codes on a computer, tries to access
disks or read files, monitor keystrokes, access and modify registry or try
to control the computer, it's out," Ben-Itzhak said.

"Open disclosure may be imperfect, but it's the only way to guarantee that
things will get fixed," said Schneier. "Unless vulnerability is made public,
some software makers won't work on the patches."

Armstrong said legitimate firms who buy vulnerability information to develop
filters or alert its clients are beneficial.

"It is a good, pro-active approach and it helps vendors save on research
dollars," he said.

Aside from the anonymity provided by the Internet, the lack of a coherent
and legislation covering the matter prevents authorities from keeping the
lid on vulnerability auctions. "This is one giant grey zone," according to
Armstrong.

"While it may be against the law to propagate viruses, or steal private
information, it is not illegal to publish or sell vulnerability
information," he said.