Adam Bannister January 14, 2021 at 14:55 UTC
Updated: January 14, 2021 at 17:59 UTC
A security researcher turns the tide on attackers by exposing high-impact zero-day vulnerabilities in the very malware on which their campaigns are based
A groundbreaking malware vulnerability database has become a surprising addition to the defensive toolkit of security professionals seeking to disrupt, remediate, or attribute cyber-attacks.
Launched on January 2, Malvuln.com publishes exploit code for vulnerabilities in malicious software, much as sites such as VulDB and WhiteSource do for benign applications and open source components.
“Malvuln.com is the first website entirely dedicated to researching vulnerabilities in malware itself,” says the website’s “About” page.
“Malware vs. Malware”
While cyber-attacks continue to wreak havoc around the world, Malvuln is turning the tide on attackers by exposing high-impact zero-day vulnerabilities in the very malware that underlies their campaigns.
The website’s founder and sole operator, security researcher John Page (AKA hyp3rlinx), told The Daily Swig that the repository “could be useful for incident response teams to clean up malware without touching the machine”.
He also speculates that the documented exploits “could possibly represent a malware-versus-malware situation, who knows”.
In 2019, security researcher Ankit Anubhav demonstrated the impact such a resource could have in the wild, documenting how a “trivial bug” in Mirai malware was used by “script kiddies and rival threat actors” to “crash each other’s C2 [command-and-control] server”.
One threat actor told him that “if a script were created to check when C2 is high and it kept crashing, all Mirai-based botnets would become pretty useless”.
Responding on Twitter to the launch of Malvuln.com this week, Kyle Cucci, a malware expert at Deutsche Bank, said he “can imagine this being used (very carefully) in IR scenarios” and “by threat actors to drive each other away from infected hosts”.
The independent security researcher “Eduardo B” tweeted: “Imagine persistent malware with rootkit capabilities and you could simply exploit it to crash and/or disable it … or reliably trace its true origin.”
Reversal of the conventional dynamic
Traditional vulnerability repositories warn application users when their systems are vulnerable and provide instructions on how to patch or mitigate those issues – although cybercriminals can benefit too, hence the long-running debate over public disclosure.
Malvuln.com reverses this dynamic.
Greg Leah, Director of Threat Intelligence at cybersecurity firm HYAS, tweeted that the project was a “great idea” but warned that it could give malware authors “opportunities to improve the malware that they would otherwise not have”.
Stack buffer overflows
Remote stack buffer overflow bugs account for 11 of the 25 malware security bugs documented by Page to date, and these “classic” bugs are potentially the most interesting and powerful, according to Page.
The “reason is obvious,” he said.
Indeed, as the nonprofit OWASP Foundation explains, attackers can “send carefully crafted input to a web application” to exploit buffer overflows and “trick the web application into executing arbitrary code – effectively taking over the machine.” The same logic applies to any network-facing code that copies input into a fixed-size stack buffer without checking its length, such as a malware sample’s command listener: the attacker here is simply whoever can reach the listening port.
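To make the “classic” bug concrete, the following is an added illustration written for this article, not code from Malvuln.com or from any malware sample it documents. It assumes a hypothetical length-prefixed command format (2-byte little-endian length followed by the command bytes), an assumed 64-byte stack buffer, and invented function names; the packets are constructed inline. The vulnerable handler trusts the length field and copies into the stack buffer, exactly the remote stack buffer overflow the article describes; the hardened handler checks the length against both the packet and the destination before copying.

```c
/* Added example: a length-prefixed command handler written two ways.
 * Format, buffer size and names are assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF 64   /* assumed fixed-size stack buffer for the decoded command */

/* Constructed packet builder: 2-byte little-endian length + command bytes.
 * Returns the packet size, or 0 if the command does not fit. */
size_t build_pkt(uint8_t *buf, size_t buf_sz, const char *cmd) {
    size_t len = strlen(cmd);
    if (len > 0xFFFF || buf_sz < 2 + len) return 0;
    buf[0] = (uint8_t)(len & 0xFF);
    buf[1] = (uint8_t)(len >> 8);
    memcpy(buf + 2, cmd, len);
    return 2 + len;
}

/* VULNERABLE: validates the length against the packet, but not against
 * the 64-byte stack buffer. A length field above 63 overwrites whatever
 * sits beyond cmd on the stack, including the saved return address. */
int handle_cmd_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    char cmd[CMD_BUF];
    if (pkt_len < 2) return -1;
    uint16_t len = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if ((size_t)len > pkt_len - 2) return -1;  /* stays within the packet... */
    memcpy(cmd, pkt + 2, len);                 /* ...but not within cmd      */
    cmd[len] = '\0';                           /* writes past cmd when len >= 64 */
    return (int)len;
}

/* HARDENED: the caller supplies the destination and its size, and the
 * length field must fit both the packet and the destination (with room
 * for the terminator). Anything else is rejected before any copy. */
int handle_cmd_safe(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_sz) {
    if (pkt_len < 2 || out_sz == 0) return -1;
    uint16_t len = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if ((size_t)len > pkt_len - 2) return -1;  /* length field exceeds packet */
    if ((size_t)len >= out_sz) return -1;      /* would not fit with '\0'     */
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    uint8_t pkt[128];
    char out[CMD_BUF];

    /* Constructed benign packet: both handlers accept it. */
    size_t n = build_pkt(pkt, sizeof pkt, "ping");
    printf("benign: safe=%d vulnerable=%d cmd=%s\n",
           handle_cmd_safe(pkt, n, out, sizeof out),
           handle_cmd_vulnerable(pkt, n), out);

    /* Constructed oversized packet: length field says 200 bytes. The safe
     * handler rejects it; the vulnerable handler is deliberately NOT called
     * here, because it would smash the stack (or trip the stack protector). */
    uint8_t big[2 + 200];
    big[0] = 200; big[1] = 0;
    memset(big + 2, 'A', 200);
    printf("oversized: safe=%d\n", handle_cmd_safe(big, sizeof big, out, sizeof out));
    return 0;
}
```

The only difference between the two handlers is the single comparison against the destination size; that missing check is what turns a length field into a write beyond the buffer, and it is precisely the kind of bug a defender can trigger remotely to crash a listener, as the Mirai case above illustrates.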
Page said he started the project because he “got bored of lockdown” and for fun.