Feeds

Exploit broker aims marketing machine at Unix app crack

Deals so great... they're insane!

Beginner's guide to SSL certificates

WabiSabiLabi, which bills itself as the eBay of software vulnerabilities, has borrowed a page from used car salesmen, except instead of talking up their affordable rates and low down payments, the outfit is championing the sale of a nasty sounding exploit that puts Unix boxes at risk.

The vulnerability resides in ClamAV, an open source anti-virus toolkit for Unix-based email gateways. Two weeks ago, WabiSabiLabi listed the auction of exploit code that targets the antivirus program, so far without a single person bidding on it. Enter the group's marketing monkeys, who in a blog post are trying to drum up interest.

"It has been recently submitted to our labs a vulnerability that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite by simply sending a specially crafted email to the vulnerable mail server," the spinmeisters write (their emphasis). "This vulnerability has a starting price of 500 euros: bid on that and, as a security company, you will gain a very high competitive advantage."

The selling of exploits for cash is becoming increasingly common as security researchers try to recoup compensation for what often amounts to hundreds of hours in the lab turning a vague theory about a weakness into a proof-of-concept code. While shopping around vulnerabilities can sometimes be a contentious issue, it has been embraced by at least two mainstream security companies that say the practice goes a long way to making their customers safer.

"It's one thing to market your program and market the existence of it," says Terri Forslof, manager of security response for TippingPoint, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities. "It's another to try and use something like that and specifically market that vuln. If anything, it just seems kind of cheesy to me."

WabiSabiLabi's carnival barking comes almost two weeks after Roberto Preatoni, the group's founder, was among those arrested by Italian police investigating a spying scandal involving Telecom Italia. WabiSabiLabi issued a press release saying "we are confident that his innocence will be established if a case ever comes to court."

The shameless plug also comes amid what might be considered less-than-spectacular enthusiasm for WabiSabiLabi's vulnerability marketplace. In all, it records 38 auctions listed since the site went live in August. Of the 19 listings currently pending at the time of writing, only two had bids, and in each case, there was only one bid. Furthermore, seven listings were scheduled to expire in less than nine hours, and none of them had attracted a single bid.

Representatives from Switzerland-based WabiSabiLabi weren't immediately available for comment.

In all, WabiSabiLabi claims to have received more than 150 vulnerability submissions, and that raises another question: What is it doing with all of those exploits? The company says it's rejected about 40 entries because researchers used illegal methodologies such as reverse engineering of protected software to discover them.

Even still, there's a wide gulf between the remaining 110 submissions and the 38 that have been publicly brokered, and that has Forslof scratching her head about things like whether the group sells some exploits privately before listing them on its marketplace.

"When I look at that I can't say what number of those were valid, [and] what the process is to vet those out," she says. "What I'd still like to see from them is quite a bit more transparency." ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.