Security researchers at Check Point have developed a technique to identify the developers of exploits for software vulnerabilities, including zero-day exploits, which are highly prized by malware authors.
By recognizing the unique “handwriting” of individual exploit developers, which is as identifiable as a fingerprint, security researchers were able to:
* Detect the presence of exploits written by these exploit developers in specific malware families.
* Detect additional exploits written by the same developer, as they share a common “fingerprint”. This enabled the detection of zero-day exploits written by these developers.
* Block all malware families that use a given exploit from a developer that has been studied and fingerprinted.
For new malware to be created, vulnerabilities have to be found in software for which no patch or fix exists (known as a zero-day vulnerability) or for which the patch has not yet been widely applied.
Specialist “exploit developers” search for these software vulnerabilities, write code to take advantage of them, and then sell their code to the highest bidders, who then build malware based on it.
Check Point’s researchers found a method of identifying and tracking exploit developers, with the aim of helping to reduce the flow of new zero-day and critical exploits.
They found unique identifiers that could be associated with specific exploit developers by analysing code and looking for specific characteristics in the way the code was written – in the same way that a graphologist analyses handwriting, or a fingerprint specialist examines prints from a crime scene.
Using these analysis methods, Check Point researchers uncovered the work of one of the most active and prevalent exploit developers for the Windows Kernel, called “Volodya”, also known as “BuggiCorp”.
Volodya sells exploits for both zero-day and critical vulnerabilities.
Check Point Research found Volodya had been active at least since 2015 and was able to track down 11 different exploits they had written for the Windows Kernel.
Some of Volodya’s customers include popular crimeware like Dreambot and Magniber, as well as nation-state malware families such as Turla and APT28, which are commonly linked to Russia.
The second exploit developer and seller that Check Point researchers analysed and fingerprinted is known as “PlayBit” or “luxor2008”.
This developer only sells exploits for critical vulnerabilities.
Check Point researchers were able to find five different exploits that were developed by PlayBit and sold to prominent crimeware groups such as REvil and Maze. Both are known for developing notorious ransomware.
Itay Cohen, malware researcher at Check Point, says: “This research provides rare insight into how the black market for exploits works.
“When Check Point finds a vulnerability, we demonstrate its severity, report it to the appropriate vendor, and make sure it’s patched, so it doesn’t pose a threat.
“However, for individuals trading these exploits, it’s a completely different story. For them, finding the vulnerability is just the beginning. They need to reliably exploit it on as many versions of software and platforms as possible, in order to monetise it to a customer’s satisfaction.
“This research provides insight into how that is achieved, and the buyers in this market, which often include nation-state actors. We believe that this research methodology can be used to identify additional exploit writers.”