One would assume that popular sources for zero day vulnerabilities+Poc's such as Full-Disclosure, Bugtraq or Milw0rm are the primary sources for obtaining responsibly or irresponsibly released flaws. They'd be wrong. The black market for zero day vulnerabilities and the concept of over-the-counter (OTC) trade of zero day flaws, has been gradually developing itself through the last couple of years.
Let's take a brief retrospective of the black market for zero day vulnerabilities, and review a recently launched underground shop for zero day vulnerabilities, currently offering 15 zero day vulnerabilities affecting popular web applications in order to execute successful XSS or SQL injection attacks, with prices ranging from $10 to $300.
Back in 2005, a bid for a zero day vulnerability affecting Microsoft's Office Excel was posted on Ebay prompting mass media outbreak on the potential of rewarding security researchers for their research. It didn't take long before a zero day vulnerabilities cash bubble started to form, with legitimate sellers and cybercriminals over hyping the seriousness of their discoveries. Around December, 2005, the first publicly disclosed case of underground market trade of zero day vulnerabilities took place when it became evident that the the infamous Windows Metafile vulnerability (WMF vulnerability) has been sold for $4,000 :
"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public."
Interestingly, the authors of the then popular WebAttacker DIY web exploitation kit started conducting basic market research on the potential of this market, by featuring a survey asking their visits how much would they be willing to pay for a zero day vulnerability. The results out of 155 votes indicated that 40% of the potential buyers were willing to pay between $100 and $300, with 14.19% answering that they code their own zero day exploits and another 17% stating that they obtain them for free.
It didn't take long before the underground market model materialized in the face of the International Exploits Shop, among the first underground offerings of a web malware exploitation kit featuring a multitude of client-side vulnerabilities, next to two zero day flaws back in 2006. And whereas the shop quickly disappeared, the concept always remained there.
In times when legitimate online auctions for zero day vulnerabilities are admitting that the market model they've introduced is far ahead of its time, their underground alternatives are thriving. Launched in early August, this web based shop is the latest attempt to utilize a black market model for zero day vulnerabilities.
Here's a translated introduction to the exploits shop :
"We present you the private exploits shop targeting PHP-applications (Content Management Systems, Guest books, forums, chat rooms, statistics and any other scripts). Our store will be constantly updated so you can expect to find the exploit you were looking for at any given time. If it doesn't you will still be able to request such a vulnerability for a web application of your choice, and our team will provide with you the necessary PoC's and tools to start using it. All exploits are written solely to our command, meaning you're not going to find them anywhere else on the Internet.
Each exploit is accompanied by information on the approximate number of sites running the vulnerable application in Google, the language the exploit is written in, and price. We also have a forum where you can place an order, discuss, complain, express an opinion or ask a question about the exploit purchased. All exploits have a user-friendly Web interface, possibly in the future we'll be releasing win32 console exploits. There are also technical support, patiently waiting for requests from users who have a problem using the exploit. We also conduct audits, security services, tests for entry (this service will be available by the end of August this year).
Watch our virtual merchandise, and if not today perhaps tomorrow you'll find what you're looking for."
What's particularly interesting about the service is the major shift towards exploitation of web applications in order to facilitate massive SQL injection attacks compared to previously known and analyzed services focusing exclusively on client-side vulnerabilities.
As always, you have a pure cybercrime market proposition pitched as a security service. The e-shop is not only offering proof of concept exploits to demonstrate the vulnerabilities, but also, easy to use web based applications for exploitation.
Moreover, this pseudo responsible positioning is flawed right from very beginning since the service administrators have done their homework and are also offering stats from basic search engines reconnaissance -- Google dorks -- so that potential buyers can easily measure the impact of the flaw that they're purchasing. These very same vulnerabilities would later on be abused for blackhat search engine optimization, and injection of malicious scripts redirecting to live exploit serving URLS. Here's their ethical pen-testing pitch :
"Our team is reviewing source code software and finding bugs in the programming, leading to critical consequences and employees of security systems. Thus, we are pleased to offer you the results of their analysis of popular (or little) systems. The results of our study are presented in the form of finished applications in languages php / perl, which aim - to demonstrate the vulnerability of the system to further assist in their neutralization. If you're going to use our software for other purposes than penetration testing, the administration does not take responsibility for your actions.
We also take orders for individual study of your source code, security auditing of servers and sites (penetration tests). Orders for such services are taken at the forum, and the price purely individual and dealt with each customer individually (mainly depends on the number and type of vulnerabilities discovered, as well as the number of code)."
Which products are they targeting? Currently offered zero days affect multiple versions of the following web applications :
- All versions of PHP Fusion - WHMCompleteSolution - PHP Nuke - PunBB - Tiki Wiki - BMForum - Invision Power Board - YaBB - PunBB - e170 Plugin Calendar - vBulletin v3.6 + ICQ Mod - vBulletin v3.6 + GVideo Mod - vBulletin v3.6 + Youtube Mod - vBulletin v3.6 + LJ Mod - Zen Cart
The most expensive is the $300 SQL injection flaw affecting all versions of PHP Fusion, which can be exploited on a large scale since there are over 2.5 million instances of it on the web, and even if the stats are conservative this hit list building approach through search engines reconnaissance has always been there, with the most recent proof of its usability were the massive SQL injections attacks.
Next to their current inventory, the service is also offering zero day vulnerabilities on demand charging the following prices :
"- Remotely upload shell - $120 - Remote file inclusion on request - $100 - Remote SQL injection - $70 - Passive and Active XSS for $10 and $40 respectively"
This overall shift from client-side vulnerabilities to web applications based ones is taking place due to the increasing demand for techniques allowing the easy hijacking of traffic from legitimate web sites, which is where these web application vulnerabilities fit in. Once they acquire the traffic by exploiting them, they would ultimately redirect it to malware and exploits serving domains taking advantage of outdated but unpatched on a large scale client-side vulnerabilities. It's all a matter of perspective, and the people behind this particular e-shop for zero days are taking the pragmatic one by offering the right product for the right moment.