Security vendor Kaspersky Lab says that it appears two or three Russian hacker squads sold an exploit for the Windows Metafile (WMF) vulnerability that raised alarms in December.

Criminal gangs sold the exploit on specialized sites for US$4000, wrote Alexander Gostev, senior virus analyst at Kaspersky, in a report on virus activity for the last three months of 2005. It appears someone discovered the vulnerability around Dec 1, and exploit code emerged shortly afterward, Gostev wrote.

One of the purchasers of the exploit was involved in the adware and spyware business, Gostev wrote.

The WMF vulnerability was unique since no patch existed when it was publicly detailed, he wrote. Microsoft initially told customers around the end of December to wait for its monthly patch update in January, while security researchers warned the flaw could be used to steal data on infected machines and use those computers to send spam.

Security analysts also endorsed an unofficial patch created by programmer Ilfak Guilfanov. Microsoft ended up issuing a patch ahead of its regular schedule after critics argued the delay was giving hackers more time to work.