Slashdot Mirror
Vista Zero-Day Exploit For Sale
Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."
Windows XP.
'I think the malware industry is making more money than the anti-malware industry,' Genes said.
Thank you, Captain Obvious.
*salute*
Care about privacy? Read this!
Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.
this seems a natural result of closed-source software companies
I think it is a good thing: it goes to show that having closed systems puts information access at a premium instead of service and real, tangible results for your customers. Open source systems don't have this problem (they have others, 'bot' not this one).
So it's getting harder? Or is that just wishful thinking?
the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."
Sounds like I need to switch jobs. Finally, a job where discovering Windows bugs will pay off instead of just generating more work for me.
Could the Slashdot editors please define the term "zero-day exploit"? I was under the---apparently mistaken---impression that it meant an exploit that was released on or before the day that a given piece of software was released.
http://outcampaign.org/
Or are they open source..? ;)
Bringing liberty to the masses. - http://freetalklive.com/
This is just another example of how M$ is good for the economy. All you anti-capitalist, libertarian nerds can sit down and shup up, now.
Kidding, of course.
What a great way to harvest additional numbers!
'I think the malware industry is making more money than the anti-malware industry,' Genes said.
/. readers been reminded that companies exist to generate profit for their owners?
Malware is a profit-making industry. Anti-malware is aimed at eliminating profits, not making them. It doesn't take an economic genius to understand the implications.
How many times have
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
If Microsoft really cared about the security of their customers systems, they'd buy those 0-day exploits and release patchs immediately. But like I said, Microsoft would have to care, and I don't see hell freezing over anytime soon.
You know the people selling this stuff arent exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?
It isnt smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) noone said anything about how big of a security hole we are talking about here.
How about if I tell you that I heard someone offered to sell an Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?
This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.
The article doesn't have much detail about this "auction-style" marketplace, but I have to wonder, how are people transferring $50,000 between two parties in exchange for such goods? "Underground" would really have to be quite underground for this to be going on without much notice, no?
I also wonder if Trend Micro felt obligated to report this "discovery" to any authorities before they contacted eWeek about it...
Why do?
After a user buys a copy of Vista, Microsoft receives no more money from the user.
It would probably be economically wise to spend time in developing another product.
The more you regulate a company, the worse its products become.
After a user buys a copy of Vista, Microsoft receives no more money from the user.
... at least for a while.
It would probably be economically wise to spend time in developing another product.
Not to mention, if you never fix the bugs, the customers just might be willing to pay for your next OS.
Think again. Vista has not yet been put on the market. Right now, it is available to bulk purchases by enterprises, but there is no indication that these enterprises are engaging in massive upgrades. It is also available for download by MSDN subscribers. All in all, there are probably a million or 2 copies out there, most of which are used in secure settings.
PC will start shipping with Vista January 30, 2007. The industry ships maybe 200 millions PC per year. Assume 50% of them will shipwith Vista, that's 8 millions Vista shipment per month. These will be your classic "malware target" PC, complete with clueless users and broadband connections. So, by the end of February, the target market for the supposed "0-day exploit" will be at least 4 times larger than it is now.
So, why sell a Vista exploit now? The probable result will be to tip Microsoft, and get them to release some patch before January 30. The net result in term of infected PC would be near zero. If you are a malware peddler, why would you form $50,000 for a dud?
I think this 'exploit" smells very much of a publicity stunt.
-- Louarnkoz
Yes, but in the mean time you'll only be sucking in the first "Wave" of buyers, and a few stragglers every now and then. OEM's will stop as less people buy OEM stuff, and normal users wont buy it because everyone who uses it says its bad and they lost xxxx and xxxx happened to them after. I doubt it'd be feasable. Definately not as feasable as just fixing the bugs, or better yet, make a new windows with the old NT Kernal sandboxed so it has backwards compatibility yet more stability and less bugs. Sounds good to me.
0-day-bay, your place for new gadgetries in the world of ScRiPtKidDieS GoNE CoMmErCIal !
... backdoors ! ha ha !
Today, we have on offer a few jolly nice samples of the finest goods, what do you think of:
* Evil worm 2 - Dr.Evil himself would promote this one, if he were a real person, but alas: this Evil worm 2 does not come with frickin' lasers on its head. Made in China, this worm can eat away the fumbly firewalls of most present day Windows machines !
All that, at a price of just $30.000 !
* Glasnost x-ploit - Oh my, in the Western world we make the x-ploit, but in Russia - where this lovely piece of software was born - they x-ploit you ! Just like in the old days of Gorbatchov, this Glasnost worm certainly opens
For just the measle amount of $15.000, you could have your very own Glasnost'ed Windows botnet in no time !
Last but not least, we wouldn't want to forget our bestseller, our hitman, our top product in the fine world of Windows Redecorating Software : Yoghurt Trojan !
Not the milk-product, but you could say it's milky white cream covers most Windows PC's pretty well ! It has no aftertaste like some worms, and definitely likes to morph into different appearances ! It can definitely lighten the spirits of whoever is at the controls and includes a lovely "MAD"-button in case some law enforcement officer decides to peak into your operation : no more evidence, because no more Trojaned PC's survive the Mutually Assured Deletion of this king of kings !
All that, for just $50.000, it's a bargain !
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
LOL. I'm certainly no hack and found where they were being sold.
Its funny how companies try and make themselves more relevant than they really are....
I had only bid a deciban. You win.
I have freaks! I did something right...
Looks like someone is in need of really fast cash. If they wanted to maximize their profits they would not reveal their exploits until Vista is on a much larger amount of computers. Otherwise it will only have the chance to affect very few machines before being patched. That is unless they are selling the exploits with err... "full rights" to the highest bidder in that they would not tell anyone else, and the "winner" can sit on the exploit as long as they want before using it for nefarious purposes.
It is perfectly within the terms of the GPL to sell open source software. It is just easier to give it away for free and charge for services/work you do for paying customers.
This space is intentionally staring blankly at you
It has to do with the population of mods online right now. There is a clear pattern in the modding of the responses to this news item. Partisanship... it seems. I think Mac OsX and Linux will shine brighter over the next few years, as compared to Vista.
A publicity stunt by whom exactly? It would have to be someone who gains from FUD about Vista & Microsoft, which rather limits the field. It's hardly Apple's style, and I can't exactly imagine it's a group of philanthropic open source advocates who are trying to get everyone to switch to Linux.
What's purple and commutes? An Abelian grape.
Oh, ho ho. All the apologists are quick to argue that, "The only reason the bad guys target Windoze is because it's popular." What bullshit that is.
Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years. Yet there's already a market for exploits. What this should tell you is that the value of an exploit it's ability to work, regardless of market share. The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come. No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing. Linux exploits don't take down every distribution but just about every distribution is quick to fix problems. GNU/Linux exploits, relative to Windoze, don't work or last long.
Friends don't help friends install M$ junk.
The answer was in the article.
According to [Trend Micro CTO Raimund] Genes
Anti-virus software makers, concerned at the visage that MS has put up of a more secure Vista, trying to ensure sales of anti-virus products on new boxes.
Simple as that.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Hypothetically, let's say you've discovered a vulnerability in a major vendor's software. You reported the vulnerability to them almost a year ago, and they assure you that they're still working on a fix. Would it be illegal in Canada or the US to sell code which shows how to exploit the vulnerability (say on eBay)? How about just going public with it (giving it away... say on Slashdot)?
The bits on the bus go on and off... on and off... on and off...
If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices.
So why is anyone buying Vista exploits? To answer that question you have to admit either that M$ does not fix problems for months and years or that the "popularity" argument is bogus. People traffic Windoze exploits because they work today and keep working tomorrow. Non free is a broken development model.
Friends don't help friends install M$ junk.
So I can safely do all my work easier in Mac OSX 10.5 ;-?
> So, why sell a Vista exploit now?
Someone else might find it. They'll presumably take the $50,000 now.
Can I buy pot from you?
I'm not sure law will look kindly at a company that fund illegal activities to improve their business. And if it comes from a security company, just having your name attached that kind of illegal activity could kill your credibility big time ( like 'they did that to fix the bug, yeah sure like petrol in irak is just a coincidence' whatever true or false that may be )
2. Buying would just drive the prices up, hence increase the prices and therefore maybe get the interest of even bigger player in the field. Logistically expensive venture such as bribes, kidnapping,
I wonder how much damage they could inflict on companies (consumers of Vista as well as MSFT) by making claims about having a zero day exploit? I bet using the right channels someone could get MSFT to spend quite a bit of resources auditing code.
Similar to how millions now have to take off our shoes in the airport b/c ONE guy tried to light his shoes on an airplane.
Is this legal? It's like someone overhearing a conversation (or perhaps intentionally overhearing it) between two plotting murderers and auctioning it to news corps/potential victims for where it's going to take place. I find it obscene: by all means get some money for your efforts, but computers control serious things - consider a case where Microsoft (or similar) buys the information before the the press, in order to cover up an embarrasing situation. Someone uses it because Systemantic or whoever didn't get to it in time (or couldn't afford to), and bam some critical computer goes down, when a patch could have been deployed first. I'm not impressed.
"You know you don't act like a scientist, you're more like a game show host." Dana Barret
Malware is a profit-making industry. Anti-malware is aimed at eliminating profits... Tell that to the twenty or so anti-virus companies that exist. There is some concern about viruses being written indirectly by the anti-virus folks to keep the money coming in. There is no proof for such a conspiracy. Everyone seems to blame the Russian Mafia or simply Organized Crime.
at the beginning there was vista (from where did they get that name?)
SCNR
Carsten
Netcraft does confirm "top servers'" back end make.
Apache wins by a long shot, but that could be served on Windows too.
I had no doubt that there would be flaws found in Vista. No non-trivial software is bug free.
But Vista has a lot of features that makes the inevitable bugs much, much harder to take advantage of.
The single most common attack vector in Windows is IE. Virtually all the malware installed on machines today was likely installed by a drive-by-download caused by one of the many, many holes in IE.
But users running Vista have Protected Mode, which effectively isolates IE and prevents it from doing damage. It's possible that protected mode has a flaw, but judging by how it works I find that unlikely.
In addition, the fact that Vista users aren't running as admin makes flaws that affect the interactive user much, much less dangerous. The ability to take over the entire machine, or even run arbitrary code effectively as the interactive user, are almost non-existent.
I suspect that this is either fraudulent, or it doesn't have the ability to root the box.
Windows XP Professional Common Criteria Configuration Guide:3 a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteri a_configuration_guide.zip
http://download.microsoft.com/download/5/3/b/53b5
If you have the patience to follow that guide, then your WinXP will be locked down and secure.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
In other related news. the only way to get a Nintendo Wii at this time, is to pay 70-120% more than retail on ebay.
Comment removed based on user account deletion
this $50,000 incentive will be great for improving security. (since once an exploit has been offered for sale, there are many avenues for that problem to be leaked to general awareness.)
If you need text styles to communicate then you don't have a message.
No, you're thinking of Pamela Anderson.
If this is anything like the auction markets for credit card numbers, they'll have some kind of reputation tracking.
It will be shipping on pretty much all new computers headed for clueless users over the next year - it is certain that it will rapidly overtake LINUX in both regular and (more importantly) clueless user market share. :P
microsoft always stimulates the economy!
Where are these Paypal's "donate" buttons?
echo "getuid(){return 0;}" > e.c; gcc -shared -o e.so e.c; LD_PRELOAD=./e.so sh
Liberalism in America has come to mean socially liberal and economically restrictive. It's an incorrect definition of the word liberalism, and as such you've had to invent a new word to mean liberal; libertanian.
In the US, you have the Democrats who are socially liberal and economically restrictive, or the Republicans who are socially restrictive and economically liberal. This really means that you can never have true freedom, you can never have the kind of society which created the USA in the first place. You simply switch from one type of restriction to another.
The market isn't magical, it's a many to many system which rewards those who perform a task best where many is approximately the size of the population, it essentially introduces n^2 processing to find the best solution to problems. Instead of one government legislator (or indeed a thousand) trying to think up and enforce a solution, you have n people deciding from n^2 choices what is best for them, where n might be 300 million. While no market is that large, the potential for finding the best solution is still many times that of a governmental/legislative route.
Deleted
Capitalism doesn't require a government. It may be more efficient with one, but a single overriding authority isn't required.
Deleted
Not to mention malware development time. If you're spending $50,000 for the tip off, you don't want to mess up the implementation.
As an actual example to your arguments, one may cite the discussion that was featured a few days ago about Red Hat wanting to clean and improve their RPM system.
There was quite a few users complaining about alleged dependency hell that they linked to the RPM format it self, when in fact those problems are due to the fact that several different distribution use the RPM format and one size won't fit all. A single RPM package will only work with a small subset of distribution flavors, featuring a specific version of system libraries, compiled with a specific version of GCC (ABI may change accross major versions) and maybe some specific version of toolkits and kernel.
Much of the alleged problems that newbies encounter when installing binary package, is that they download the first RPM they find, thinking "but my system does indeed support RPM package". Install it, and then encounter problems, because that RPM wasn't tailored for their specific system.
And that was for *legitimate* softwares that are supposed *just to run*. Now it's going to be even harder for trojan and viruses, which are supposed to exploit bugs to escalate privileges, which are supposed to camouflage themselves and go undetected, etc...
As others said in this thread, in fact Linux, BSD and the various such other OSS have a grater market share than Vista which still isn't released to the consumer market. But if cyber criminal are already racing to get exploits, it's because, in several months if those holes stay unpatched, their nice tool will be able to infect thousands of PCs world wide.
Targeting Linux for malware is targeting an obscure cloud of confusingly heterogenous code bases.
Targeting Windows is target maybe 3 different codebases. Currently, mostly WinXP SP2, pre-SP2 and 2k. In a few months : Vista, XP SP2, XP SP1. One ring to rule them all.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If the same people that use Windows for Powerpoint and Word and have a gazillion worms in their system used Linux, their systems would be as infected as they are now.
They would probably using a 2.2 kernel, a very old build of KDE, and so on.
The fact is: Smart users don't get infected, naive users do. Some smart users use Linux, some smart users use Windows. Most naive users use Windows.
Target the naive users and ignore the smart. No matter what OS the smart people use.
We are Turing O-Machines. The Oracle is out there.
If the same people that use Windows for Powerpoint and Word and have a gazillion worms in their system used Linux, their systems would be as infected as they are now. They would probably using a 2.2 kernel, a very old build of KDE, and so on. The fact is: Smart users don't get infected, naive users do.
No, everyone who uses Windoze gets infected. It's not something you can do anything about because only M$ can "improve" the system. See here for well documented facts about the ongoing M$ security dissaster. A market for Vista exploits just goes to prove that nothing has changed.
Projecting Windows flaws to the free software world is not something you can do. The fact is that you can't even project those flaws to other non free OS like Mac. I dare you to tell me that all OSX users are somehow "smart" and that's why they don't get overrun with botnet malware. A user would be hard pressed to find a distro still using a 2.2 kernel and upgrading has never been hard. You have to go back four or five years for that, even in the conservative world of Debian. Sarge came with 2.4 and 2.6 kernels and Etch is about to go stable. Woody, back in 2001 or so, was the last time you could get a 2.2 kernel by default. More importantly, actual kernel problems have been patched up and never were the kind of threat found in the M$ world. KDE is as easy to upgade as your OS is. I'm using Etch with KDE 3.5 to write this, on a 266 MHz PII laptop that probably came with a Win98 OEM CD and never could have been upgraded to 2000 let alone XP. In the non free software world, people use that OEM CD until they can't stand it, then consider the computer itself dead. The free software world is much easier than that. The proof, of course, is in the data: there are no widespread security problems outside the M$ world.
Friends don't help friends install M$ junk.
...or did anyone else read the summary as "TrendMicro is selling Vista expoits for $50,000 a pop"
No, everyone who uses Windoze gets infected.
I run XP SP2, Kapersky, and run an antivirus/antispyware (Avast and Spybot) about once every month.
I've never had a virus infection on this machine or my previous machine. The only virus I've ever gotten was one back in the days of Windows 95, when my parents plugged my computer directly into a 'net connection and I didn't yet know how to protect the computer properly.
People who know what they're doing don't get infected. You are wrong.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
They allow gas-powered airsoft guns, though. Those very well could kill someone.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
I run XP SP2, Kapersky, and run an antivirus/antispyware (Avast and Spybot) about once every month. I've never had a virus infection on this machine or my previous machine.
Like 75% of Windows users, you probably rate your machine as "moderately" to "very" secure. Yet more than 80% of windows computers are part of the botnet. What do you think you know that 90% of windows users don't? It's all well laid out here in stunning and referenced detail.
Friends don't help friends install M$ junk.
I always thought Hacker meant a guy who spat a lot.
It will allow me to save the archive to disk, then extract the shell script and run it without altering permissions. What Thunderbird won't allow me to do is execute the embedded shell script directly; it will pass it off to the default archive manager but my manager will only allow me save the script or look at it in my default text editor. I could certainly configure the manager to run the script but that's not the default behavior out of the box.
This, however, is a far cry from the last few Windows malware cleanups I've had to do for clients, friends and families who insist that they did no active downloading/unzipping of anything to get hit (and most of them are smart enough not to click on attachments from unknown sources). I've seen Java "dropper"-type malware get past my AV on first install (merely surfing to a Web page), but get flagged on subsequent activity. You always wonder if there is more stuff getting by that the AV isn't noticing.
A surprising number of folks are still on Win98/Win2K and just refuse to upgrade (no matter what I tell them), so I figure I'll still be fielding requests to fix drive-by infections for a few years to come).
2006/12/15 BadVista.org: FSF launches campaign against Microsoft Vista http://badvista.fsf.org/
All of the big companies and the government talk about how much they like capitalism, but then complain about things like this. But when you think about it, it's capitalism working exactly as it's supposed to: The market is assigning a dollar value to exploits.
Microsoft has been very lax in the area of security, enabling a market to evolve around exploiting it's weaknesses. Microsoft got it's self into this position by maintaining a monopoly. Absent a monopoly, M$ would have had to compete on quality and would have been forced, by way of competing, more secure products, to secure it's own systems.
So, they may be able to cheat consumers, influence the US government's regulators, but in the long run they cannot escape market forces.
Competition Good, Monopoly Bad.
$50,000?? That's alot of money to spend in the hope that you'll be given the code promised. I think there may be another possibility. Maybe the seller of this is hoping for just one customer: Microsoft. They don't want these things to be used, and what's $50,000 them anyway?
Property is theft.