Windows Vista Zero-Day Exploit For Sale

An interview on eWeek titled Hackers Selling Vista Zero-Day Exploit talks about the dark economy that has been discussed before, where exploits, social security numbers, credit card numbers, and malware are for sale to anyone who knows how to get them and has the cash. Already, a Windows Vista zero-day exploit is for sale, although the exploit has not been verified by anyone involved.

Underground hackers are hawking zero-day exploits for Microsoft’s new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro.

The Windows Vista exploit?which has not been independently verified?was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor.

In an interview with eWEEK, Trend Micro’s chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code. Source: eWeek

First off, why would this exploit be so expensive? I haven’t seen any numbers yet, but one wouldn’t think the installed base would be very high yet, being so new, a company would have to have been part of the beta and already know the pitfalls, well, most of them anyway, or else they are crazy. Already there are issues with some of Microsoft’s software, Microsoft SQL Personal Edition will not run on Vista, they are working on a service pack, but nothing has been released yet.

The Trend Micro discovery highlights the true financial value of software vulnerability information and serves as further confirmation that a lucrative underground market exists for exploit code targeting unpatched flaws.

Back in December 2005, researchers at Kaspersky Lab in Moscow found evidence that the exploit code used in the WMF (Windows Metafile) attack was being peddled by Russian hacker groups for $4,000.

However, according to Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business.

“I think the malware industry is making more money than the anti-malware industry,” Genes said.

I’ve been saying this forever, and I will say it again, online merchants who advertise with malware and spyware are what is causing all of this, since there is so much money involved, a person could buy an exploit of this nature and make there cost and more back very quick. All they have to do is drop a bunch of spyware and adware on a user?s machine, where they are paid by install, and here’s your check. How do they afford to pay per install? Because they earn so much money once they have their “software” on users? machines and can afford to pay good money to install even more copies on even more computers.

A custom Trojan capable of stealing online account information can be bought for between $1,000 and $5,000, while a botnet-building piece of malware can cost between $5,000 and $20,000, Genes said.

Credit card numbers with valid PINs are sold for $500 each, while billing data that includes an account number, physical address, Social Security number, home address and birth date can be found for between $80 and $300.

The auction marketplace is also selling driver’s licenses for $150, birth certificates for $150, Social Security cards for $100, and credit card numbers with security code and expiration date for between $7 and $25.

Perfect example right there, they can make more money installing malware and making botnets than they can with live credit card numbers.

Merchants: know who your partners are, know where your ad is being shown; stop funding this crap and it will eventually go away.