One security researcher is turning the tide on attackers by posting high-impact zero-day vulnerabilities in the very malware that underpins their campaigns
A pioneering malware vulnerability database has become a surprise addition to security pros’ defensive toolkits as they seek to disrupt, remediate, or attribute cyber-attacks.
Launched on January 2, Malvuln.com provides exploit code for security flaws in malicious software in the same way that similar sites such as VulDB and WhiteSource do for benign applications and open source components.
“Malvuln.com is the first website exclusively dedicated to the research of security vulnerabilities within malware itself,” reads the site’s ‘About’ page.
‘Malware vs. malware’
As cyber-attacks continue to wreak havoc around the world, Malvuln is turning the tide on attackers by revealing high-impact zero-day vulnerabilities in the very malware that underpins their campaigns
The website’s founder and sole operator, security researcher John Page (AKA hyp3rlinx), tells The Daily Swig that the repository might be “useful for incident response teams to eradicate a malware without touching the machine”.
He also speculates that the documented exploits “may eventually pit a malware vs. malware situation, who knows.”
In 2019, security researcher Ankit Anubhav demonstrated the impact such a resource might have in the wild, documenting how a “trivial bug” in the Mirai malware had been used by “script kiddies and rival threat actors” to “crash each others’ C2 [command-and-control] servers”.
One threat actor told him that “if a script were to be made to check when the C2 is up and crash it continuously, it will make all Mirai-based botnets pretty much useless”.
Responding to the launch of Malvuln.com on Twitter this week, Kyle Cucci, a malware expert at Deutsche Bank, said he “could see this being used (very delicately) in IR scenarios” and “by threat actors to kick each other off infected hosts.”
Independent security researcher ‘Eduardo B’, meanwhile, tweeted: “Imagine a persistent malware with rootkit capabilities and you could simply run an exploit against it to crash and/or disable it...or trace back, reliably, to its true origin.”
Inverting the conventional dynamic
Conventional vulnerability repositories alert application users when their systems are vulnerable and offer instructions on patching or mitigating the flaws – although cybercrooks can benefit too, hence the contentious debate around public disclosure.
Malvuln.com inverts that dynamic.
Greg Leah, director of threat intelligence at cybersecurity firm HYAS, tweeted that the project was a “great idea”, but warned that it could give malware authors “opportunities to improve the malware they would not otherwise have”.
Stack buffer overflows
Remote stack buffer overflow bugs account for 11 of the 25 malware security flaws Page has documented so far, and these “classic” bugs are potentially the most interesting and impactful, he said.
The “reason is obvious”, he said.
Indeed, as the non-profit OWASP Foundation explains, attackers can send “carefully crafted input to a web application” to exploit buffer overflows and “cause the web application to execute arbitrary code – effectively taking over the machine”.
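To make the “classic” bug concrete, here is an added C example (not code from Malvuln.com or from any of the malware it documents) showing the pattern behind a remote stack buffer overflow and its bounded counterpart. A command handler copies a network message into a fixed 32-byte stack buffer; the unbounded version stops only at a NUL byte, so any longer message overwrites the saved frame beyond `cmd`, while the hardened version takes the payload as (pointer, length) and rejects anything that does not fit before it writes the buffer. The command names, the `CMD_MAX` size and the 40-byte sample message are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 32   /* fixed-size stack buffer used by the handler (constructed value) */

enum cmd_result { CMD_TOO_LONG = -1, CMD_UNKNOWN = 0, CMD_PING = 1, CMD_STATUS = 2 };

/* Map a NUL-terminated command string to a result code (hypothetical protocol). */
static enum cmd_result classify(const char *cmd) {
    if (strcmp(cmd, "PING") == 0)   return CMD_PING;
    if (strcmp(cmd, "STATUS") == 0) return CMD_STATUS;
    return CMD_UNKNOWN;
}

/* The classic flaw: strcpy stops only at a NUL byte, so a message longer than
 * CMD_MAX-1 bytes runs past `cmd` into the saved frame pointer and return
 * address. The sender of the message controls exactly what lands there. */
enum cmd_result handle_unbounded(const char *msg) {
    char cmd[CMD_MAX];
    strcpy(cmd, msg);            /* no length check: stack buffer overflow */
    return classify(cmd);
}

/* Hardened form: the wire payload arrives as (pointer, length); anything that
 * does not fit is refused before the stack buffer is touched, and the copy
 * itself is bounded by that checked length. */
enum cmd_result handle_bounded(const char *msg, size_t len) {
    char cmd[CMD_MAX];
    if (len >= sizeof cmd) {
        return CMD_TOO_LONG;     /* oversized input is rejected outright */
    }
    memcpy(cmd, msg, len);
    cmd[len] = '\0';             /* always NUL-terminate inside the buffer */
    return classify(cmd);
}

int main(void) {
    /* Constructed sample: a 40-byte message, longer than the 32-byte buffer */
    char oversized[41];
    memset(oversized, 'A', 40);
    oversized[40] = '\0';

    printf("bounded PING     -> %d\n", handle_bounded("PING", 4));
    printf("bounded 40 x 'A' -> %d\n", handle_bounded(oversized, 40));
    /* handle_unbounded(oversized) would smash the stack, so it is not called */
    return 0;
}
```

The fix is not the choice of library call but the contract: the handler must know the length of what it received and compare it against the buffer before copying. Compiler hardening (stack canaries, non-executable stacks, ASLR) raises the cost of turning such an overflow into code execution, but it does not remove the bug, which is why these flaws remain exploitable in malware that was never built with those protections.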
Page said he started the project because he “got bored in lockdown and for fun”.