eEye's Marc Maiffret: Threat 'Motifs' Make Security Confusing
In a recent interview with BetaNews, the chief technology officer of the company that discovered history's most expensive worm -- the "Code Red" worm that exploited a wide-open buffer overflow vulnerability in Microsoft's IIS -- stated he believes when security companies give multiple dramatic names to known threats, rather than accept a single, common identifier, the result simply confuses users.
The naming of Code Red, eEye Chief Technology Officer Mark Maiffret told BetaNews, was originally supposed to be a "one-off," "part of our normal course of business." By contrast, among today's anti-virus vendors, Maiffret believes there's too much fighting over who gets to christen the latest virus, worm, or zero-day exploit for the press.
"The reality is, between F-Secure, McAfee, Sophos, Symantec, all they end up doing is making things more confusing for users because they're all using different names," Maiffret said. "In the vulnerability world, we have CVEs [Common Vulnerabilities and Exposures] as a way to know that we're all talking about the same vulnerability regardless of what we might have named it in our product. In the anti-virus world, there's not really anything like that."
[UPDATE: Later, Marc Maiffret told us he didn't mean to imply that there is no standards group among security vendors. He referred us to the Mitre organization, which maintains the Common Malware Enumeration list, as a key example.]
Last week, security firm F-Secure was credited with dubbing the latest and greatest e-mail threat the "Storm Worm," though the nature of that exploit is, by now, something that IT managers have seen a thousand times before, over the last six years. Meanwhile, eEye itself dubbed an unpatched exploit of Symantec Antivirus "Big Yellow," dubbing it "a new class of malware," months after its initial discovery, and after a CVE had already been created for it.
"Some of these people in the anti-virus world, the main, big players and the sub-level big players like the F-Secures and Sophos, they really aren't looking to innovate or do much of anything different, because they're all making really good money, they keep getting all their renewals, and the way they compete with each other, they're okay with doing that, so they're okay with fighting over who's naming it, and everybody having different names and stuff. At the end of the day, they're doing a lot of that and turning a blind eye to what users are actually asking for."
After the threat from Code Red subsided, and the damage assessment ended up being less than had been feared, debates ensued over whether the publicity surrounding not only the worm but the anatomy of the flaw it exploited, led to more malicious users taking advantage of the worm than would have otherwise.
As The Register reported in 2001, "Had they [eEye] not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems."
We asked Maiffret, in the case of ethical dilemmas such as this one, whose interests does eEye answer to: those of the software vendors such as Microsoft who may prefer the details of exploits be kept confidential, or to the general public to make them more aware of the danger?
"We definitely don't answer to the software vendors," Maiffret responded. "The people that we care about are the IT [technicians] and consumers.
"Throughout 2006...there's definitely people that have misused the word, like 'zero-day,' the vulnerability that we found with Symantec, [in which] they put out a patch, and six months later, finally a piece of malware comes out. In that case, it's definitely not a zero-day, and it's just somebody that's eventually decided, 'Hey, I'm going to write something malicious for this."'
The real problem Microsoft and others must face, Maiffret added, is that it has become too easy for malicious users to infer the nature of an exploit not from the security advisory that first publicizes it, but from their reverse-engineering of the patch for that exploit, even without the advance publicity.
"The tools today on doing patch reverse-engineering and analysis, especially driven because of Microsoft and 'Patch Tuesday,"' he commented, "make it so easy to identify, just from the patch, what the vulnerability is within the patch, to figure it out and write the exploit, regardless of anything that eEye or anybody else would ever say."
Last year, Maiffret reported, eEye's Zero-Day Tracker page listed about 20 cases of open and exploitable flaws, mainly in Microsoft software, some of which took as much as three months to patch, and others which remained unpatched at the end of the year. "There's still the 'dummy' bad-guys, if you will, that just ride coattails," Maiffret said, referring to those who simply wait for security firms to post the advisories, and race against one another to produce active exploits. In those cases, malicious users rely on expensive and exhaustive research by Microsoft, eEye, and other legitimate firms.
However, Maiffret warned, there's a cottage industry emerging in the creation and distribution of exploits, perhaps as lucrative for malicious users as security research is for researchers.
"There's a lot more now that's happening where...there's a whole underground market of selling these things, where there's a value - $500, or something like that. For example, if you have an exploit for Vista, it's worth over $25,000. Things like that have driven [this business] where there are smart people who look the other way of their morals, and I think that's a trend that's going to continue to increase."
Independent researchers have become exhausted, Maiffret said, after working with Microsoft and other software publishers for months - sometimes years - to aid in the correction of a serious flaw. Only certain firms like eEye, he added, have the...will, to avoid another phrase, to persist with Microsoft and get results. "Because it's a business," he said, "it means there's a lot of people who are really, really good at it, by virtue of the fact that there's a good amount of money to be made on doing those things in the underground.
"In 2006, we probably had at least three or four cases of independent researchers who tried to report a vulnerability from Microsoft and tried to work with them, and Microsoft totally scoffed them off," eEye's Maiffret added. "Luckily these guys e-mailed us...and we were able to convince them to give it another shot. 'We'd love to help you report it to Microsoft, because we have a bigger stick with them...' We're able to work with these three or four different guys and actually get Microsoft to wake up and realize their vulnerability is important, just because it's some kid who's 15 years old in Oklahoma doesn't mean his vulnerability is any less important than an eEye-related [one]."
Maiffret praised the work of some security engineers who work to produce patches for third-party software when the original manufacturers cannot. "We never really advertised that we’re a go-between, but when somebody like that comes to us and is looking for help, then by all means, we’ll do whatever we can," Maiffret said, "because we have customers at the end of the day, and we’d much rather help facilitate these people talking to Microsoft or whoever, rather than just posting on a mailing list. It doesn’t do anybody any good to just post something without a patch."