By Scott M. Fulton, III
January 24, 2007
In a recent interview with BetaNews, the chief technology officer of the
company that discovered history's most expensive worm -- the "Code Red"
worm that exploited a wide-open buffer overflow vulnerability in
Microsoft's IIS -- stated he believes when security companies give
multiple dramatic names to known threats, rather than accept a single,
common identifier, the result simply confuses users.
The naming of Code Red, eEye Chief Technology Officer Mark Maiffret told
BetaNews, was originally supposed to be a "one-off," "part of our normal
course of business." By contrast, among today's anti-virus vendors,
Maiffret believes there's too much fighting over who gets to christen
the latest virus, worm, or zero-day exploit for the press.
"The reality is, between F-Secure, McAfee, Sophos, Symantec, all they
end up doing is making things more confusing for users because they're
all using different names," Maiffret said. "In the vulnerability world,
we have CVEs [Common Vulnerabilities and Exposures] as a way to know
that we're all talking about the same vulnerability regardless of what
we might have named it in our product. In the anti-virus world, there's
not really anything like that."
Last week, security firm F-Secure was credited with dubbing the latest
and greatest e-mail threat the "Storm Worm," though the nature of that
exploit is, by now, something that IT managers have seen a thousand
times before, over the last six years. Meanwhile, eEye itself dubbed an
unpatched exploit of Symantec Antivirus "Big Yellow," calling it "a new
class of malware," months after its initial discovery, and after a CVE
had already been created for it.
"Some of these people in the antivirus world, the main, big players and
the sub-level big players like the F-Secures and Sophos, they really
aren't looking to innovate or do much of anything different, because
they're all making really good money, they keep getting all their
renewals, and the way they compete with each other, they're okay with
doing that, so they're okay with fighting over who's naming it, and
everybody having different names and stuff. At the end of the day,
they're doing a lot of that and turning a blind eye to what users are
actually asking for."
After the threat from Code Red subsided, and the damage assessment ended
up being less than had been feared, debates ensued over whether the
publicity surrounding not only the worm but the anatomy of the flaw it
exploited, led to more malicious users taking advantage of the worm than
would have otherwise.
As The Register reported in 2001, "Had they [eEye] not made such a
grand public fuss over their .ida hole discovery and their SecureIIS
product's ability to defeat it, it's a safe bet that Code Red would not
have infected thousands of systems."
We asked Maiffret, in the case of ethical dilemmas such as this one,
whose interests does eEye answer to: those of the software vendors such
as Microsoft who may prefer the details of exploits be kept
confidential, or to the general public to make them more aware of the
"We definitely don't answer to the software vendors," Maiffret
responded. "The people that we care about are the IT [technicians] and
"Throughout 2006...there's definitely people that have misused the word,
like 'zero-day,' the vulnerability that we found with Symantec, [in
which] they put out a patch, and six months later, finally a piece of
malware comes out. In that case, it's definitely not a zero-day, and
it's just somebody that's eventually decided, 'Hey, I'm going to write
something malicious for this.'"
The real problem Microsoft and others must face, Maiffret added, is that
it has become too easy for malicious users to infer the nature of an
exploit not from the security advisory that first publicizes it, but
from their reverse-engineering of the patch for that exploit, even
without the advance publicity.
"The tools today on doing patch reverse-engineering and analysis,
especially driven because of Microsoft and 'Patch Tuesday,'" he
commented, "make it so easy to identify, just from the patch, what the
vulnerability is within the patch, to figure it out and write the
exploit, regardless of anything that eEye or anybody else would ever
Last year, Maiffret reported, eEye's Zero-Day Tracker page listed about
20 cases of open and exploitable flaws, mainly in Microsoft software,
some of which took as much as three months to patch, and others which
remained unpatched at the end of the year. "There's still the 'dummy'
bad-guys, if you will, that just ride coattails," Maiffret said,
referring to those who simply wait for security firms to post the
advisories, and race against one another to produce active exploits. In
those cases, malicious users rely on expensive and exhaustive research
by Microsoft, eEye, and other legitimate firms.
However, Maiffret warned, there's a cottage industry emerging in the
creation and distribution of exploits, perhaps as lucrative for
malicious users as security research is for researchers.
"There's a lot more now that's happening where...there's a whole
underground market of selling these things, where there's a value -
$500, or something like that. For example, if you have an exploit for
Vista, it's worth over $25,000. Things like that have driven [this
business] where there are smart people who look the other way of their
morals, and I think that's a trend that's going to continue to
Independent researchers have become exhausted, Maiffret said, after
working with Microsoft and other software publishers for months -
sometimes years - to aid in the correction of a serious flaw. Only
certain firms like eEye, he added, have the...will, to avoid another
phrase, to persist with Microsoft and get results. "Because it's a
business," he said, "it means there's a lot of people who are really,
really good at it, by virtue of the fact that there's a good amount of
money to be made on doing those things in the underground.
"In 2006, we probably had at least three or four cases of independent
researchers who tried to report a vulnerability from Microsoft and tried
to work with them, and Microsoft totally scoffed them off," eEye's
Maiffret added. "Luckily these guys e-mailed us...and we were able to
convince them to give it another shot. 'We'd love to help you report it
to Microsoft, because we have a bigger stick with them...' We're able to
work with these three or four different guys and actually get Microsoft
to wake up and realize their vulnerability is important, just because
it's some kid who's 15 years old in Oklahoma doesn't mean his
vulnerability is any less important than an eEye-related [one]."
Maiffret praised the work of some security engineers who work to produce
patches for third-party software when the original manufacturers cannot.
"We never really advertised that we're a go-between, but when somebody
like that comes to us and is looking for help, then by all means, we'll
do whatever we can," Maiffret said, "because we have customers at the
end of the day, and we'd much rather help facilitate these people talking
to Microsoft or whoever, rather than just posting on a mailing list. It
doesn't do anybody any good to just post something without a patch."