Security Firm Automates Attack Code Generation

Security firm Immunity has released a tool aimed at largely automating the process of putting together security exploits, a move some believe will lead to a dramatic rise in the number of "zero-day" exploits making the rounds.

Immunity, a security firm known for its aggressive approach to hunting down and publicizing zero-day security flaws, released its free Debugger tool at the Defcon hacker conference in Las Vegas last week, and the tool has already begun making waves.

At issue is the growing prevalence of zero-day flaws, that is, known bugs that haven't yet been patched. In a relatively recent practice, for instance, malicious hackers have begun circulating zero-day Windows flaws shortly after Microsoft's monthly patch cycle, to allow the widest gap before a patch appears.

Such bugs become drastically more serious when an exploit has been created to take advantage of them, but until now the process of writing an exploit required plenty of elbow grease. Security experts tend to either write exploits manually or write their own tools automating the task.

Immunity said Debugger, which is aimed at security professionals, could halve the time it takes to write an exploit.

The product took nearly a year to develop, and combines command-line and graphical features, Immunity said. All its features -- the debugging API, the graphing engine and the graphical API -- are accessible from the Python scripting engine, Immunity said.

"So we put everything together and developed something we feel very comfortable using," the company said in a security mailing list message announcing Debugger.

Debugger includes a number of example scripts, and users can write their own scripts. The software, as well as monthly updates, will be provided for free.

Immunity's reasoning is that it's the bugs themselves that are the problem, not the discovery and disclosure of those bugs, said chief executive Dave Aitel.

But other security firms have taken a more conservative stance, arguing that from a practical point of view, the disclosure of more zero-day bugs and their accompanying exploits only exacerbates the security arms race.