Categories: Security

Security Firm Finds Zero-Day Flaw By Turning Users Into Honeypots

When emails leaked from surveillance tools vendor Hacking Team hinted at a critical vulnerability in Microsoft’s Silverlight multimedia player, researchers at security firm Kaspersky Lab wondered if they would be able to find a way to catch an attacker exploiting the flaw.

Turns out they could.

On Jan. 12, Microsoft patched a critical vulnerability in its Silverlight player that Kaspersky was able to pinpoint after it caught an attacker using an exploit. The attack code is thought to be the same exploit that a 30-something Russian bug finder, Vitaliy Toropov, attempted to sell to Hacking Team, as revealed by leaked emails.

Multiple vulnerabilities

“He had sold multiple vulnerabilities to Hacking Team in the past,” Brian Bartholomew, a senior security researcher at Kaspersky Lab, told eWEEK. “We thought it likely that if Hacking Team didn’t buy it, he may have sold it to someone else.”

The fact that Kaspersky could detect the attack is impressive, since the company knew very little about the exploit. By taking two pieces of information—the name of the exploit developer and his focus on a Silverlight vulnerability—Kaspersky researchers found an older Silverlight exploit created by the same developer, reverse-engineered the older attack and used unique strings in the code to developed rules that would likely match a future attack.

“After implementing the detection, we waited, hoping that an APT [advanced persistent threat] group would use it,” the Kaspersky researchers stated in an online writeup of their experiment. “Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it?”

To detect the attack, Kaspersky uploaded its pattern rule to the antivirus software used by millions of customers, essentially turning its user base into a giant neighborhood watch program. When an attack happened, the software blocked the exploit and delivered details of the attack to Kaspersky.

“The software protects them from the attack, but at the same time, there is some valuable intelligence and information on the attack itself, so we do pull back very limited metadata from the attacks,” Bartholomew said.

Security firm Qualys had rated the Silverlight vulnerability as a less-interesting part of Microsoft’s regular Patch Tuesday update, but following Kaspersky’s report on the bug and evidence that the attack is being used in the wild, the company raised its rating of the vulnerability.

The big question for Kaspersky is whether Toropov wrote and sold the exploit.

“Several things make us think it’s one of his exploits, such as the custom error strings,” the company’s researchers stated in their online analysis. “Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though—the world is a bit safer with the discovery and patching of this one.”

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago