Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Zero-Day Exploit For Sale

Posted by kdawson on from the crack-bazaar dept.

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

13 of 233 comments (clear)

  1. Ah... by JoshJ · · Score: 5, Funny

    'I think the malware industry is making more money than the anti-malware industry,' Genes said.
    Thank you, Captain Obvious.
    *salute*

    --
    Care about privacy? Read this!
    1. Re:Ah... by Swimport · · Score: 5, Insightful

      Even assuming the cost of damages from malware exceeds the money spent on anti-malware doesnt mean the damages are ending up in someones pocket. If a company is crippled for days it may cost them millions but the person responsible for the damages doesnt necessarily get anything. Just as with spam. If you send out 100 million spam emails and make $10,000 the loss in productivity likely exceeds $10,000.

  2. Auctions by bucketoftruth · · Score: 4, Interesting

    Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.

    1. Re:Auctions by ZPWeeks · · Score: 5, Funny

      No, it IS the Pentagon's system!

  3. l33t hax0r by pchan- · · Score: 5, Funny

    the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

    Sounds like I need to switch jobs. Finally, a job where discovering Windows bugs will pay off instead of just generating more work for me.

    1. Re:l33t hax0r by AltGrendel · · Score: 4, Interesting

      Finding the bug is one thing. Being able to write a program that will successfully exploit it on a consistent basis is another.

      --
      The simple truth is that interstellar distances will not fit into the human imagination

      - Douglas Adams

  4. Re:closed systems by badriram · · Score: 5, Insightful

    please, this has nothing to do with closed systems and open systems. This has more to do with people wanting compromised machines to do their bidding, be it spam, ddos attacks, get personal info etc. These people obviously make a lot of money, so obviously they are willing to pony up thousands of dollars for a flaw that might give them access to hack millions of computers. If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices. (unless ofcourse it is harder to hack them, then prices would higher)

  5. Re:Economy by EnsilZah · · Score: 5, Insightful

    I was under the impression that libertarians were the embodiment of capitalism.

  6. Re:closed systems by indigoid · · Score: 4, Insightful

    No, you're wrong, actually. They are much better off pwning eleventy billion little computers, because they are way harder (or impossible?) to effectively blacklist, filter and otherwise protect from.

    A big server with lots of bandwidth will stand out like a honeymooner's dick (thanks Billy Birmingham) and be rapidly blacklisted. See: RBL, ORBS, etc

    --
    P-plate adventurer
  7. Oh come on now... by jorghis · · Score: 5, Insightful

    You know the people selling this stuff arent exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?

    It isnt smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) noone said anything about how big of a security hole we are talking about here.

    How about if I tell you that I heard someone offered to sell an Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?

    This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

    1. Re:Oh come on now... by CODiNE · · Score: 4, Insightful

      People who pay $50,000 for something aren't afraid to kill you if you lie to them. This especially makes sense if the mafia / SPAM connections are true.

      --
      Cwm, fjord-bank glyphs vext quiz
  8. Yeah, right by LaughingCoder · · Score: 5, Interesting
    ... according to computer security researchers at Trend Micro ...
    ... like Trend Micro doesn't have anything to gain by people thinking there are Vista exploits. Seriously, Norton, McAfee and Trend Micro are all worried that their golden goose may be cooked if Vista is significantly more secure than XP. And I loved the use of the cloak-and-dagger word "infiltrated" to strike further fear into people. This seems to me little more than a sad attempt to remain relevant by an anti-virus vendor.
    --
    The more you regulate a company, the worse its products become.
  9. Re:Please define "zero-day" by Anonymous Coward · · Score: 5, Informative

    The media idiots and security vendors bastardized this term. 0-day originally meant an vulnerability unknown to the vendor hence there is no patch or work-around for it.

    Then security vendors tried to use it to mean any vulnerability without a patch, known or unknown because then they could rightly claim that their software mitigated a 0-day vulnerability, which really meant thier software could mitigate a known vulnerability. That's where the media idiots jumped in because 0-day sound cool and scary.

    There is no point in trying to correct them. That ship has sailed. Just like "hacker" now means criminal when the original definition was a badge of honor.

    Now that the vulnerability is known, it is just an unpatched vulnerability.