Hackers Selling Vista Zero-Day Exploit

Researchers at Trend Micro infiltrate an underground exploit marketplace and find a Windows Vista zero-day attack for sale for $50,000.

Underground hackers are hawking zero-day exploits for Microsofts new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro.

The Windows Vista exploit—which has not been independently verified—was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor.

In an interview with eWEEK, Trend Micros chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.

Bots and Trojan downloaders that typically hijack Windows machines for use in spam-spewing botnets were being sold for about $5,000, Genes said.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The Trend Micro discovery highlights the true financial value of software vulnerability information and serves as further confirmation that a lucrative underground market exists for exploit code targeting unpatched flaws.

Back in December 2005, researchers at Kaspersky Lab in Moscow found evidence that the exploit code used in the WMF (Windows Metafile) attack was being peddled by Russian hacker groups for $4,000.

However, according to Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business.

"I think the malware industry is making more money than the anti-malware industry," Genes said.

Trend Micros researchers also found the underground marketplace saturated with personal data stolen in phishing attacks and virtual currency hijacked from online gamers.

Genes said the average prices for credit card and bank log-in data can vary dramatically, depending on the banks brand and the way the data is mapped to names, Social Security numbers, dates of birth and physical addresses.

A custom Trojan capable of stealing online account information can be bought for between $1,000 and $5,000, while a botnet-building piece of malware can cost between $5,000 and $20,000, Genes said.

Credit card numbers with valid PINs are sold for $500 each, while billing data that includes an account number, physical address, Social Security number, home address and birth date can be found for between $80 and $300.

The auction marketplace is also selling drivers licenses for $150, birth certificates for $150, Social Security cards for $100, and credit card numbers with security code and expiration date for between $7 and $25.

PayPal or eBay account credentials are available for $7, Genes said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.