Home Security 'Abandonware' can also be dangerous, researchers find

Researchers at Forcepoint Security Labs have found that nearly 75,000 users put themselves at risk in a test case they probed using what is called abandonware - in this case, an abandoned and somewhat obscure plugin for a software package that is no longer in development.

The term abandonware is commonly used to refer to legacy game software that has been abandoned by the author but is still loved by the gaming community.

The research was carried out by Andy Settle, Nicholas Griffin and Abel Toro, who are on the company's Special Investigations unit that investigates botnets, advanced persistent threats, and other deep reverse engineering topics.

Their research is titled "The Perils of Abandonware" and was done as part of the The Freeman Report, named after Dr Gordon Freeman, the hero of the science fiction first-person shooter game Half-Life developed by Valve.

It was carried out using a lapsed domain that they had "sinkholed". A sinkhole is a standard DNS server set up to hand out non-routable addresses for all its domains so that any computer using it will fail to get access to the real website. As a result of this methodology, the threats discussed in their report remain theoretical.

While investigating malware, it is common for the Special Investigations unit to work in a virtualised environment and use network capture tools like Wireshark. During one such investigation, they found that requests were being made to a site www.cracklife.com and discovered that this was a due to a program known as OllyDBG being started.

OllyDBG is a 32-bit assembly level analysing debugger for Windows. Written by Oleh Yuschuk in 2000, the source code for this tool was bought between 2004 ad 2008 by the security company Immunity which is headed by Dave Aitel, an ace security pro who has worked for the NSA. Aitel included it in his company's Immunity Debugger.

While there has been some development of a 64-bit variant of OllyDBG and version 2 of the 32-bit version, there have been no updates or bug fixes for version 1 since May 2004. Despite this, OllyDBG is still a popular tool for reverse engineering even though it would fit the description of abandonware.

The functionality of OllyDBG has been extended using plugins, especially after development of the package ceased. One of these is StrongOD, an anti-evasion plugin, used to defeat counter reverse-engineering techniques commonly found in malware and software that includes digital rights management (DRM) and copy-protection techniques.

forcepoint numbers

The researchers found that as per the release notes, the dynamic link library serving as the StrongOD plugin for OllyDBG was last released on 29 October 2012, and was at version VO4.8.872. But the file within the zipped version that they downloaded from the tuts4you.com site had a compile date, time and version number (VO.4.8.892)that was much later. They thus concluded that undocumented changes had been made to the plugin.

The class of person who would use OllyDBG were roughly grouped into malware reverse engineers, defensive researchers, students, academic researchers, malware authors, DRM crackers and offensive researchers. This was a reference point for the research.

The Forcepoint team identified two flaws within the StrongOD plugin, both of which needed network access to be updated and which would give an attacker the ability to execute arbitrary code on a host that was running OllyDBG. The update mechanism operates through a standard initialisation file and thus allows an attacker to store a file in an arbitrary location on the filesystem of a target. OllyDBG users normally also have administrative access on their workstations.

For these flaws to be exploited, the target must accept an update manually. Another hurdle to be overcome is caused by most malware reverse engineers using virtual machines. Hence the ability to execute arbitrary code is reduced as most VMs start with the last clean snapshot.

forcepoint ip spread

The spread of IP addresses found by the Forcepoint team.

Over nine months of using the sinkhole, the researchers captured something like 75,000 unique IP addresses. The number of "call home" messages was 538,000 with the mean number of requests being 96 per hour. The were surprised to see this quantum of requests for an abandoned plugin for an abandoned debugging tool designed for debugging 32-bit software that had reached its end of life more than six years ago with the release of Windows 7.

In many cases, the requests were coming from places which did not raise any eyebrows: Forcepoint, cyber security solution providers, anti-virus vendors, law enforcement agencies, printer manufacturers, network providers, VPN providers, Tor exit nodes and domestic broadband providers.

But there were also requests from many other organisations and while the presence of academic institutions did not raise any eyebrows, there were many that had nothing to do with information technology or cyber security. Other requests came from engineering firms, energy companies, steel manufacturers, car makers, money transfer agencies, medical research institutes, farming associations, frozen fish distributors and even "someone" in Pyongyang.

Analysing the IPs of the requests, it was seen that about three-quarters belonged to China, a country which has about 20% of the world's population. Normalising the geo-location of the IPs by population, it was Belarus that emerged at the top of the list. The IPs were also analysed by language spoken and the number of requests per 100,000 head of population.

forcepoint language ips

The language distribution in the IPs collected during the study.

The data collected showed that most users of StrongOD and OllyDBG work on a 9-to-5 schedule, and the collected data illustrated the daily working practices of Chinese users. This finding indicates that most users are in commercial organisations and that automation is not used by OllyDBG users.

The researchers made the following observations:

Even though the research was theoretical, the act of acquiring the domain cracklife.com and ‘sinkholing’ it, meant that a malicious threat actor had been blocked from compromising security researchers.

Though the risks that came with lapsing of domain registrations were known, they were difficult to manage.

The research showed that no-one is safe from attack. Those most at risk were those who were trying to protect others.

It was necessary to reduce the number of attack interfaces by removing software that was not being used.

The research showed the need to segregate areas of a business infrastructure and underlined that digital signing of updates should be made compulsory. Secure update channels such as TLS should be enforced when downloading updates.

Asked if it possible to extend this kind of research to look at an organisation and check for security issues, Forcepoint's principal security analyst Carl Leonard said the methods used could be extended to other forms of software deployed in organisations.

"Security teams need to be made aware of issues that arise from using the very software they use to analyse malicious code," he added.

As to what kind of software one would look for, Leonard said: "Any software that retrieves its updates from the Web could potentially pose a threat if the infrastructure used to download those updates has expired, lapsed or
got into the hands of those with nefarious intent."

In response to a query whether this kind of research would be use in penetration testing, he said pen-testers could show the perils of abandonware as an entry route into an organisation, an entry route for compromise.

Regarding other possible commercial or non-commercial applications of
this research, if any, Leonard said it highlighted an education point for businesses and consumers. "Ensure that you are aware of the abandonware running on your systems and be aware of the risk that it may pose."

Hackers (and by this one means software developers, not crackers) enjoy such research, but Leonard did not bite when asked if research of this kind was done for the sheer joy of doing it.

"Forcepoint releases such research to highlight the issues and the risks in today's threat landscape," he replied. "We hope that businesses and consumers alike heed the warnings and put in place systems that can protect themselves from the potential threats of abandonware."

He did not respond directly when asked whether the company had given any thought to extending this kind of research to more common software in the commercial realm. ""We chose to highlight this particular tool as it is used by those defending their organisations from cyber security threats," he responded.


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



Ransomware attacks on businesses and institutions are now the most common type of malware breach, accounting for 39% of all IT security incidents, and they are still growing.

Criminal ransomware revenues are projected to reach $11.5B by 2019.

With a few simple policies and procedures, plus some cutting-edge endpoint countermeasures, you can effectively protect your business from the ransomware menace.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


Popular News




Sponsored News