Vista Zero-Day Exploit For Sale

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

There's a patch available

Windows XP.

Ah...

'I think the malware industry is making more money than the anti-malware industry,' Genes said.
Thank you, Captain Obvious.
*salute*

Re:Ah...

Even assuming the cost of damages from malware exceeds the money spent on anti-malware doesnt mean the damages are ending up in someones pocket. If a company is crippled for days it may cost them millions but the person responsible for the damages doesnt necessarily get anything. Just as with spam. If you send out 100 million spam emails and make $10,000 the loss in productivity likely exceeds $10,000.

Auctions

Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.

Re:Auctions

No, it IS the Pentagon's system!

closed systems

this seems a natural result of closed-source software companies

I think it is a good thing: it goes to show that having closed systems puts information access at a premium instead of service and real, tangible results for your customers. Open source systems don't have this problem (they have others, 'bot' not this one).

Re:closed systems

please, this has nothing to do with closed systems and open systems. This has more to do with people wanting compromised machines to do their bidding, be it spam, ddos attacks, get personal info etc. These people obviously make a lot of money, so obviously they are willing to pony up thousands of dollars for a flaw that might give them access to hack millions of computers. If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices. (unless ofcourse it is harder to hack them, then prices would higher)

Re:closed systems

No, you're wrong, actually. They are much better off pwning eleventy billion little computers, because they are way harder (or impossible?) to effectively blacklist, filter and otherwise protect from.

A big server with lots of bandwidth will stand out like a honeymooner's dick (thanks Billy Birmingham) and be rapidly blacklisted. See: RBL, ORBS, etc

Re:closed systems

Ill bite.

1. Linux servers do not have a higher marketshare than windows servers, check your facts.
2. Servers be linux or windows, typically have people that are more computer literate, hence are alrady better protected, monitored, and locked away.
3. millions of unmonitored desktops, with careless users, with broadband connections will always be a better target.

Price increasing

So it's getting harder? Or is that just wishful thinking?

l33t hax0r

the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

Sounds like I need to switch jobs. Finally, a job where discovering Windows bugs will pay off instead of just generating more work for me.

Re:l33t hax0r

Finding the bug is one thing. Being able to write a program that will successfully exploit it on a consistent basis is another.

Please define "zero-day"

Could the Slashdot editors please define the term "zero-day exploit"? I was under the---apparently mistaken---impression that it meant an exploit that was released on or before the day that a given piece of software was released.

Re:Please define "zero-day"

No, it's an exploit released before there's a patch that fixes the hole the exploit exploits.

zero-day warez are cracked (i.e. DRM removed) versions of programs available on the same day or before the commercial versions are released.

Re:Please define "zero-day"

The media idiots and security vendors bastardized this term. 0-day originally meant an vulnerability unknown to the vendor hence there is no patch or work-around for it.

Then security vendors tried to use it to mean any vulnerability without a patch, known or unknown because then they could rightly claim that their software mitigated a 0-day vulnerability, which really meant thier software could mitigate a known vulnerability. That's where the media idiots jumped in because 0-day sound cool and scary.

There is no point in trying to correct them. That ship has sailed. Just like "hacker" now means criminal when the original definition was a badge of honor.

Now that the vulnerability is known, it is just an unpatched vulnerability.

What do Linux virii cost?

Or are they open source..? ;)

Economy

This is just another example of how M$ is good for the economy. All you anti-capitalist, libertarian nerds can sit down and shup up, now.

Kidding, of course.

Re:Economy

I was under the impression that libertarians were the embodiment of capitalism.

Credit card numbers?

The auction marketplace is also selling driver's licenses for $150, birth certificates for $150, Social Security cards for $100, and credit card numbers with security code and expiration date for between $7 and $25.

I wonder if any idiots actually used their own credit cards to purchase a stolen credit card number?
What a great way to harvest additional numbers!

Well, Duh!

'I think the malware industry is making more money than the anti-malware industry,' Genes said.

Malware is a profit-making industry. Anti-malware is aimed at eliminating profits, not making them. It doesn't take an economic genius to understand the implications.

How many times have /. readers been reminded that companies exist to generate profit for their owners?

Microsoft

If Microsoft really cared about the security of their customers systems, they'd buy those 0-day exploits and release patchs immediately. But like I said, Microsoft would have to care, and I don't see hell freezing over anytime soon.

Oh come on now...

You know the people selling this stuff arent exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?

It isnt smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) noone said anything about how big of a security hole we are talking about here.

How about if I tell you that I heard someone offered to sell an Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?

This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

Re:Oh come on now...

People who pay $50,000 for something aren't afraid to kill you if you lie to them. This especially makes sense if the mafia / SPAM connections are true.

How do these auction sites do business?

The article doesn't have much detail about this "auction-style" marketplace, but I have to wonder, how are people transferring $50,000 between two parties in exchange for such goods? "Underground" would really have to be quite underground for this to be going on without much notice, no?

I also wonder if Trend Micro felt obligated to report this "discovery" to any authorities before they contacted eWeek about it...

 

Yeah, right

... according to computer security researchers at Trend Micro ...

... like Trend Micro doesn't have anything to gain by people thinking there are Vista exploits. Seriously, Norton, McAfee and Trend Micro are all worried that their golden goose may be cooked if Vista is significantly more secure than XP. And I loved the use of the cloak-and-dagger word "infiltrated" to strike further fear into people. This seems to me little more than a sad attempt to remain relevant by an anti-virus vendor.

Hi, welcome to...

0-day-bay, your place for new gadgetries in the world of ScRiPtKidDieS GoNE CoMmErCIal !
Today, we have on offer a few jolly nice samples of the finest goods, what do you think of:
* Evil worm 2 - Dr.Evil himself would promote this one, if he were a real person, but alas: this Evil worm 2 does not come with frickin' lasers on its head. Made in China, this worm can eat away the fumbly firewalls of most present day Windows machines !
All that, at a price of just $30.000 !

* Glasnost x-ploit - Oh my, in the Western world we make the x-ploit, but in Russia - where this lovely piece of software was born - they x-ploit you ! Just like in the old days of Gorbatchov, this Glasnost worm certainly opens ... backdoors ! ha ha !
For just the measle amount of $15.000, you could have your very own Glasnost'ed Windows botnet in no time !

Last but not least, we wouldn't want to forget our bestseller, our hitman, our top product in the fine world of Windows Redecorating Software : Yoghurt Trojan !
Not the milk-product, but you could say it's milky white cream covers most Windows PC's pretty well ! It has no aftertaste like some worms, and definitely likes to morph into different appearances ! It can definitely lighten the spirits of whoever is at the controls and includes a lovely "MAD"-button in case some law enforcement officer decides to peak into your operation : no more evidence, because no more Trojaned PC's survive the Mutually Assured Deletion of this king of kings !
All that, for just $50.000, it's a bargain !

lol

my favorite part was

"an auction-style marketplace infiltrated by the anti-virus vendor"

.

LOL. I'm certainly no hack and found where they were being sold.

Its funny how companies try and make themselves more relevant than they really are....

This is actually very surprising

Looks like someone is in need of really fast cash. If they wanted to maximize their profits they would not reveal their exploits until Vista is on a much larger amount of computers. Otherwise it will only have the chance to affect very few machines before being patched. That is unless they are selling the exploits with err... "full rights" to the highest bidder in that they would not tell anyone else, and the "winner" can sit on the exploit as long as they want before using it for nefarious purposes.

Malware

"I think the malware industry is making more money than the anti-malware industry...."

1) If you consider Microsoft Windows to be malware (I do), then this is self-evident.

2) Even if you don't consider Windows to be malware, just wait until Vista. Microsoft is pushing anti-malware companies into bankruptcy by embedding its own anti-malware sofware (which is only marginally worse than the non-Microsoft counterparts). There may soon be no non-Microsoft anti-malware companies remaining, at which time the only money to be made in that sector is by the criminals. Since the difference between Microsoft's terrible anti-malware attempts and the currently terrible non-Microsoft anti-malware abortions will be negligible, nobody will buy the non-Microsoft stuff anymore. The criminals will have the industry cornered.

Where's the Popularity Argument Now?

Oh, ho ho. All the apologists are quick to argue that, "The only reason the bad guys target Windoze is because it's popular." What bullshit that is.

Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years. Yet there's already a market for exploits. What this should tell you is that the value of an exploit it's ability to work, regardless of market share. The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come. No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing. Linux exploits don't take down every distribution but just about every distribution is quick to fix problems. GNU/Linux exploits, relative to Windoze, don't work or last long.

Is it illegal to sell a zero-day exploit?

Hypothetically, let's say you've discovered a vulnerability in a major vendor's software. You reported the vulnerability to them almost a year ago, and they assure you that they're still working on a fix. Would it be illegal in Canada or the US to sell code which shows how to exploit the vulnerability (say on eBay)? How about just going public with it (giving it away... say on Slashdot)?

We Need Vista To Ship & Stay #1...

So I can safely do all my work easier in Mac OSX 10.5 ;-?

How much damage from 'fake' security holes?

I wonder how much damage they could inflict on companies (consumers of Vista as well as MSFT) by making claims about having a zero day exploit? I bet using the right channels someone could get MSFT to spend quite a bit of resources auditing code.

Similar to how millions now have to take off our shoes in the airport b/c ONE guy tried to light his shoes on an airplane.

Legality

Is this legal? It's like someone overhearing a conversation (or perhaps intentionally overhearing it) between two plotting murderers and auctioning it to news corps/potential victims for where it's going to take place. I find it obscene: by all means get some money for your efforts, but computers control serious things - consider a case where Microsoft (or similar) buys the information before the the press, in order to cover up an embarrasing situation. Someone uses it because Systemantic or whoever didn't get to it in time (or couldn't afford to), and bam some critical computer goes down, when a patch could have been deployed first. I'm not impressed.

Actually, this is a zero+1ns exploit

at the beginning there was vista (from where did they get that name?)

SCNR

Carsten

I'll Believe It When It's Confirmed

I had no doubt that there would be flaws found in Vista. No non-trivial software is bug free.

But Vista has a lot of features [wikipedia.org] that makes the inevitable bugs much, much harder to take advantage of.

The single most common attack vector in Windows is IE. Virtually all the malware installed on machines today was likely installed by a drive-by-download caused by one of the many, many holes in IE.

But users running Vista have Protected Mode [msdn.com], which effectively isolates IE and prevents it from doing damage. It's possible that protected mode has a flaw, but judging by how it works I find that unlikely.

In addition, the fact that Vista users aren't running as admin makes flaws that affect the interactive user much, much less dangerous. The ability to take over the entire machine, or even run arbitrary code effectively as the interactive user, are almost non-existent.

I suspect that this is either fraudulent, or it doesn't have the ability to root the box.

The New Economy

In other related news. the only way to get a Nintendo Wii at this time, is to pay 70-120% more than retail on ebay.

wow, my first thought is

this $50,000 incentive will be great for improving security. (since once an exploit has been offered for sale, there are many avenues for that problem to be leaked to general awareness.)

haha

microsoft always stimulates the economy!

But the most important question is...

Where are these Paypal's "donate" buttons?

Is it just me...

...or did anyone else read the summary as "TrendMicro is selling Vista expoits for $50,000 a pop"

This is a stupid joke organized by FSF!!!!

2006/12/15 BadVista.org: FSF launches campaign against Microsoft Vista http://badvista.fsf.org/ [fsf.org]

Capitalism at it's Finest

All of the big companies and the government talk about how much they like capitalism, but then complain about things like this. But when you think about it, it's capitalism working exactly as it's supposed to: The market is assigning a dollar value to exploits.

Microsoft has been very lax in the area of security, enabling a market to evolve around exploiting it's weaknesses. Microsoft got it's self into this position by maintaining a monopoly. Absent a monopoly, M$ would have had to compete on quality and would have been forced, by way of competing, more secure products, to secure it's own systems.

So, they may be able to cheat consumers, influence the US government's regulators, but in the long run they cannot escape market forces.

Hm

$50,000?? That's alot of money to spend in the hope that you'll be given the code promised. I think there may be another possibility. Maybe the seller of this is hoping for just one customer: Microsoft. They don't want these things to be used, and what's $50,000 them anyway?

Re:Why doesn't Microsoft buy those out?

I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

Why do?

After a user buys a copy of Vista, Microsoft receives no more money from the user.

It would probably be economically wise to spend time in developing another product.

Re:I Bid

I had only bid a deciban [wikipedia.org]. You win.

Re:Patch

It has to do with the population of mods online right now. There is a clear pattern in the modding of the responses to this news item. Partisanship... it seems. I think Mac OsX and Linux will shine brighter over the next few years, as compared to Vista.

Re:Why doesn't Microsoft buy those out?

I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

1. This could be due to the legal implication

I'm not sure law will look kindly at a company that fund illegal activities to improve their business. And if it comes from a security company, just having your name attached that kind of illegal activity could kill your credibility big time ( like 'they did that to fix the bug, yeah sure like petrol in irak is just a coincidence' whatever true or false that may be )

2. Buying would just drive the prices up, hence increase the prices and therefore maybe get the interest of even bigger player in the field. Logistically expensive venture such as bribes, kidnapping, ... would become profitable.

Re:you can get IT

I'm curious as to whether selling such an exploit would be allowed on Ebay.A++++++++ WOULD BUY AGAIN, OWNED OVER 50,000 noobs!

I doubt it. They do not allow anything that could possibly hurt another person: weapons, Nazi memorabilia, even guides to make weapons, bombs or fireworks are verboten.