This month a security researcher launched a web portal that lists vulnerabilities in the code of common malware strains. He hopes other security professionals will use the bugs to crash, disable, and uninstall malware on infected hosts as part of incident response operations.
Created and launched by bug hunter John Page, the new MalVuln portal is available at malvuln.com.
The site itself is your typical vulnerability disclosure portal. It lists the software’s name (in this case, the malware’s name), describes the vulnerability in technical detail, and provides proof-of-concept (PoC) exploit code so others can reproduce the issue.
Page tells ZDNet he created the site out of boredom during the recent COVID-19 lockdown.
“It’s out of the norm, there’s never been a dedicated website for this type of thing,” the researcher told ZDNet in an email interview.
MalVuln currently lists 45 security flaws. Some affect active threats such as Phorpiex (Trik); others cover older strains such as Bayrob.
Page said every vulnerability listed on MalVuln so far is his own discovery.
“There have been no outside submissions, and I am not currently accepting them,” Page said. However, a PGP key is listed on the site, and the plan is to allow others to submit their findings sometime in the future.
Controversy brewing?
But the site also touches on a sensitive topic in the cyber-security industry. For decades, security researchers have been secretly hacking back against malware operators.
Just like malware sometimes uses bugs in legitimate apps to infiltrate systems, security firms have also used bugs in malware code to infiltrate the attacker’s infrastructure.
Security firms will often hack a malware’s command and control server to retrieve data about victims, or they’ll use bugs in malware to disable and remove it from infected systems.
The practice has been kept quiet, partly because of the legal ramifications of “hacking back,” and partly because a malware bug that is still unknown to its authors is a valuable way to track the threat actors using it.
For example, for years security firm Fox-IT used a bug in Cobalt Strike, a legitimate tool widely abused by cybercrime gangs, to identify likely command and control servers on the internet. The company disclosed that it had done so only after the bug had been reported and fixed in 2019.
It is therefore no wonder that when MalVuln launched earlier this month, there were quite a few grumblings that the site was giving away these closely guarded secrets: by pointing out bugs in malware code, it indirectly helps malware operators fix them and takes valuable tools away from security firms and incident responders.
But Page told ZDNet that he doesn’t care about this aspect.
“I do my own thing and I don’t respond. These are usually the same people who think vulnerabilities should not be public because it helps attackers,” he said.
Page is not the only one who holds this view; other security researchers have called for more openness about the practice and more sharing of such details within the cyber-security community.
I’m very happy someone has done this. Many times when discussing attacking malware, C2s, etc… people lose their shit or shut up and refuse to talk about it. I think this is a big move forward for infosec as a whole, even if the dreaded “hacker turf war” comes of it https://t.co/XQh5fHVYOE
— Célia Catalbas (@MaraAnn333) January 11, 2021
Either way, the topic will remain controversial, but MalVuln has put a finger on a real issue: malware contains bugs just as serious as those in ordinary software.
“Lots of self-hating malware out there,” Page said, promising to release more malware bugs in the future.