One would assume that popular sources for zero day vulnerabilities and PoCs, such as Full-Disclosure, Bugtraq or Milw0rm, are the primary sources for obtaining responsibly or irresponsibly released flaws. They’d be wrong. The black market for zero day vulnerabilities, and the concept of over-the-counter (OTC) trade of zero day flaws, has been gradually developing over the last couple of years.
Let’s take a brief retrospective of the black market for zero day vulnerabilities, and review a recently launched underground shop that currently offers 15 zero day vulnerabilities affecting popular web applications, usable for XSS or SQL injection attacks, with prices ranging from $10 to $300.
Back in 2005, a bid for a zero day vulnerability affecting Microsoft’s Office Excel was posted on eBay, prompting a wave of mass media coverage on the potential of rewarding security researchers for their research. It didn’t take long before a zero day vulnerabilities cash bubble started to form, with legitimate sellers and cybercriminals overhyping the seriousness of their discoveries. Around December 2005, the first publicly disclosed case of underground market trade of zero day vulnerabilities took place, when it became evident that the infamous Windows Metafile vulnerability (WMF vulnerability) had been sold for $4,000:
“It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don’t seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/spyware business, and it seems likely that this was how the exploit became public.”
Interestingly, the authors of the then popular WebAttacker DIY web exploitation kit started conducting basic market research on the potential of this market, by featuring a survey asking their visitors how much they would be willing to pay for a zero day vulnerability. The results, out of 155 votes, indicated that 40% of the potential buyers were willing to pay between $100 and $300, with 14.19% answering that they code their own zero day exploits and another 17% stating that they obtain them for free.
It didn’t take long before the underground market model materialized in the form of the International Exploits Shop, among the first underground offerings of a web malware exploitation kit featuring a multitude of client-side vulnerabilities, next to two zero day flaws, back in 2006. And whereas the shop quickly disappeared, the concept remained.
At a time when legitimate online auctions for zero day vulnerabilities are admitting that the market model they’ve introduced is far ahead of its time, their underground alternatives are thriving. Launched in early August, this web-based shop is the latest attempt to utilize a black market model for zero day vulnerabilities.
Here’s a translated introduction to the exploits shop:
“We present you the private exploits shop targeting PHP-applications (Content Management Systems, Guest books, forums, chat rooms, statistics and any other scripts). Our store will be constantly updated so you can expect to find the exploit you were looking for at any given time. If it doesn’t, you will still be able to request such a vulnerability for a web application of your choice, and our team will provide you with the necessary PoCs and tools to start using it. All exploits are written solely to our command, meaning you’re not going to find them anywhere else on the Internet.
Each exploit is accompanied by information on the approximate number of sites running the vulnerable application in Google, the language the exploit is written in, and price. We also have a forum where you can place an order, discuss, complain, express an opinion or ask a question about the exploit purchased. All exploits have a user-friendly Web interface; possibly in the future we’ll be releasing win32 console exploits. There is also technical support, patiently waiting for requests from users who have a problem using the exploit. We also conduct audits, security services, tests for entry (this service will be available by the end of August this year).