Underground hackers are hawking zero-day exploits for Microsoft’s new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit–which has not been independently verified–was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor. In an interview with eWEEK, Trend Micro’s chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.
This feels kind of bogus to me. I’m sure there are lots of people trading Windows exploits on the Internet, but who would pay $50,000 for such an exploit? And if there were people paying $50,000 for Windows exploits, I would expect them to be extremely nervous about being caught by law enforcement agencies. Which I expect would cause them to shun online auctions, which by their nature involve exposing your activities to a large number of other people.
I also don’t get how the mechanics of some of these transactions would work. Suppose I want to get a fake drivers license, which the story reports costs about $150. Do they ship it to my home address? Wouldn’t that just be begging for the feds to set themselves up as fake-ID merchants?
I’m particularly skeptical because there are so few specifics about the site. No mention of who operates it, how many participants it includes, how long it’s been in operation, whether law enforcement is aware of it, etc. Although I can understand them wanting to withhold super-specific details to protect their sources, I’d be a lot more inclined to believe this story if it had a bit more meat on the bones.
So am I way off base, or is this an urban legend being passed off as a news story?