By NESTOR E. ARELLANO
On-line scammers turned entrepreneurs have found a new commodity to
auction off: system and software vulnerabilities.
Here's how it works: tech-savvy cyber crooks identify bugs or
vulnerabilities in software applications. Then, instead of sharing these
findings with the vendor so a patch can be developed, they auction them off
on-line to buyers, many of whom are willing to pay top dollar for this
"The name of the game is money," says a study on malware distribution
evolution released recently by Finjan Inc., a Web security product
development firm based in San Jose, Calif. The study was conducted by a
Finjan facility called the Malicious Code Research Centre (MCRC).
Below are three samples of postings lifted by Finjan from 'Full
Disclosure', an un-moderated mailing list for discussions on security
issues and a forum where software vulnerabilities are detailed and openly
* "I just found a second bug that allows one to remotely retrieve the
contents of other tabs in IE [Internet Explorer Version] 7. Again for
sale. Highest Bidder."
* "So I just found another vulnerability. This time working on the latest
patched up [Internet Explorer] version 6.0. It allows for my code to be
run... Let the bidding begin."
* "Due to the success of my IE [vulnerability] sale I have decided to sell
a Windows Vista exploit I discovered. This one work remote (sic) and
will run code."
Cyber crooks are not hesitant to make such open declarations of illicit
intent because of the anonymity offered by the Internet. Some have had the
gall to try and peddle their information on popular on-line auction sites
such as eBay. Last December eBay pulled an ad that was selling
vulnerability information about Microsoft's spreadsheet program Excel.
"That was a bold, if foolhardy, move on the part of the seller, because
eBay is hardly black market at all," said Ross Armstrong, senior analyst at
technology consultancy firm Info-Tech Research Ltd. in London, Ont.
But vulnerability information is also sometimes purchased by legitimate
companies. For instance, TippingPoint Technologies Inc. of Houston, Texas,
and iDefense Inc. of Dulles, Va., have both sometimes bought vulnerability
data so as to assist other firms in deterring virus attacks.
Last year TippingPoint said it would pay as much as $2,000 (U.S.) for a
"We are for responsible disclosure of vulnerabilities," said David Endler,
director of security research for TippingPoint.
The company deals with "security researchers" who contact TippingPoint
with whatever vulnerability they discover. TippingPoint validates the
vulnerability, tests it out and classifies it according to potential
severity. It then helps its clients develop means of mitigating the
vulnerability. The firm also informs the software vendor about the
vulnerability in their product, but does not go public until the vendor
develops a patch.
While TippingPoint waits for the vendor to come up with its patches,
other firms disclose to the public any vulnerability they encounter.
Open disclosure, according to analysts, may be a double-edged sword. The
disclosure could alert malicious hackers to a system's flaws, but it
could be the only reliable way to ensure software makers come up with the
For those who choose to auction off their findings, the "vulnerability" market
is also ruled by the laws of supply and demand, and indications are that right
now demand is pretty hot. "As the price tag for new vulnerabilities
continues to increase, so does the temptation to sell [them] on the
black market, rather than disclose the information to responsible vendors
that can develop patches," the Finjan study says.
Web security experts say information on how to break into a system can be
used to launch spam and phishing attacks or create websites with malicious
code that covertly take control of a person's computer.
"The market is driven by crime," according to Bruce Schneier, security
technologist and founder of Counterpane Internet Security Inc. of Mountain
View, Calif. He said organizations involved in identity theft "would only
be [too] glad to pay upwards of US$1,000 for information that can help
them single out a system's vulnerability and exploit it for financial
The information can also be used to create so-called "bot-nets", or
networks of personal computers controlled remotely by a malicious hacker,
according to Info-Tech's Armstrong.
"When you have a bot-net of 10,000 to 20,000 hijacked computers, that's a
lot of computing power to use for denial of service attacks, to launch
spam, or host websites that steal visitors' confidential information,"
The Finjan study said that back in the 1990s, distribution of viruses was
carried out by "script kiddies" in search of fame and recognition among
their peers. Later, phishing scammers used spoofed e-mail messages to fool
people into revealing credit card numbers, passwords and other personal
Today spam has evolved from a mere annoyance to a channel for propagating
Late this June, customers of the National Australia Bank (NAB) were
targeted by a spam message claiming the bank had gone bankrupt and
directing readers to another website to read the full story.
The second website actually installed a Trojan on the machines of
people who visited the site. The code immediately searched for unpatched
vulnerabilities on user machines and exploited them to gain control of the
Occasionally, vulnerabilities are created, perhaps inadvertently, by a
legitimate company.
For instance, late last year SonyBMG placed copy protection software on
one of its CDs that used a sophisticated cloaking technique involving the
use of a rootkit. A rootkit is often used by virus writers to hide traces of
their work on a computer, and can be used by a malicious hacker to gain
control over a computer.
As part of a court-ordered settlement, SonyBMG was recently directed to
compensate consumers who purchased Sony audio CDs that installed a rootkit
when they were played on a PC. The compensation amounts to US$7.50 and a
free album download from Sony's catalogue for each CD purchased.
"What is common to all these threats is that they are driven by active
content (such as Java Script, VB Script, ActiveX, or Java Applets) those
same technologies that enable users to browse websites and run common
business applications," the study said.
Yuval Ben-Itzhak, chief technology officer of Finjan, said a great deal of
malicious code is able to bypass the traditional anti-virus and anti-spam
software on the market today because these products are signature-based.
"These software products search for virus signatures. But if a virus is
new or unknown, the software will not be able to recognize it."
Ben-Itzhak said Finjan software blocks malicious code based on its
behaviour. The moment the NG 51000 detects questionable behaviour on the
part of a visited site it blocks that site.
"If a site begins installing executable codes on a computer, tries to
access disks or read files, monitor keystrokes, access and modify registry
or try to control the computer, it's out," Ben-Itzhak said.
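To make the contrast Ben-Itzhak draws concrete, here is an added Python sketch that is not Finjan's code and does not describe how the NG 51000 actually works. It places a hash-based signature check beside a behaviour policy built from the kinds of actions named in the quote (installing executables, touching disks or files, monitoring keystrokes, modifying the registry, taking control of the machine). The page content, the signature database, the monitor log lines and the action names are all constructed for the example.

```python
import hashlib

# Constructed sample content: a script already in the signature database,
# and a slightly altered variant that no signature has seen yet.
KNOWN_BAD = b"<script src='drop.js'></script><!-- variant 1 -->"
NEW_VARIANT = b"<script src='drop.js'></script><!-- variant 2 -->"

# Signature database (constructed): SHA-256 hashes of content already analysed.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(content: bytes) -> bool:
    """Signature-based check: block only content whose hash is already known."""
    return hashlib.sha256(content).hexdigest() in SIGNATURE_DB


# Behaviour policy (constructed action names) mirroring the actions listed
# in the quote above. Any one of them is enough to block the site.
BLOCKING_ACTIONS = {
    "install_executable",
    "access_disk",
    "read_file",
    "monitor_keystrokes",
    "modify_registry",
    "control_computer",
}


def parse_events(log_lines):
    """Parse constructed 'key=value' monitor lines into dicts, one per event."""
    events = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        events.append(fields)
    return events


def behaviour_verdict(log_lines):
    """Behaviour-based check: (block?, list of actions that triggered it)."""
    hits = [e["action"] for e in parse_events(log_lines)
            if e.get("action") in BLOCKING_ACTIONS]
    return (len(hits) > 0, hits)


def compare(content: bytes, log_lines):
    """Run both checks on the same visit and report what each would do."""
    blocked_by_behaviour, hits = behaviour_verdict(log_lines)
    return {
        "signature_blocks": signature_match(content),
        "behaviour_blocks": blocked_by_behaviour,
        "triggers": hits,
    }


# Constructed monitor output for a benign page and for the new variant's page.
BENIGN_LOG = [
    "site=news.example action=render_page",
    "site=news.example action=set_cookie name=session",
    "site=news.example action=fetch_image path=/logo.png",
]
VARIANT_LOG = [
    "site=bad.example action=render_page",
    "site=bad.example action=install_executable path=C:/temp/drop.exe",
    "site=bad.example action=modify_registry key=HKCU/Software/ExampleApp/Run",
    "site=bad.example action=monitor_keystrokes",
]

if __name__ == "__main__":
    # The known sample is caught both ways; the unseen variant is caught
    # only by what it does, not by what it looks like.
    print("known sample :", compare(KNOWN_BAD, VARIANT_LOG))
    print("new variant  :", compare(NEW_VARIANT, VARIANT_LOG))
    print("benign page  :", compare(b"<p>hello</p>", BENIGN_LOG))
```

The point the sketch makes is the one in the quote: a one-byte change defeats the hash lookup, while the behaviour policy is indifferent to the bytes and keys only on what the page attempts once loaded. A real product would observe those actions from a sandbox or an in-browser monitor rather than from a hand-written log.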
"Open disclosure may be imperfect, but it's the only way to guarantee that
things will get fixed," said Schneier. "Unless vulnerability is made
public, some software makers won't work on the patches."
Armstrong said legitimate firms that buy vulnerability information to
develop filters or alert their clients are beneficial.
"It is a good, pro-active approach and it helps vendors save on research
dollars," he said.
Aside from the anonymity provided by the Internet, the lack of coherent
legislation covering the matter prevents authorities from keeping the
lid on vulnerability auctions. "This is one giant grey zone," according to
"While it may be against the law to propagate viruses, or steal private
information, it is not illegal to publish or sell vulnerability
information," he said.