0-day Exploit Database
We posted about a vulnerability database yesterday, so it's only natural to talk about an exploit database today. Specifically, eEye announced a 0-day Exploit Database. This sounds like an interesting idea - a central repository of information about 0-day exploits.
Looking at the site, we can see that the number of days a vulnerability has remained unpatched since the corresponding 0-day exploit appeared is displayed prominently on the page. While this day count is one useful data point, additional data would be very helpful.
For example, in the case of the Word MDropper exploit, I'd like to know which files and/or registry key values were modified. To be fair, I googled the string Mdropper, which turned up this Symantec report. While this report brought me closer to figuring out the changes, the Symantec write-up on Mdropper pointed to yet another write-up on another backdoor called Ginwui, which may or may not be related to Mdropper. Since the report on Ginwui lists registry key values that were modified by that exploit, can I infer that those same changes occur when Mdropper is installed on a host?
If you are a malware researcher, you have probably come across this exact frustrating situation before. I don't exactly have a solution to address this type of problem. The obvious thing would be for the different exploit database producers to coordinate and share their data, so that the data can be as complete as possible. The MITRE Common Malware Enumeration (CME) initiative is working on coordinating anti-virus vendors, which should help with this issue. Failing that level of coordination, each database provider will need to be as complete and consistent as possible on its own.
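The Mdropper/Ginwui question above (can indicators from one write-up be carried over to a threat that another write-up merely links to?) is exactly what a small aggregation script can keep honest. The following is an added example, not code from the post or from eEye, MITRE or Symantec. It merges indicator records from several vendor write-ups only where a source explicitly declares an alias, keeps per-indicator provenance, records "related" links as unconfirmed rather than merging them, and reports which sources are missing an indicator the others list. All reports, names, paths and registry keys are constructed placeholders; the sources `db-a`, `db-b`, `db-c` and the `Report` fields are assumptions for the example.

```python
"""Merge malware indicator records from several write-ups while tracking provenance.

Every report below is constructed sample data; the names, file paths and
registry keys are placeholders, not indicators of any real malware.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    source: str         # which database/vendor published the write-up (assumed field)
    name: str           # the malware name as used by that source
    aliases: frozenset  # names the source explicitly states are the SAME threat
    related: frozenset  # names the source merely links to (not asserted identical)
    files: frozenset    # files the source observed being created/modified
    registry: frozenset # registry values the source observed being modified


# Constructed placeholder indicators (not real IoCs).
DROP_FILE = r"%TEMP%\sample-drop.exe"
BD_FILE = r"%SYSTEM%\sample-bd.dll"
REG_X = r"HKCU\Software\Example\Run\SampleX"
REG_Y = r"HKLM\Software\Example\Run\SampleY"

REPORTS = [
    # db-a describes dropper.x and only *links* to backdoor.y, as in the post.
    Report("db-a", "dropper.x", frozenset(), frozenset({"backdoor.y"}),
           frozenset({DROP_FILE}), frozenset()),
    # db-b says dropper.x and trojan.x are the same thing.
    Report("db-b", "dropper.x", frozenset({"trojan.x"}), frozenset(),
           frozenset({DROP_FILE}), frozenset({REG_X})),
    Report("db-b", "backdoor.y", frozenset(), frozenset(),
           frozenset({BD_FILE}), frozenset({REG_Y})),
    # db-c uses the alias name and agrees on the explicit alias.
    Report("db-c", "trojan.x", frozenset({"dropper.x"}), frozenset(),
           frozenset(), frozenset({REG_X})),
]


def alias_groups(reports):
    """Union-find over names, joined ONLY by explicitly declared aliases."""
    parent = {}

    def find(n):
        parent.setdefault(n, n)
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)  # smallest name becomes canonical

    for r in reports:
        find(r.name)
        for a in r.aliases:
            union(r.name, a)
    groups = {}
    for n in list(parent):
        groups.setdefault(find(n), set()).add(n)
    return groups


def merge(reports):
    """Merge reports per alias group; each indicator remembers who reported it."""
    canon = {n: c for c, names in alias_groups(reports).items() for n in names}
    merged = {}
    for r in reports:
        c = canon[r.name]
        e = merged.setdefault(c, {"names": set(), "sources": set(), "files": {},
                                  "registry": {}, "related_unconfirmed": set()})
        e["names"].add(r.name)
        e["sources"].add(r.source)
        for f in r.files:
            e["files"].setdefault(f, set()).add(r.source)
        for k in r.registry:
            e["registry"].setdefault(k, set()).add(r.source)
        # "Related" links are kept separate: their indicators are NOT inherited.
        for rel in r.related:
            if canon.get(rel, rel) != c:
                e["related_unconfirmed"].add(canon.get(rel, rel))
    return merged


def coverage_gaps(merged):
    """Indicators that only some of a family's sources report: the inconsistencies to chase."""
    gaps = {}
    for c, e in merged.items():
        for kind in ("files", "registry"):
            for ind, srcs in e[kind].items():
                if srcs != e["sources"]:
                    gaps.setdefault(c, []).append((kind, ind, sorted(e["sources"] - srcs)))
    return gaps


if __name__ == "__main__":
    m = merge(REPORTS)
    for family, e in m.items():
        print(family, "aka", sorted(e["names"]), "from", sorted(e["sources"]))
        print("  related (unconfirmed, indicators not merged):", sorted(e["related_unconfirmed"]))
    for family, items in coverage_gaps(m).items():
        for kind, ind, missing in items:
            print(f"  {family}: {kind} {ind!r} not reported by {missing}")
```

Run as a script it prints that the dropper family is known under two names across three sources, that `backdoor.y` stays a separate, unconfirmed relation whose registry value is not attributed to the dropper, and which source omits each indicator. The design choice is to merge on declared aliases only; a link in a write-up is recorded but never used to copy indicators across, which is the inference the post is rightly hesitant to make.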
