Most computer users understand the concept of security flaws in common desktop software such as media players and instant message clients, but the same users often are surprised to learn that the very software tools attackers use to break into networks and computers typically are riddled with their own hidden security holes. Indeed, bugs that reside in attack software of the sort sold to criminals are extremely valuable to law enforcement officials and so-called “white hat” hackers, who can leverage these weaknesses to spy on the attackers or interfere with their day-to-day operations.
Last week, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software.
Speaking at the Syscan security conference in Singapore, Laurent Oudot, founder of Paris-based TEHTRI Security, released security advisories broadly outlining more than a dozen remotely exploitable flaws in Eleonore and other exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs.
“It’s time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues,” Oudot wrote in a posting to the Bugtraq security mailing list.