Security threats Toolkit

Russian hackers 'sold WMF exploit'

Joris Evers CNET News.com

Published: 03 Feb 2006 09:30 GMT

Competing hacker groups in Russia were peddling the exploit code responsible for the WMF attacks last December for $4,000, according to security company Kaspersky Lab.

"One of the purchasers of the exploit is involved in the criminal adware/spyware business," read a Kaspersky quarterly report released this week. "It seems likely that this was how the exploit became public."

The WMF flaw unsettled security experts after they found that the virus-writing community discovered the vulnerability before they did. A slew of Trojans were written to try and take advantage of the exploit. The British Parliament was attacked by hackers http://news.zdnet.co.uk/internet/security/0,39020375,39248387,00.htm" title="Hackers attacked parliament using WMF exploit">who tried to exploit the WMF flaw.

MessageLabs, an email filtering provider for the government, said last month that targeted emails were sent to various individuals within government departments in an attempt to take control of their computers. The emails contained the exploit code.

A statement on the Kaspersky site said more than a thousand instances of malicious code were detected in a week. "As the vulnerability was present in all versions of Windows, the situation threatened to spiral out of control."

According to Kaspersky, the situation was mitigated by the holiday season, when Internet use was much lighter than normal.

When the corrupt WMF files finally came to the attention of anti-spyware experts, they were traced back to Web sites known to spread adware.

Security companies have lamented the practice by some Web advertisers of paying others to distribute their software. Some of the more unscrupulous among those are in the business of distributing exploits that let them spread adware without the knowledge of computer users.