HD Moore has a matter-of-fact way of talking that belies his uncanny ability to draw the public eye. In just the past month, the 25-year-old Texan, who started the open source Metasploit Project in 2003, made headlines for promising to release a new bug for the Internet Explorer Web browser each day in July. By the end of July, he was in the news again: releasing a Web-based tool that uses the Google search engine to locate malicious programs.
InfoWorld Senior Editor Paul Roberts caught up with Moore, who is also director of security research at BreakingPoint Systems, to talk about Metasploit, project management, and full disclosure.
Why did you launch Metasploit in the first place?
In 2003 there was ... a doldrum in the security area. A lot of the people who were active publishers of information got jobs or decided to do something else. At the same time, private companies started to hoard security information, so people started saying, "Why should I give this information away when I can sell it to iDefense?" Metasploit was about creating a toolkit and a framework for developing new exploits quickly, allowing people to cut through the boilerplate stuff and develop something new.
How did you grow the project to where it is now?
Knowledge spread mostly by word of mouth. People would say, "That's cool." [Metasploit lead developer] Spoonm ... e-mailed us and said, "Your software sucks." And I was like, "OK, why don't you rewrite it?" So he did. In the exploit community, you've got to appeal to ego. Make it a challenge. That's what they live for. As a project manager, it's my job to say, "OK. How can we do better?" One reason that Metasploit has done so well is that there's no holier-than-thou attitude.
What should enterprise IT staff know about Metasploit?
I'm always wary of recommending Metasploit for use in a company, because your employer may have rules that forbid the use of programs like this. I think it can be a nice way to follow up after a third-party vulnerability assessment. The company you hire should be able to prove that the vulnerabilities they've discovered are real. Not just say, "Oh, I found 20 bugs -- fix them." Tools like Metasploit can verify that, by running an exploit and seeing if it works. Unlike public exploits, you can also be sure that [Metasploit] isn't installing back doors.
You caught heat for releasing a new IE vulnerability every day in July, as if you were aiding and abetting the enemy.
That comes with territory. Any time you supply information to anybody, you've got to supply it to everybody. We saw this a couple years back, where CERT was allowing some customers to purchase vulnerability information in advance, then someone took that information and generated an exploit from it. Partial disclosure never works. You just end up catering to special groups that you deem trustworthy enough to have access. If I make something public, it's not just to a group that I consider trustworthy.
You recently unveiled a Google-based malicious code locator, akin to the one security firm Websense said it developed. What was behind that?
Websense made [searchable malicious code] sound like a massive risk, but every example we found using Google, you could get anywhere else. Some of these were really old archives that were posted on public mailing lists. But there were some interesting examples. We did a search for any executable and downloaded around 400GB of binaries. There were around 2,300 samples and 125 matched a known [malware] signature. Around 50 or 100 were malware that was not detected by anti-virus software.
In recent months, we've seen a number of undiscovered (zero day) exploits for Word, Excel, and Powerpoint. What are your thoughts on that trend?
There's definitely a trend toward releasing zero-days. I know of five or six zero-day exploits that are being privately traded right now. These are cases where the vendor is not being told on purpose. You've probably heard of TippingPoint's Zero Day Initiative and the iDefense [now VeriSign] program to buy exploits. Well, there's also a massive group of buyers in back of them that will pay 10 to 15 times as much. We don't know who they are, but the rumor is they're funded by "three letter [acronym]" agencies in the United States.