Hackers writing zero-day malware to order

by William Eazel

04 Feb 2006

Exploits for the Windows .wmf vulnerability are being developed for the Russian market

Russian security company Kaspersky Lab says it has uncovered a worrying trend in the wake of the Windows Metafile (.wmf) vulnerability that caught Microsoft out at the end of last year, and which the company patched out of cycle as MS06-001 in early January: hackers are tailoring zero-day malware for specific markets and selling it.

Kaspersky claims that exploits for the .wmf vulnerability that emerged over Christmas were being developed specifically for the Russian market, away from the eyes of security companies.

"Around the middle of December, this exploit could be bought from a number of specialised sites," the company said.

"It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. One of the purchasers is involved in the criminal adware/spyware business, and it seems likely that this was how the exploit became public."

A watershed was reached at the end of 2005, according to Kaspersky. There were two critical vulnerabilities in Windows, a month apart, which were publicised before a patch was made available. Both vulnerabilities were exploited by malicious programs almost immediately.

In November, a research group known as 'Computer Terrorism' published a proof of concept exploit for a flaw in the way Internet Explorer handled the JavaScript 'window()' function, which worked against a fully patched version of the browser.

Microsoft had known about the bug since it was reported in May 2005 as a browser crash, but had not rated it a priority because no serious exploit had been found.

However, Computer Terrorism understood the vulnerability better than Microsoft and tweaked the code to install and execute a file on a victim system without the knowledge or consent of the user.

A week later, exploits surfaced on the internet. "This was the first case in which a Trojan exploited a vulnerability in Windows for which no patch existed," Kaspersky said.

The situation was repeated in late December when the .wmf exploit surfaced. "It was clear that this was the latest zero-day vulnerability, and Microsoft knew nothing about it," said Kaspersky.

"The most worrying thing is that the virus writing community not only detected this vulnerability before Microsoft, but before any other major company specialising in the identification of vulnerabilities."
