ExploitHub: NSS Labs' radical way to check for vulnerabilities

Wouldn't using actual exploit code be the best way to determine if your systems are vulnerable? NSS Labs thinks so. Learn how they are making that possible.

To thoroughly vet an application, which method would you trust? Running tests in the lab or subjecting the product to the foibles of the Internet? Surviving the real deal seems like the better way, wouldn't you agree?

A while back, when doing research for this article, I ran across a company called NSS Labs that strives to do just that. One of their procedures is to install the anti-malware application under test on a computer, then visit actual malicious web sites, recording if and how the anti-malware handles the threat.

To ensure good results, visiting a variety of malicious web sites multiple times is required. So NSS Labs has automated this process, with the test running around the clock for several days. To that point, Rick Moy, president of NSS Labs, mentions:

"If you're not testing like the bad guys, what's the point? We go out to the live Internet and find out what is circulating on malicious campaigns in real time."

ExploitHub, the next step

NSS Labs has taken realistic testing one step further by creating ExploitHub, a system where actual malware is bought from exploit code developers and sold to security professionals to use in their testing. Rick Moy further comments:

"The goal is to close the capabilities gap between the cyber-criminals and white hats, by enabling defenders to perform more comprehensive testing of their defenses."

As I alluded to in the title, ExploitHub seems like a radical idea. Still, qualified experts seem to think it has merit. HD Moore, the creator of Metasploit, has this to say:

"The NSS approach sounds like a great way for exploit developers to profit from their work and an excellent source of useful tools for penetration testers everywhere. Since they are only dealing with exploits for which vulnerability details are already available, it's less about safeguarding sensitive information and more about creating a market for exploit tools."

Rick Moy is quick to reiterate what HD Moore mentioned. Only non-zero-day malware will be part of ExploitHub. Besides, why bother testing a zero-day exploit that does not have a solution?

Benefits of ExploitHub

NSS Labs offers the following arguments on why ExploitHub is a good solution:

  • Improves data security by bolstering testing capabilities.
  • Levels the playing field by giving security professionals more resources.
  • Creates an economically-sustainable ecosystem for ongoing vulnerability testing.
  • Advances security product development, deployment, and testing.


As a writer about IT security, I had more than a few questions. Rick Moy has graciously answered my questions before. So, I had no doubt that he would once again. So here goes.

TechRepublic: Earlier in this article, I mentioned that you use a unique approach when it comes to testing anti-malware applications. Could you please give us your perspective on why it's different?

Rick Moy: Simply put, our clients want to know where the holes in their defenses are - so they can make informed purchases and address any residual risk. By testing 24x7 using live malware on the Internet we're able to measure the proactive and reactive coverage of security products.

TechRepublic: You seem to be the only company following this path. What advantages does it provide your customers?

Rick Moy: Our customers tend to take data security very seriously and are not just looking to check a box. They are seeking actionable data to reduce their risk of infection. Our information services allow them to identify which products fit their asset profiles the best, determine whether patching is needed, model defense in depth, and ensure they're not overpaying for security, and even justify projects to management.

TechRepublic: ExploitHub is being called the "App Store for Exploits". Is that a fair assessment? Exactly what are you trying to accomplish with ExploitHub?

Rick Moy: We created ExploitHub as a marketplace, and with any marketplace, the goal is to accelerate commerce between many buyers and sellers. We recognized that single-company solutions were not adequately addressing the need. So, we are giving a voice and commercial channel to hundreds of researchers to sell their works. This makes more content available and affordable to users who need it most.

TechRepublic: It seems that ExploitHub is an extension of your philosophy about using real-world malcode to test anti-malware applications. Is that how you see it?

Rick Moy: Yes. Everything we are doing is about evangelizing real-world testing for the purpose of improving security. Whether we test in our lab or provide tools to end-users to test themselves, it must be real. We believe, if you're not testing like the bad guys, with the gloves off, what's the point?

TechRepublic: I don't understand how you will go about buying exploits and selling them. It's almost like you are commercializing malcode.

Rick Moy: We're not the first here. Selling exploits has been a legitimate business for several years now; e.g., companies that make pen testing tools. But, right now, the supply is constricted. We're really just optimizing and legitimizing the commercial process so more content can be delivered to people who need it.

For more details on how the marketing process works, please refer to this page on ExploitHub.com.

TechRepublic: What do other security researchers think about ExploitHub? I've read there is some apprehension about exploits getting into the wrong hands.

Rick Moy: These exploits are already in the wrong hands and actively circulating on the net. And the good guys who are trying to defend their networks have but a fraction of them. This is typical of the asymmetrical war we're fighting. We need to level the playing field. That said, we are striving to limit access to legitimate and identifiable security professionals.

TechRepublic: I have read that your products will integrate with the Metasploit Framework. How does that work?

Rick Moy: The objective is to make the user experience easy, automatic, and trustworthy. Exploits will be submitted to the marketplace coded to run on the Metasploit framework. Users will also be able to easily shop in the marketplace using the results of their scans, and content will be downloaded directly into MSF.

TechRepublic: ExploitHub seems like a unique way to test vulnerabilities. Do you have any concerns about the approach due to it being somewhat unorthodox?

Rick Moy: When something isn't working, you need to find another way. Today, practitioners are not able to find all the known holes in their network, so we must innovate a new way. The app-store model has several successful examples of applying market dynamics to solve a seemingly large, intractable problem. eBay, Craigslist, the iPod App Store, Android Market, etc.

Final thoughts

I find ExploitHub an interesting concept and it seems to be a win-win situation. Both exploit developers and security researchers stand to gain by using ExploitHub. Do you agree?