FREEMAN - The Perils of Abandonware

“What started out as a simple ‘what-if?’ activity, quite literally set-up from the back rows of a talk at Blackhat Europe in 2015, soon turned into a long-term data collection and analysis project. I cannot overstate the surprise felt when we first looked at the data collected. The sheer volume of apparent users of an abandoned piece of software made us check, and re-check the data. Especially because we already knew some of the implications of what we were seeing.” Andy Settle, Head of Special Investigations.

The Risks of Abandonware

Although usually a video gaming term, “abandonware” accurately reflects the use of software that has come to its end-of-life but, for a variety of reasons, is still in use. Reliance upon the convenience of automated updates have resulted in a complacency or false sense of security that can easily lead one to fail to appreciate the risks that come with using "end-of-life'd” software".

Who is at Risk?

We identified previously unknown risks and threats that accompany a specific piece of abandonware commonly used by the security research community

Armed with the facts uncovered by this research, it is easy to imagine a scenario where ‘security researchers’, be they operating in China, Russia, Belarus, Iran, Ukraine, Iraq and North Korea, or even in South Korea, USA, Germany, UK, France, Canada or Finland, are compromised via the vulnerabilities that come with using such abandonware. Furthermore, regardless of whether such “security researchers” work for anti-virus companies, are malware authors themselves, or are developers of offensive capabilities, all of them are likely facing the same threats posed by their abandonware use and yet are totally unaware of it.

“The fact that we knew we were looking at data collected from the broader ‘security research’ community and knowing their locations had us thinking about plausible scenarios. It was, and still is reasonable to imagine a scenario where a malware author would be able to gain access to the infrastructure operated by an anti-virus vendor, where a foreign intelligence service would be able to access and control assets inside an international IT manufacturer or organised crime within a national Law Enforcement Agency.” Andy Settle, Head of Special Investigations.

Forcepoint actively chose to ‘sinkhole’ a lapsed domain. Consequently, the threats identified and discussed in this report will now only be theoretical. Furthermore, as a result of this ‘sinkholing’, Special Investigations were able to analyse the available data and highlight a number of critical security issues and vulnerabilities. The findings presented in this report also highlight a number of general, but equally important issues.

“Protecting the thousands of users of OllyDBG, an old 'favorite' within the security research community, by sinkholing a domain, was only the beginning. We knew that by collecting data for a period of time, relating to the use of this commonly used reverse engineering tool, would enable us to develop greater insight that we could hopefully share. As simple as it sounds, if there is one thing that strikes home, it is: ‘If you don’t use it, then un-install it!” Andy Settle, Head of Special Investigations.

Download Link

The FREEMAN whitepaper can be downloaded now.

https://www.forcepoint.com/sites/default/files/resources/files/report_forcepoint_security_labs_freeman_abandonware_en_0.pdf