Exploit broker aims marketing machine at Unix app crack

Deals so great... they're insane!

WabiSabiLabi, which bills itself as the eBay of software vulnerabilities, has borrowed a page from used car salesmen, except instead of talking up their affordable rates and low down payments, the outfit is championing the sale of a nasty sounding exploit that puts Unix boxes at risk.

The vulnerability resides in ClamAV, an open source anti-virus toolkit for Unix-based email gateways. Two weeks ago, WabiSabiLabi listed the auction of exploit code that targets the antivirus program, so far without a single person bidding on it. Enter the group's marketing monkeys, who in a blog post are trying to drum up interest.

"It has been recently submitted to our labs a vulnerability that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite by simply sending a specially crafted email to the vulnerable mail server," the spinmeisters write (their emphasis). "This vulnerability has a starting price of 500 euros: bid on that and, as a security company, you will gain a very high competitive advantage."

The selling of exploits for cash is becoming increasingly common as security researchers try to recoup compensation for what often amounts to hundreds of hours in the lab turning a vague theory about a weakness into working proof-of-concept code. While shopping around vulnerabilities can sometimes be a contentious issue, it has been embraced by at least two mainstream security companies, which say the practice goes a long way toward making their customers safer.

"It's one thing to market your program and market the existence of it," says Terri Forslof, manager of security response for TippingPoint, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities. "It's another to try and use something like that and specifically market that vuln. If anything, it just seems kind of cheesy to me."

WabiSabiLabi's carnival barking comes almost two weeks after Roberto Preatoni, the group's founder, was among those arrested by Italian police investigating a spying scandal involving Telecom Italia. WabiSabiLabi issued a press release saying "we are confident that his innocence will be established if a case ever comes to court."

The shameless plug also comes amid what might be considered less-than-spectacular enthusiasm for WabiSabiLabi's vulnerability marketplace. In all, it records 38 auctions listed since the site went live in August. Of the 19 listings currently pending at the time of writing, only two had bids, and in each case, there was only one bid. Furthermore, seven listings were scheduled to expire in less than nine hours, and none of them had attracted a single bid.

Representatives from Switzerland-based WabiSabiLabi weren't immediately available for comment.

In all, WabiSabiLabi claims to have received more than 150 vulnerability submissions, and that raises another question: What is it doing with all of those exploits? The company says it's rejected about 40 entries because researchers used illegal methodologies such as reverse engineering of protected software to discover them.

Even so, there's a wide gulf between the remaining 110 submissions and the 38 that have been publicly brokered, and that has Forslof scratching her head about things like whether the group sells some exploits privately before listing them on its marketplace.

"When I look at that I can't say what number of those were valid, [and] what the process is to vet those out," she says. "What I'd still like to see from them is quite a bit more transparency." ®
