
System vulnerabilities being sold in on-line auctions

ITWorld Canada

On-line scammers turned entrepreneurs have found a new commodity to auction off: system and software vulnerabilities.

Here's how it works: Tech-savvy cyber crooks identify bugs or vulnerabilities in software applications. Then — instead of sharing these findings with the vendor so a patch can be developed — they auction them off on-line to buyers, many of whom are willing to pay top dollar for this information.

"The name of the game is money," says a study on malware distribution evolution released recently by Finjan Inc., a Web security product development firm based in San Jose, Calif. The study was conducted by a Finjan facility called the Malicious Code Research Centre (MCRC).

Below are three samples of postings lifted by Finjan from 'Full Disclosure', an un-moderated mailing list for discussions on security issues and a forum where software vulnerabilities are detailed and openly discussed:

  • "I just found a second bug that allows one to remotely retrieve the contents of other tabs in IE [Internet Explorer Version] 7. Again for sale. Highest Bidder."
  • "So I just found another vulnerability. This time working on the latest patched up [Internet Explorer] version 6.0. It allows for my code to be run... Let the bidding begin."
  • "Due to the success of my IE [vulnerability] sale I have decided to sell a Windows Vista exploit I discovered. This one work remote (sic) and will run code."
Cyber crooks are not hesitant to make such open declarations of illicit intent because of the anonymity offered by the Internet. Some have had the gall to try to peddle their information on popular on-line auction sites such as eBay. Last December eBay pulled an ad that was selling vulnerability information about Microsoft's spreadsheet program Excel.

"That was a bold, if foolhardy, move on the part of the seller, because eBay is hardly black market at all," said Ross Armstrong, senior analyst at technology consultancy firm Info-Tech Research Ltd. in London, Ont.

But vulnerability information is also sometimes purchased by legitimate companies. For instance, TippingPoint Technologies Inc. of Houston, Texas, and iDefense Inc. of Dulles, Va., have both sometimes bought vulnerability data so as to assist other firms in deterring virus attacks.

Last year TippingPoint said it would pay as much as $2,000 (U.S.) for a verified vulnerability.

"We are for responsible disclosure of vulnerabilities," said David Endler, director of security research for TippingPoint.

The company deals with "security researchers" who contact TippingPoint with whatever vulnerability they discover. TippingPoint validates the vulnerability, tests it out and classifies it according to potential severity. It then helps its clients develop means of mitigating the vulnerability. The firm also informs the software vendor about the vulnerability in its product, but does not go public until the vendor develops a patch.

While TippingPoint waits for the vendor to come up with a patch, other firms disclose to the public any vulnerability they encounter.

Open disclosure, according to analysts, may be a double-edged sword. The disclosure could alert malicious hackers to a system's flaws, but it could be the only reliable way to ensure software makers come up with patches.

For those who choose to auction off their findings, the "vulnerability" market is also ruled by the laws of supply and demand, and indications are — right now — demand is pretty hot. "As the price tag for new vulnerabilities continues to increase, so does the temptation to sell [them] on the black market, rather than disclose the information to responsible vendors that can develop patches," the Finjan study says.

Web security experts say information on how to break into a system can be used to launch spam and phishing attacks or create websites with malicious code that covertly take control of a person's computer.

"The market is driven by crime," according to Bruce Schneier, security technologist and founder of Counterpane Internet Security Inc. of Mountain View, Calif. He said organizations involved in identity theft "would only be [too] glad to pay upwards of US$1,000 for information that can help them single out a system's vulnerability and exploit it for financial gain."