Vista Zero-Day Exploit For Sale

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

Ah...

[JoshJ (1009085)]

'I think the malware industry is making more money than the anti-malware industry,' Genes said.
Thank you, Captain Obvious.
*salute*

Re:

[Swimport (1034164)]

I dont think its that obvious. There are a lot of people out there that pay for security software. Not to mention the large corporations that spend millions on it. Not even mentioning the tech support jobs created to combat spam and hackers.

Re:

[pilkul (667659)]

Indeed, I'd say the claim is obviously false.

Re:

[packeteer (566398)]

Think of this simple equation. If more was spent on anti-malware then the damage malware did, nobody woudl spend the money and they would just eat the cost. I realize thats an overly simple scenario but the idea still stands. Malware is used to rip off credit cards and checks which are VERY lucrative. The anti-malware is mostly run by corporations which have a profit margin but its not nearly the same as stealing.

Re:Ah...

[Swimport (1034164)]

Even assuming the cost of damages from malware exceeds the money spent on anti-malware doesnt mean the damages are ending up in someones pocket. If a company is crippled for days it may cost them millions but the person responsible for the damages doesnt necessarily get anything. Just as with spam. If you send out 100 million spam emails and make $10,000 the loss in productivity likely exceeds $10,000.

Re:

[by Anonymous Coward]

The malware industry doesn't exactly report their numbers,

http://www.microsoft.com/msft/earnings/ [microsoft.com]

keep offices,

Their headquarters is here [google.com]

or publish a trade rag.

http://www.microsoft.com/technet/technetmag/ [microsoft.com]

Re:

[ultranova (717540)]

'I think the malware industry is making more money than the anti-malware industry,' Genes said.
Thank you, Captain Obvious.

What isn't quite so obvious is which side should be considered more malicious here: the malware industry, which looks for security holes to profit the Russian mafia and other zombie network controllers but may also end up compromising Vista's DRM - by, say, find an arbitrary code execution hole from Media Player - or the security industry which will inevitably end up defending the

Re:

[budgenator (254554)]

since comcast provides McAfee free of additional charges, I decided to load it up on the Wife's WinXP SP2 machine, and I found it actually painful to run on a machine with rudimentary security measures like limited user privileges; then after I thought about it, the only malware ever found in the machine was in the step son's temp internet files. If the malware is effectively contained in an temp file area and never get a chance to get installed, then things must be locked down, so I yanked McAafee and just

Auctions

[bucketoftruth (583696)]

Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.

Re:Auctions

[ZPWeeks (990417)]

No, it IS the Pentagon's system!

closed systems

[drDugan (219551)]

this seems a natural result of closed-source software companies

I think it is a good thing: it goes to show that having closed systems puts information access at a premium instead of service and real, tangible results for your customers. Open source systems don't have this problem (they have others, 'bot' not this one).

Re:closed systems

[badriram (699489)]

please, this has nothing to do with closed systems and open systems. This has more to do with people wanting compromised machines to do their bidding, be it spam, ddos attacks, get personal info etc. These people obviously make a lot of money, so obviously they are willing to pony up thousands of dollars for a flaw that might give them access to hack millions of computers. If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices. (unless ofcourse it is harder to hack them, then prices would higher)

Re:

[camcorder (759720)]

Would it be better for spammer to compromise limited time open desktop computer with small bandwidth or some high-end server which is available full time w/ generous bandwidth? If latter is more feasible for spammers or ddos attacker, linux servers has more usage than windows servers. so your assumption is totally wrong.

Re:closed systems

[indigoid (3724)]

No, you're wrong, actually. They are much better off pwning eleventy billion little computers, because they are way harder (or impossible?) to effectively blacklist, filter and otherwise protect from.

A big server with lots of bandwidth will stand out like a honeymooner's dick (thanks Billy Birmingham) and be rapidly blacklisted. See: RBL, ORBS, etc

Re:closed systems

[badriram (699489)]

Ill bite.

1. Linux servers do not have a higher marketshare than windows servers, check your facts.
2. Servers be linux or windows, typically have people that are more computer literate, hence are alrady better protected, monitored, and locked away.
3. millions of unmonitored desktops, with careless users, with broadband connections will always be a better target.

Re:

[jpardey (569633)]

I highly doubt that first one. Have you seen that ad on slashdot where microsoft mentions linux explicitly? You never mention your competition unless you are losing. It might be easier to locate and clean up large servers spamming, but they could still be useful for hosting phishing sites or holding porn or distributing spyware. It's also funny that you should say that server operators are more computer literate, because I don't see many FTP home server users giving away account passwords, which was done by

Re:

[JaredOfEuropa (526365)]

You mean, with open source systems people can have the zero day exploits for free? Yay...

But jokes aside, you can bet that once housewives and average Joes start running Linux, it will be worthwhile to develop such exploits, and you will start seeing them.

l33t hax0r

[pchan- (118053)]

the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

Sounds like I need to switch jobs. Finally, a job where discovering Windows bugs will pay off instead of just generating more work for me.

Re:l33t hax0r

[AltGrendel (175092)]

Finding the bug is one thing. Being able to write a program that will successfully exploit it on a consistent basis is another.

Please define "zero-day"

[Schraegstrichpunkt (931443)]

Could the Slashdot editors please define the term "zero-day exploit"? I was under the---apparently mistaken---impression that it meant an exploit that was released on or before the day that a given piece of software was released.

Re:Please define "zero-day"

[Omnifarious (11933)]

No, it's an exploit released before there's a patch that fixes the hole the exploit exploits.

zero-day warez are cracked (i.e. DRM removed) versions of programs available on the same day or before the commercial versions are released.

Re:

[Schraegstrichpunkt (931443)]

So then how is it different from an exploit for an "unpatched" vulnerability?

Methinks it's a recently-made-up scare word.

Re:Please define "zero-day"

[by Anonymous Coward]

The media idiots and security vendors bastardized this term. 0-day originally meant an vulnerability unknown to the vendor hence there is no patch or work-around for it.

Then security vendors tried to use it to mean any vulnerability without a patch, known or unknown because then they could rightly claim that their software mitigated a 0-day vulnerability, which really meant thier software could mitigate a known vulnerability. That's where the media idiots jumped in because 0-day sound cool and scary.

There is no point in trying to correct them. That ship has sailed. Just like "hacker" now means criminal when the original definition was a badge of honor.

Now that the vulnerability is known, it is just an unpatched vulnerability.

Re:

[Vo0k (760020)]

Zero-day warez - yep, you're right.
Zero-day exploits - exploit to unpatched vulnerablity.

DDR RAM isn't a dance training device either.

What do Linux virii cost?

[k1e0x (1040314)]

Or are they open source..? ;)

Open source does not equal free beer

[nietsch (112711)]

It is perfectly within the terms of the GPL to sell open source software. It is just easier to give it away for free and charge for services/work you do for paying customers.

Economy

[rowama (907743)]

This is just another example of how M$ is good for the economy. All you anti-capitalist, libertarian nerds can sit down and shup up, now.

Kidding, of course.

Re:Economy

[EnsilZah (575600)]

I was under the impression that libertarians were the embodiment of capitalism.

Re:

[glas_gow (961896)]

I was under the impression that libertarians were the embodiment of capitalism.

That's neo-liberalism you're confusing with old fashioned liberalism. With neo-liberalism the emphasis is on freedom of the market, based on an article of faith that the market is some magical entity that'll solve all admisitrative problems. With old fashioned liberalism the freedom of one person is balanced against the freedom of another, the consequence of which is a system of legislation to protect those freedoms.

Re:

[westlake (615356)]

I was under the impression that libertarians were the embodiment of capitalism.

a capitalist system demands respect for tangible and intangible property.

almost everything is ultimately reduced to pieces of papers. mere tokens. an entry in a ledger. a bill of lading.

abstraction demands literacy. competence in math.

a capitalist system demands a mechanism for the enforcement of contracts.

a capitalist system needs reliable weights and measures.

standard time. stable currencies. defenses against highwaymen,

Well, Duh!

[jc42 (318812)]

'I think the malware industry is making more money than the anti-malware industry,' Genes said.

Malware is a profit-making industry. Anti-malware is aimed at eliminating profits, not making them. It doesn't take an economic genius to understand the implications.

How many times have /. readers been reminded that companies exist to generate profit for their owners?

Re:

[Brandybuck (704397)]

How many times have /. readers been reminded that companies exist to generate profit for their owners?

Thank you Sherlock for telling us that companies exist to make profit. Next thing you know you'll be telling us that people work for companies to get a salary.

Here's a big cluestick to knock that tinfoil off your head: there is a world of difference between the goal of generating profit legally and ethically, and the goal of generating profit by any means whatsover.

Duh.

Oh come on now...

[jorghis (1000092)]

You know the people selling this stuff arent exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?

It isnt smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) noone said anything about how big of a security hole we are talking about here.

How about if I tell you that I heard someone offered to sell an Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?

This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

Re:Oh come on now...

[CODiNE (27417)]

People who pay $50,000 for something aren't afraid to kill you if you lie to them. This especially makes sense if the mafia / SPAM connections are true.

Yeah, right

[LaughingCoder (914424)]

... according to computer security researchers at Trend Micro ...

... like Trend Micro doesn't have anything to gain by people thinking there are Vista exploits. Seriously, Norton, McAfee and Trend Micro are all worried that their golden goose may be cooked if Vista is significantly more secure than XP. And I loved the use of the cloak-and-dagger word "infiltrated" to strike further fear into people. This seems to me little more than a sad attempt to remain relevant by an anti-virus vendor.

Re:

[bobcat7677 (561727)]

Nah, they aren't really scared of being uselss. It's just a marketing battle. Microsoft started it by creating an OS that makes the user "feel" more secure and then making all sorts of forward looking statements about how it's "the most secure OS ever". (my analysis of Vista so far has yielded little in the way of concrete security improvments, but lots of little gadget things that appear to be intended only to make the average user "feel secure".) Given the impressive bloat, mid-stream changes, and ove

Hi, welcome to...

[thrill12 (711899)]

0-day-bay, your place for new gadgetries in the world of ScRiPtKidDieS GoNE CoMmErCIal !
Today, we have on offer a few jolly nice samples of the finest goods, what do you think of:
* Evil worm 2 - Dr.Evil himself would promote this one, if he were a real person, but alas: this Evil worm 2 does not come with frickin' lasers on its head. Made in China, this worm can eat away the fumbly firewalls of most present day Windows machines !
All that, at a price of just $30.000 !

* Glasnost x-ploit - Oh my, in the Western world we make the x-ploit, but in Russia - where this lovely piece of software was born - they x-ploit you ! Just like in the old days of Gorbatchov, this Glasnost worm certainly opens ... backdoors ! ha ha !
For just the measle amount of $15.000, you could have your very own Glasnost'ed Windows botnet in no time !

Last but not least, we wouldn't want to forget our bestseller, our hitman, our top product in the fine world of Windows Redecorating Software : Yoghurt Trojan !
Not the milk-product, but you could say it's milky white cream covers most Windows PC's pretty well ! It has no aftertaste like some worms, and definitely likes to morph into different appearances ! It can definitely lighten the spirits of whoever is at the controls and includes a lovely "MAD"-button in case some law enforcement officer decides to peak into your operation : no more evidence, because no more Trojaned PC's survive the Mutually Assured Deletion of this king of kings !
All that, for just $50.000, it's a bargain !

Where's the Popularity Argument Now?

[twitter (104583)]

Oh, ho ho. All the apologists are quick to argue that, "The only reason the bad guys target Windoze is because it's popular." What bullshit that is.

Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years. Yet there's already a market for exploits. What this should tell you is that the value of an exploit it's ability to work, regardless of market share. The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come. No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing. Linux exploits don't take down every distribution but just about every distribution is quick to fix problems. GNU/Linux exploits, relative to Windoze, don't work or last long.

Re:

[by Anonymous Coward]

So it's getting harder? Or is that just wishful thinking?

Not just harder, but longer and thicker, according to the zombie e-mail I receive.

Re:Price increasing - Publicity stunt

[louarnkoz (805588)]

This looks very much like a publicity stunt, not "sane malware economics". Suppose that you actually know of a bug in Vista and of the corresponding exploit. Do you think that "just now" is the right time to go to market?

Think again. Vista has not yet been put on the market. Right now, it is available to bulk purchases by enterprises, but there is no indication that these enterprises are engaging in massive upgrades. It is also available for download by MSDN subscribers. All in all, there are probably a m

Re:

[SEMW (967629)]

A publicity stunt by whom exactly? It would have to be someone who gains from FUD about Vista & Microsoft, which rather limits the field. It's hardly Apple's style, and I can't exactly imagine it's a group of philanthropic open source advocates who are trying to get everyone to switch to Linux.

Re:

[Macthorpe (960048)]

The answer was in the article.

According to [Trend Micro CTO Raimund] Genes

Anti-virus software makers, concerned at the visage that MS has put up of a more secure Vista, trying to ensure sales of anti-virus products on new boxes.

Simple as that.

Re:Why doesn't Microsoft buy those out?

[mochan_s (536939)]

I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

Why do?

After a user buys a copy of Vista, Microsoft receives no more money from the user.

It would probably be economically wise to spend time in developing another product.

Re:

[_KiTA_ (241027)]

After a user buys a copy of Vista, Microsoft receives no more money from the user.

It would probably be economically wise to spend time in developing another product.

Not to mention, if you never fix the bugs, the customers just might be willing to pay for your next OS. ... at least for a while.

WinXP Security Configuration Guide

[flyingfsck (986395)]

Windows XP Professional Common Criteria Configuration Guide:
http://download.microsoft.com/download/5/3/b/53b53 a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteri a_configuration_guide.zip [microsoft.com]

If you have the patience to follow that guide, then your WinXP will be locked down and secure.

Re:

[alphax45 (675119)]

where are you going on the net with your XP machine? It should not get attacked THAT much, especially if fully patched with a good A/V. I run spybot and ad-aware once a month, they never find anything but tracking cookies. Now on my dads machine I run it when ever I am home and it will find lots more, but he just clicks yes to almost everything.

Re:

[Sj0 (472011)]

I'd go so far as to say you don't even need the cheap router, since the XP firewall seems to do a good job of closing the most dangerous ports. I've been running for quite a while without a router, and I've found that as long as you cover your ass with respect to the big things, the little things don't tend to hit.

Re:

[gordgekko (574109)]

I've never had a Win 2000 machine zombied but my XP machines are all the time.

Congratulations, you may be the most incompetent XP user ever witnessed on Slashdot.

Re:

[jpardey (569633)]

I had only bid a deciban [wikipedia.org]. You win.

Re:

[I'm Don Giovanni (598558)]

We don't know that the exploits are legit.
Microsoft buying them would be giving in to blackmail.
And, these hackers clearly have zero scruples, so what's to prevent them from selling the exploits to others after Microsoft bought them?
Get real.