
Vista Zero-Day Exploit For Sale

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

  • Re:Ah... (Score:3, Insightful)

    by Swimport ( 1034164 ) on Saturday December 16, 2006 @05:13PM (#17271366) Homepage
    I don't think it's that obvious. There are a lot of people out there that pay for security software. Not to mention the large corporations that spend millions on it. Not even mentioning the tech support jobs created to combat spam and hackers.
  • Re:closed systems (Score:5, Insightful)

    by badriram ( 699489 ) on Saturday December 16, 2006 @05:25PM (#17271462)
    Please, this has nothing to do with closed systems and open systems. This has more to do with people wanting compromised machines to do their bidding, be it spam, ddos attacks, get personal info etc. These people obviously make a lot of money, so obviously they are willing to pony up thousands of dollars for a flaw that might give them access to hack millions of computers. If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices. (unless of course it is harder to hack them, then prices would be higher)
  • by gustolove ( 1029402 ) on Saturday December 16, 2006 @05:32PM (#17271522) Journal
    the day after patch-tuesday for windows
  • Re:Economy (Score:5, Insightful)

    by EnsilZah ( 575600 ) <.EnsilZah. .at. .Gmail.com.> on Saturday December 16, 2006 @05:42PM (#17271590)
    I was under the impression that libertarians were the embodiment of capitalism.
  • Re:closed systems (Score:2, Insightful)

    by camcorder ( 759720 ) on Saturday December 16, 2006 @05:47PM (#17271622)
    Would it be better for a spammer to compromise a limited time open desktop computer with small bandwidth or some high-end server which is available full time w/ generous bandwidth? If the latter is more feasible for spammers or ddos attackers, linux servers have more usage than windows servers. So your assumption is totally wrong.
  • Re:Ah... (Score:3, Insightful)

    by pilkul ( 667659 ) on Saturday December 16, 2006 @05:59PM (#17271690)
    Indeed, I'd say the claim is obviously false.
  • Re:closed systems (Score:4, Insightful)

    by indigoid ( 3724 ) on Saturday December 16, 2006 @06:06PM (#17271744)
    No, you're wrong, actually. They are much better off pwning eleventy billion little computers, because they are way harder (or impossible?) to effectively blacklist, filter and otherwise protect from.

    A big server with lots of bandwidth will stand out like a honeymooner's dick (thanks Billy Birmingham) and be rapidly blacklisted. See: RBL, ORBS, etc
  • Re:closed systems (Score:4, Insightful)

    by badriram ( 699489 ) on Saturday December 16, 2006 @06:10PM (#17271772)
    I'll bite.

    1. Linux servers do not have a higher marketshare than windows servers, check your facts.
    2. Servers, be they linux or windows, typically have people that are more computer literate, hence are already better protected, monitored, and locked away.
    3. Millions of unmonitored desktops, with careless users, with broadband connections will always be a better target.
  • Re:Economy (Score:2, Insightful)

    by glas_gow ( 961896 ) on Saturday December 16, 2006 @06:12PM (#17271774)

    I was under the impression that libertarians were the embodiment of capitalism.

    That's neo-liberalism you're confusing with old fashioned liberalism. With neo-liberalism the emphasis is on freedom of the market, based on an article of faith that the market is some magical entity that'll solve all administrative problems. With old fashioned liberalism the freedom of one person is balanced against the freedom of another, the consequence of which is a system of legislation to protect those freedoms.

  • Oh come on now... (Score:5, Insightful)

    by jorghis ( 1000092 ) on Saturday December 16, 2006 @06:13PM (#17271788)
    You know the people selling this stuff aren't exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?

    It isn't smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) no one said anything about how big of a security hole we are talking about here.

    How about if I tell you that I heard someone offered to sell a Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?

    This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.
  • by mochan_s ( 536939 ) on Saturday December 16, 2006 @06:15PM (#17271804)
    I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

    Why do?

    After a user buys a copy of Vista, Microsoft receives no more money from the user.

    It would probably be economically wise to spend time in developing another product.

  • by edwardpickman ( 965122 ) on Saturday December 16, 2006 @06:33PM (#17271912)
    I like mine better Win 2000. I've never had a Win 2000 machine zombied but my XP machines are all the time. I finally got tired of fighting with security and just keep them off line. I log on with my win 2000 and my Mac. I have to run spyware software every time I log off on the Win 2000 machine but the Mac is always fine.
  • by alphax45 ( 675119 ) <kyle.alfred@gmDEGASail.com minus painter> on Saturday December 16, 2006 @06:45PM (#17271994)
    Where are you going on the net with your XP machine? It should not get attacked THAT much, especially if fully patched with a good A/V. I run spybot and ad-aware once a month, they never find anything but tracking cookies. Now on my dad's machine I run it whenever I am home and it will find lots more, but he just clicks yes to almost everything.
  • Re:Ah... (Score:1, Insightful)

    by Anonymous Coward on Saturday December 16, 2006 @07:01PM (#17272100)
    Agreed. And not only is it not obvious, I don't know how it could be. The malware industry doesn't exactly report their numbers, keep offices, or publish a trade rag.
  • by twitter ( 104583 ) on Saturday December 16, 2006 @07:20PM (#17272198) Homepage Journal

    Oh, ho ho. All the apologists are quick to argue that, "The only reason the bad guys target Windoze is because it's popular." What bullshit that is.

    Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years. Yet there's already a market for exploits. What this should tell you is that the value of an exploit is its ability to work, regardless of market share. The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come. No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing. Linux exploits don't take down every distribution but just about every distribution is quick to fix problems. GNU/Linux exploits, relative to Windoze, don't work or last long.

  • Re:closed systems (Score:1, Insightful)

    by Anonymous Coward on Saturday December 16, 2006 @07:21PM (#17272206)
    >
    > Linux servers do not have a higher marketshare
    > than windows servers, check your facts.
    >

    This is very uncertain.

    Depending on studies, they might only count the money made on sales, the number of sales, the money made on support contracts, the number of such contracts... sometimes, they only include GNU/Linux and other UNIX-like distributions/OSes specifically oriented to servers, sometimes they only count GNU/Linux distributions (excluding other UNIX-like, notably xBSD). Sometimes, they only count sales of contracts for hardware+OS, or the amount of money made on these. Sometimes, they only use statistics, which are sometimes highly biased. Sometimes, these statistics are based only on numbers from x companies (which most often benefits Windows, as GNU/Linux and other UNIX-like OSes installations, even for servers, are far more diversified).

    In most cases, they do not try to evaluate the real number of servers. And as GNU/Linux and xBSD (notably) are far more easily distributable, being mostly free (yeah, there are versions dedicated to servers, which are not, but except support -which some companies sure are attached to-, and some customization, they do not add much...), the final number is not representative of the number of GNU/Linux and other UNIX-like servers.

    If you count only the money made on sales of GNU/Linux server-oriented distributions, then, yes, Windows servers most probably have more "market share". However, you are not counting other UNIX-like distributions (though different, sometimes to a large extent, they share many similarities, and most often, numerous pieces of software), you are not counting most firewalls/routers, you are not counting most Web servers (well, those who are not known to run IIS, that is like 75% of Web servers), you are not counting most semi-amateur, geeky-amateur, and geeky-admin servers of all kind, on professional connections, etc., that is, your number only matters to Microsoft PR/marketing dudes.
  • by Sj0 ( 472011 ) on Saturday December 16, 2006 @09:04PM (#17272968) Journal
    I'd go so far as to say you don't even need the cheap router, since the XP firewall seems to do a good job of closing the most dangerous ports. I've been running for quite a while without a router, and I've found that as long as you cover your ass with respect to the big things, the little things don't tend to hit.
  • Re:Ah... (Score:3, Insightful)

    by packeteer ( 566398 ) <packeteer@subdim ... m minus language> on Saturday December 16, 2006 @09:24PM (#17273082)
    Think of this simple equation. If more was spent on anti-malware than the damage malware did, nobody would spend the money and they would just eat the cost. I realize that's an overly simple scenario but the idea still stands. Malware is used to rip off credit cards and checks which are VERY lucrative. The anti-malware is mostly run by corporations which have a profit margin but it's not nearly the same as stealing.
  • Re:Ah... (Score:5, Insightful)

    by Swimport ( 1034164 ) on Saturday December 16, 2006 @09:34PM (#17273194) Homepage
    Even assuming the cost of damages from malware exceeds the money spent on anti-malware doesn't mean the damages are ending up in someone's pocket. If a company is crippled for days it may cost them millions but the person responsible for the damages doesn't necessarily get anything. Just as with spam. If you send out 100 million spam emails and make $10,000 the loss in productivity likely exceeds $10,000.
  • by CODiNE ( 27417 ) on Saturday December 16, 2006 @11:31PM (#17273986) Homepage
    People who pay $50,000 for something aren't afraid to kill you if you lie to them. This especially makes sense if the mafia / SPAM connections are true.
