Shadow Brokers Now Selling Windows Exploits, Antivirus Bypass Tools


The Shadow Brokers, a group of hackers that have stolen exploits and hacking tools from the National Security Agency (NSA), are now selling some of these tools, which include Windows exploits and antivirus bypass tools, on a website hidden on the ZeroNet network.

According to a message posted by the Shadow Brokers on their website, the entire “Windows Warez” collection is available for 750 Bitcoin ($675,000).

The content of these files is unknown, but the file names provide some insights into what these exploits could be used for.

Windows Warez page on the Shadow Brokers ZeroNet page (via Jacob Williams)

Of all the packages, FuzzBunch appears to contain the most expensive and most damaging tools, with an unconfirmed zero-day exploit for the SMB (Server Message Block) protocol and remote code execution (RCE) exploits for IIS servers and for the RDP, RPC, and SMB protocols.

The zero-day package and the RCE packages are priced at 250 Bitcoin ($225,000) each, and the whole FuzzBunch package is sold for 650 Bitcoin ($585,000).

Security software bypass tool included?

Security researcher Jacob Williams has downloaded and analyzed a series of screenshots provided by the Shadow Brokers group. These screenshots allegedly show the output of several tools that are now being sold as part of the Windows Warez collection.

Based on the output of those tools (embedded below), Williams says that, in theory, some of these tools should provide the ability to bypass or exploit some antivirus software, such as Avast, Avira, Comodo, Dr.Web, ESET, Kaspersky, McAfee, Microsoft, Panda, Rising Antivirus, Symantec, and Trend Micro.

WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avast-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avast-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avira-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/comodo-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/drweb-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/kaspersky-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/kaspersky-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/mcafee-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/mcafee-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/microsoft-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/nod32-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/panda-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/rising-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/rising-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/symantec-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/trendmicro-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/actions.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/genericPSP.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/genericSafetyHandlers.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/__init__.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/kasperskyES8.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee85To88.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee-epo.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafeeISTP.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafeeLib.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafeeSafetyChecks.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/checkpsp.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/kaspersky.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/shared.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_eleven.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_nine.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_six.py

All of these details are unconfirmed, but the group has provided fully working exploits in the past.

Shadow Brokers history

The Shadow Brokers made their presence felt in August when they released a trove of exploits they claimed to have stolen from the Equation Group, a codename given by security firms to the NSA and its foreign hacking operations.

Along with releasing several freebies, the Shadow Brokers also launched a Bitcoin auction attempting to sell the rest of the exploits (in one package) to the highest bidder.

The exploits released as a free download were confirmed almost immediately to work against firewalls made by Cisco, Fortinet, Juniper, and Topsec.

With little to no public interest in their auction, the Shadow Brokers canceled it in October and launched a hidden ZeroNet website in December, through which they started to sell the stolen NSA tools in smaller packages.

Previous Shadow Brokers hacking tools targeted firewalls only

All previously released hacking tools worked only against UNIX-based operating systems. This is the first time the Shadow Brokers have released Windows tools.

The group released their Windows exploits after the US had issued sanctions against 35 Russian individuals it perceived as being behind Russia’s attempts to influence the US Presidential Election through a series of hacks.

There are theories that Russian cyber-intelligence agents are behind the Shadow Brokers, but there are also theories that the CIA or an insider had leaked the NSA hacking tools on purpose.
