eBay for Black Hats?

by on December 16, 2006 · 10 comments

What do y’all think about this? (courtesy of Slashdot)

Underground hackers are hawking zero-day exploits for Microsoft’s new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro.

The Windows Vista exploit–which has not been independently verified–was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor.

In an interview with eWEEK, Trend Micro’s chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.

This feels kind of bogus to me. I’m sure there are lots of people trading Windows exploits on the Internet, but who would pay $50,000 for such an exploit? And if there were people paying $50,000 for Windows exploits, I would expect them to be extremely nervous about being caught by law enforcement agencies, which I expect would cause them to shun online auctions, since auctions by their nature involve exposing your activities to a large number of other people.

I also don’t get how the mechanics of some of these transactions would work. Suppose I want to get a fake driver’s license, which the story reports costs about $150. Do they ship it to my home address? Wouldn’t that just be begging for the feds to set themselves up as fake-ID merchants?

I’m particularly skeptical because there are so few specifics about the site. No mention of who operates it, how many participants it includes, how long it’s been in operation, whether law enforcement is aware of it, etc. Although I can understand them wanting to withhold super-specific details to protect their sources, I’d be a lot more inclined to believe this story if it had a bit more meat on the bones.

So am I way off base, or is this an urban legend being passed off as a news story?

  • http://tieguy.org/ Luis Villa

    I’ve heard of such things for earlier versions of Windows before, including some reputable/documented stories of auctions of botnets. Their existence shouldn’t be too surprising- get that zero day exploit, and you can get yourself a very profitable botnet. Given the reputed cash flow for some of the spam kings, $50K doesn’t sound implausible. And of course they are already in deep legal trouble if caught, so an additional charge wouldn’t scare them very much.

    The only part of this that sounds implausible is that it is for Vista- there is no commercial value in hacking into undeployed systems. But maybe they’ll just stockpile it.

  • http://www.techliberation.com/ Tim Lee

    Right, but doesn’t putting your exploit up for auction substantially increase the chances of getting caught? I can believe that these exploits could be worth 50 grand, but I wouldn’t think an online auction would be the way you’d sell them.

  • http://beyondthecode.blogspot.com David

    I have to agree with Tim. I find it hard to believe that people who have the programming knowledge to engineer exploits to operating systems would trust any type of online auction system. Seems like a nice plot for a novel though.

  • http://tieguy.org/ Luis Villa

    Who says auction system? There are ways of doing auctions without software, you know :) Anonymized chat room (which they are already very good at doing anonymously/untraceably, to control the botnets) + chatters saying ‘I’ll bid X’ ‘Do I hear X+1?’ ‘X+1!’ You know, the old fashioned way :)

  • Roland Dobbins

    There’s a very real miscreant economy, and many things, including exploits, access to botnets for DDoS (useful for extortion, etc.), and so forth are bought and sold daily. I’ve never heard of an exploit going for $50K, but they do go for amounts into the thousands.

    I’ve never heard of anything like an ‘eBay’ for miscreants; most of the transactions are negotiated over IRC and IM, AFAIK.
