Exploit broker aims marketing machine at Unix app crack

Deals so great... they're insane!

WabiSabiLabi, which bills itself as the eBay of software vulnerabilities, has borrowed a page from used car salesmen, except instead of talking up their affordable rates and low down payments, the outfit is championing the sale of a nasty-sounding exploit that puts Unix boxes at risk.

The vulnerability resides in ClamAV, an open source anti-virus toolkit for Unix-based email gateways. Two weeks ago, WabiSabiLabi listed the auction of exploit code that targets the antivirus program, so far without a single person bidding on it. Enter the group's marketing monkeys, who in a blog post are trying to drum up interest.

"It has been recently submitted to our labs a vulnerability that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite by simply sending a specially crafted email to the vulnerable mail server," the spinmeisters write (their emphasis). "This vulnerability has a starting price of 500 euros: bid on that and, as a security company, you will gain a very high competitive advantage."

The selling of exploits for cash is becoming increasingly common as security researchers try to recoup compensation for what often amounts to hundreds of hours in the lab turning a vague theory about a weakness into proof-of-concept code. While shopping around vulnerabilities can sometimes be a contentious issue, it has been embraced by at least two mainstream security companies that say the practice goes a long way toward making their customers safer.

"It's one thing to market your program and market the existence of it," says Terri Forslof, manager of security response for TippingPoint, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities. "It's another to try and use something like that and specifically market that vuln. If anything, it just seems kind of cheesy to me."

WabiSabiLabi's carnival barking comes almost two weeks after Roberto Preatoni, the group's founder, was among those arrested by Italian police investigating a spying scandal involving Telecom Italia. WabiSabiLabi issued a press release saying "we are confident that his innocence will be established if a case ever comes to court."

The shameless plug also comes amid what might be considered less-than-spectacular enthusiasm for WabiSabiLabi's vulnerability marketplace. In all, it records 38 auctions listed since the site went live in August. Of the 19 listings currently pending at the time of writing, only two had bids, and in each case, there was only one bid. Furthermore, seven listings were scheduled to expire in less than nine hours, and none of them had attracted a single bid.

Representatives from Switzerland-based WabiSabiLabi weren't immediately available for comment.

In all, WabiSabiLabi claims to have received more than 150 vulnerability submissions, and that raises another question: What is it doing with all of those exploits? The company says it's rejected about 40 entries because researchers used illegal methodologies such as reverse engineering of protected software to discover them.

Even so, there's a wide gulf between the remaining 110 submissions and the 38 that have been publicly brokered, and that has Forslof scratching her head about things like whether the group sells some exploits privately before listing them on its marketplace.

"When I look at that I can't say what number of those were valid, [and] what the process is to vet those out," she says. "What I'd still like to see from them is quite a bit more transparency." ®
