As we noted a while back in our look at the 2011 vulnerability landscape, the number of software vulnerabilities in 2010 fell compared with the previous year, though vulnerabilities still remained a significant threat to users.
Developers like Google and Mozilla openly pay people or organizations who find and report vulnerabilities in their software and/or services. Some third-party groups like the Zero-Day Initiative do the same. However, despite these “whitehat” efforts, the thriving underground promises “blackhat” hackers and cybercriminals far more lucrative means to profit.
The following diagram explains how the underground market is structured. The dollar symbols indicate the steps wherein cybercriminals can profit:
Exploits can enter the underground in two ways. First, cybercriminals can monitor the efforts of legitimate whitehat hackers and other security researchers who post their discoveries in online forums and websites. While whitehat hackers and researchers may have good intentions, their work may be misused and may inadvertently help various online groups to create malware.
Far more lucrative, however, are times when blackhat hackers independently discover exploits without the knowledge of whitehat researchers and analysts. These exploits may be bought and sold—either working code or the mere “idea” may be enough—in the cybercrime underground. In some cases, cybercrime groups who want to use zero-day exploits but don’t have the technical expertise to actually discover them hire other cybercriminals to discover bugs in applications and to create exploits.
A single working zero-day exploit can cost thousands of dollars. The price can go even higher if the vulnerability lies in a frequently used application like Internet Explorer (IE). By contrast, there is no market for vulnerabilities in rarely used applications.
However vulnerabilities and exploits become known, they invariably become part of the arsenal cybercriminals use and are bought and sold in the underground. Exploits for Web-related applications such as browsers become part of exploit kits: multiple exploits packaged and bundled together so that a user visiting a malicious website is hit by several exploits at once.
One of the most famous exploit kits in the underground is the Eleonore kit. Among the applications it targets are Adobe Acrobat, Reader, and Flash Player; IE; Java; Opera; and Mozilla Firefox.
In addition to being directly bought and sold for profit, exploits are also used to improve existing botnets. They allow bot herders to grow and strengthen their botnets, which in turn lets them profit via traditional means such as pay-per-install (PPI) schemes, sending out spam, and others.
Taken together, these observations highlight yet another aspect of the cybercrime underground, where anything is available for the right price.