Rogue "Malware Spreading Security Researchers" Launch Malicious Social Engineering Campaign Against Legitimate Researchers - OSINT Analysis

Security researchers from Google have recently spotted and properly analyzed a currently circulation malicious software spreading social engineering driven malicious campaign that's actively interacting with legitimate researchers on social media and private channels for the purpose of tricking them into testing a newly discovered zero day flaw which in reality drops malware on the affected hosts and phones back to a C&C server potentially attempting to compromise the researchers in question.

Sample screenshots of the campaign currently in circulation:

Sample malicious MD5s known to have participated in the campaign:

MD5: 7fc2af97b004836c5452922d4491baaa

MD5: 6252cec30f4fb469aefa2233fe7323f8

MD5: 56018500f73e3f6cf179d3b853c27912

MD5: b52e05683b15c6ad56cebea4a5a54990

MD5: 9e9f69ed56482fff18933c5ec8612063

MD5: f5475608c0126582081e29927424f338

MD5: ae17ce1eb59dd82f38efb9666f279044

Stay tuned!

Continue reading →

Delaying Yesterday's "0day" Security Vulnerability

I never imagined we would be waiting for the release of a "0day" vulnerability, but I guess that's what happens if you're not a customer of an informediary in the growing market for software vulnerabilities -- growth in respect to, researchers, infomediaries and security vulnerabilities. Stay tuned for "Exploit Of Windows 2000 Zero-day To Hit In June", and take your time to appreciate that it's affecting "extended support" software. From the article :



"Symantec warned its enterprise customers Thursday that an unpatched vulnerability in Windows 2000’s file sharing protocol has surfaced, with details of an exploit expected to show next month. According to the Cupertino, Calif. company’s alert, an exploit for the zero-day bug in Windows 2000’s SMB (Server Message Block) protocol has been created by Immunity Security, the makers of the CANVAS exploit-creation platform. By Immunity researcher Dave Aitel’s account, the exploit leverages a flaw in the operating system’s kernel that can be triggered through SMB, and will give an attacker full access to the PC. Aitel claimed Immunity will make the exploit public in June. "Immunity is considered to be a reliable source and we are of the opinion that this information should be treated as fact," read Symantec’s warning. "An official security update from Microsoft will likely not be in development until after June when the information is released."



Well, how can they fix in such a way, even though their "sophisticated", quality-obsessed patch management practices. When working with vulnerabilities, or updating yourself with the dailypack of new ones, don't live with the false feeling of their uniqueness, but try figuring out how to be a step ahead of the vulnerabilities management stage. If Microsoft requested from Immunity Security to look up for possible security vulnerabilities, gave them a deadline, and secured a commission in case a vulnerability is actually found, it would have perfectly fited in the scenario in a previous post "Shaping the Market for Security Vulnerabilities Through Exploit Derivatives" -- reporting a vulnerability, let's not mention web application vulnerability is for the brave these days. Moreover, "Economic Analysis of the Market for Software Vulnerability Disclosure" quotes Arora et al. on the same issue from a vendor's point of view :



"developing an economic model to study a vendor's decision of when to introduce its software and whether or not to patch vulnerabilities in its software. They compare the decision process of a social-welfare maximizing monopolistic vendot, to that of a profit-maximizing monopolistic vendor. Interestingly, they observe that the profit-maximizing vendor delivers a product that has fewer bugs, than a social-welfare maximizing vendor. Howver, the profit-maximizing vendor is less willing to patch its software than its social-welfare maximizing counterpart." - The Price of Restricting Vulnerability Publications is indeed getting higher.



Reactive, Proactive, or Adaptive - what's your current security strategy? Continue reading →

Shaping the Market for Security Vulnerabilities Through Exploit Derivatives

In a previous post "0bay - how realistic is the market for security vulnerabilities?" I gave a brief overview of the current market infomediaries and their position, listed various research I recommend you to go through, and speculated on an auction based market model.


During April, at the CanSecWest Security Conference "Groups argued over merits of flaw bounties" some quotes :

"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about a vulnerabilities ahead of time, but they are unwilling to pay for them." - Michael Sutton



"What I can give people who find vulnerabilities is a small amount of fame. iDefense can give them $10,000." - Darius Wiles



"As a civil rights issue, selling vulnerabilities is just fine. As a keeping-the-customers safe issue, it's junk." - Novell director of software engineering Crispin



"If I come to you and offer to sell you a vulnerability in your product, I am going to be cuffed and arrested," he told the representatives of software makers on the panel." - Matthew Murphy



And the discussion is reasonably pretty hot with a reason. Back in January Microsoft expressed their opinion on the informediaries based market model like :



"One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, a spokesperson for Microsoft, based in Redmond, Wash., said paying for flaws is not the best way to secure software products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the spokesperson said in a statement sent to eWEEK. "



and while Microsoft talks about responsible disclosure, that's exactly the type of model I don't really think exist anymore. Peter Mell made a good point that "I don't support this activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or product. It does not help security in the industry," Mell said in an interview with eWEEK." -- but it still offers the opportunity to bring order into the chaos doesn't it?



The WMF vulnerability apparently got purched for $4000 and I among the few scenarios that I mentioned were on vendors purchasing vulnerabilities and requested vulnerabilities, or a reverse model :



"requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?"



Coming across 0day vulnerabilities for sale, I also came across Rainer Boehme's great research on various market models, among them exploit derivatives. Have you ever though of using exploit derivatives, on the called "futures market"? I think the idea has lots of potential, and he described it as :



"Instead of trading sensitive vulnerability information directly, the market mechanism is build around contracts that pay out a defined sum in case of security events. For instance, consider a contract that pays its owner the sum of 100 EUR on say 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform."



The OS/Vendor/Product/Version/Deadline type of reverse model that I also mentioned is a good targeted concept if it were used by vendors for instance, and while it has potential to have a better control over the market, the lack of common and trusted body to take the responsibility to target Windows and Apple 50/50 for istance, still makes me think. The best part is how it would motivate researchers at the bottom line -- deadlines result in spontaneous creativity sometimes.

More on the topic of security vulnerabilities and commercializing the market, in a great article by Jennifer Granick (remember Michael Lynn's case?) she said that :



"I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others. Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem."



Who should be empowered at the bottom line, the informediaries centralizing the process, or the security researchers/vulnerability diggers starting to seek bids for their reseach efforts?

On the other hand, I think that the current market model suffers from a major weakness and that is the need for achieving faster liquidity if we can start talking about such.


Basically, sellers of vulnerabilities want to get their commissions as soon as possible, which is where the lucrative underground market easily develops. While I am aware of cases where insurers are already purchasing vulnerabilities to hedge risks until tomorrow I guess, anyone would put some effort into obtaining a critical MS vulnerability given a deadline and hefty reward, but who's gonna act as a social planner here? Continue reading →

"Successful" communication

You know Dilbert, don't you? I find this cartoon a very good representation of what is going on in the emerging market for software vulnerabilities, and of course, its OTC trade practices -- total miscommunication and different needs and opinions. While different opinions and needs provoke quality discussion and I understand the point that everyone is witnessing that something huge is happening, "so why shouldn't I?", but at the bottom line, it's so obvious that there isn't any sort of mission or social welfare goal to be achieved, that everyone is commercializing what used to be the "information wants to be free" attitude.



Weren't software vulnerabilities supposed to turn into a commodity given the number of people capable and actually discovering them, where "windows of opportunities" get the highest priority as a con? That is, compared to commercializing vulnerability research, empowering researchers to the skies, and turning vulnerabilities into an IP, totally decentralizing the current sources of information, and fueling the growth of underground models, as it's obvious that for the time being vulnerabilities and their early acquirement seems to be where the $ is. What do you think?



Technorati tags :
Security, Vulnerabilities, 0day, 0bay, Dilbert Continue reading →

Where's my 0day, please?

A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite a success to come across that the concept has been happening right there in front of us. Check out the screenshots. The International Exploits Shop I came across to looks like this :



It appears to be down now, while it has simply changed its location to somewhere else. Google no longer has it cached, and the the only info on this wisely registered .in domain, can be found at Koffix Blocker's site.



A lot of people underestimate the power of the over-the-counter(OTC), market for 0day security vulnerabilities. Given that there isn't any vulnerabilities auction in place that would provide a researcher with multiple proposals, and the buyers with a much greater choice or even social networking with the idea to possibly attract skilled HR, the seller is making personal propositions with the idea to get higher exposure from the site's visitors. Whoever is buying the exploit and whatever happens with it doesn't seem to bother the seller in this case.



As there's been already emerging competition between different infomediaries that purchase vulnerabilities information and pay the researchers, researchers themselves are getting more and more interested in hearing from "multiple parties". Turning vulnerability research, and its actual findings into an IP, and offering financial incentives is tricky, and no pioneers are needed in here!



There's been a lot of active discussion among friends, and over the Net. I recently came across a great and very recent research entitled "Vulnerability markets - what is the economic value of a zero-day exploit?", by Rainer Boehme, that's worth the read. Basically, it tries to list all the market models and possible participants, such as :



Bug challenges
- Bug challenges are the simplest and oldest form of vulnerability markets, where the producer offers a monetary reward for reported bugs. There are some real-world examples for bug challenges. Most widely known is Donald E. Knuth’s reward of initially 1.28 USD for each bug in his TEX typesetting system, which grows exponentially with the number of years the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI challenge on digital audio watermarking



Bug auctions
-Bug auctions are theoretical framework for essentially the same concept as bug
challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory,
in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed him to draw on a huge body of literature and thus add a number of eciency enhancements to the original concept. However, the existence of this market type still depends on the initiative of the vendor


Vulnerability brokers
-Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are
built around independent organizations (mostly private companies) who oer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club


-Cyber Insurance
Cyber-insurance is among the oldest proposals for market mechanisms to overcome the security market failure. The logic that cures the market failure goes as follows: end users demand insurance against financial losses from information security breaches and insurance companies sell this kind of coverage after a security audit. The premium is assumed to be adjusted by the individual risk, which depends on the IT systems in use and the security mechanisms in place.



Let's try define the market's participants, their expectations and value added through their actions, if any, of course.



Buyers
-malicious (E-criminals, malware authors, competitors, political organization/fraction etc.)
-third party, end users, private detectives, military, intelligence personnel
-vendors (either through informediary, or directly themselves, which hasn't actually happened so far)



Sellers
-reputable
-newly born
-questionable
-does it matter at the bottom line?



Intermediaries
-iDefense
-ZeroDayInitiative-Digital Armaments



Society
-Internet
-CERT model - totally out of the game these days?



As iDefense simply had to restore their position in this emerging market developed mainly by them, an offer for $10,000 was made for a critical vulnerability as defined by Microsoft. I mean, I'm sort of missing the point in here. Obviously, they are aware of the level of quality research that could be sold to them.


Still I wonder what exactly are they competing with :



- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?



- ensuring the proactive security of its customers through first notifying them, and them and then the general public? That doesn't necessarily secures the Internet, and sort of provides the clientele with a false feeling of security, "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?



- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?



- improving the company's clients list through constant collaboration with leading vendors while communication a vulnerability in their software products?



A lot of research publications reasonably argue that the credit for the highest social-welware return goes to a CERT type of a model. And while this is truly, accountability and providing a researcher with the highest, both tangible, and intangible reward for them is what also can make an impact. As a matter of fact, is blackmailing a nasty option that could easily become reality in here, or I'm just being paranoid?



To conclude, this very same shop is definitely among the many other active out there for sure, so, sooner or later we would either witness the introduction of a reputable Auction based vulnerabilities market model, or continue living with windows of opportunities, clumsy vendors, and 0day mom-and-dad shops :) But mind you, turning vuln research into IP and paying for it would provide enough motiviation for an underground 0bay as well, wouldn't it?



14.03.2006

OSVDB's Blog - Where's my 0day, please?
OSVDB's Blog - Vulnerability Markets



11.03.2006

LinuxSecurity.com - Where's my 0day, please?
FIRST - Where's my 0day, please?



10.03.2006 - Sites that picked up the story :

Net-Security.org - Where's my 0day, please?
MalwareHelp.org- The International Exploits Shop: Where's my 0day, please?
Security.nl - Internationale Exploit Shop levert 0days op bestelling
WhiteDust.net - Where's my 0day, please?
Reseaux-Telecoms.net - Danchev sur l'Achat de failles
Informit Network - 0-Days for Sale



09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "Black market thrives on vulnerability trading", from the article :



"Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading. As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'"



and "The value of vulnerabilities", a quote :



“ There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it. "



Technorati tags:
Security, 0day, 0bay, Vulnerabilities, Exploits, iDefense, ZeroDayInitiative, Digital Armaments Continue reading →

How to win 10,000 bucks until the end of March?

I feel that, in response to the recent event of how the WMF vulnerability got purchased/sold for $4000 (an interesting timeframe as well), iDefense are actively working on strengthening their market positioning - that is the maintain their pioneering position as a perhaps the first company to start paying vulnerability researchers for their discoveries.


The company recently offered $10,000 for the submission or a vulnerability that gets categorized as critical in any of Microsoft's Security Bulletins. In the long-term, would vulnerability researchers be able to handle the pressure put on them through such financial incentives, and keep their clear vision instead of sell their souls/skills? What if someone naturally offers more, would money be the incentive that can truly close the deal, and is it just me realizing how bad is it to commercialize the not so mature vuln research market, namely how this would leak all of its current weaknesses?



Consider going through some of my previous thoughts on the emerging market for software/0day vulnerabilities as well and stay tuned for another recent discovery a dude tipped me on, thanks as a matter of fact!



Technorati tags:
idefense, vulnerabilities Continue reading →