Slashdot Mirror


Vista Zero-Day Exploit For Sale

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

7 of 233 comments

  1. Re:Please define "zero-day" by Omnifarious · · Score: 3, Informative

    No, it's an exploit released before there's a patch that fixes the hole the exploit exploits.

    zero-day warez are cracked (i.e. DRM removed) versions of programs available on the same day or before the commercial versions are released.

  2. Re:Please define "zero-day" by bigtomrodney · · Score: 1, Informative

    No, a Zero-Day exploit is one which is capable of exploiting on or before the vulnerability is discovered/made public. So the author was possibly the only one with knowledge of the vulnerability. Wiki Article. Of course the usual amount of misunderstanding of the terminology has diluted the meaning somewhat.

    --
    I never get used to these constant resurrections
  3. Re:Auctions by Anonymous Coward · · Score: 1, Informative
  4. Well, Duh! by jc42 · · Score: 2, Informative

    'I think the malware industry is making more money than the anti-malware industry,' Genes said.

    Malware is a profit-making industry. Anti-malware is aimed at eliminating profits, not making them. It doesn't take an economic genius to understand the implications.

    How many times have /. readers been reminded that companies exist to generate profit for their owners?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  5. Re:Please define "zero-day" by Anonymous Coward · · Score: 5, Informative

    The media idiots and security vendors bastardized this term. 0-day originally meant a vulnerability unknown to the vendor, hence there is no patch or work-around for it.

    Then security vendors tried to use it to mean any vulnerability without a patch, known or unknown, because then they could rightly claim that their software mitigated a 0-day vulnerability, which really meant their software could mitigate a known vulnerability. That's where the media idiots jumped in because 0-day sounds cool and scary.

    There is no point in trying to correct them. That ship has sailed. Just like "hacker" now means criminal when the original definition was a badge of honor.

    Now that the vulnerability is known, it is just an unpatched vulnerability.

  6. WinXP Security Configuration Guide by flyingfsck · · Score: 2, Informative

    Windows XP Professional Common Criteria Configuration Guide:
    http://download.microsoft.com/download/5/3/b/53b53a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteria_configuration_guide.zip

    If you have the patience to follow that guide, then your WinXP will be locked down and secure.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. Re:Ah... by budgenator · · Score: 2, Informative

    Since Comcast provides McAfee free of additional charges, I decided to load it up on the Wife's WinXP SP2 machine, and I found it actually painful to run on a machine with rudimentary security measures like limited user privileges; then after I thought about it, the only malware ever found in the machine was in the step son's temp internet files. If the malware is effectively contained in a temp file area and never gets a chance to get installed, then things must be locked down, so I yanked McAfee and just run ClamWin, Ad-Aware and Spybot every so often.

    I don't think malware is a myth, but I do think that running limited privileges, a dedicated router, and Mozilla does a lot, but so does not installing shareware on Windows machines, and staying out of porn, gambling and other less reputable sites helps a lot. Most reasonably intelligent people know when they're getting into the "bad neighborhoods" on the net, and if they don't shut down the brain when they turn on the computer they do OK.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds