
Black market thrives on vulnerability trading

By Matt Whipp

Posted on 7 Mar 2006 at 18:09

Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading.

As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings.

Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'

The evidence comes from Symantec's latest biannual security report: vulnerabilities are up. Nearly 2,000 new holes were identified, the largest rise in seven years. And it's not Microsoft's fault. Two-thirds affected web applications rather than the operating system. Four in five were found to be trivial to exploit, and 97 per cent were moderately or highly severe.

Vulnerabilities are being turned up in web applications because that's where hackers are looking for them. And they're looking for them there because web applications are used by people, not machines. 'They're concentrating on the weakest link,' said Pinkney.

Pinkney said it's difficult to know quite how much money these vulnerabilities are being sold for. 'There have been figures bandied about on the Internet,' he said. 'And people have started to reference "the vulnerability mafia". There's a market for everything if you know where to go and look.'

'Script kiddies are finding these vulnerabilities and then selling them to the highest bidder - most likely a criminal. The hacker doesn't want to use exploit code.' Pinkney also said that selling vulnerabilities to a criminal 'allows the hacker to stay out of jail'. That's not surprising: hackers are being successfully arrested more and more frequently as legislation is being rolled out.

More evidence of increased criminal activity is in the report. Some 80 per cent of the top 50 exploits analysed by Symantec turned out to be 'revenue-written', according to Pinkney. Distributed denial of service attacks rose 51 per cent over the previous six months, to 1,405 a day. And the creation of networks of compromised computers continues apace, with nearly 10,000 new zombie machines added each day.

The rise in Internet connectivity in China is certain to provide even more criminal opportunity. China saw the largest increase in botnet activity with a 37 per cent growth of botnet infected systems and a 153 per cent increase in attacks originating there.

That's not to say China is full of criminals. But with a well-documented history of software piracy, it stands to reason that many systems hooking up to the Net in the People's Republic aren't patched properly and are vulnerable to infection.

Furthermore, this activity resulted from a small absolute growth in online population, according to Pinkney. With a population of 1.3bn, the 94m Chinese who are online represent a point right at the bottom of the S-curve expected as the Internet revolution takes off there.

If the black market in vulnerability trading increases, as Symantec predicts, massive numbers of systems coming online in China will prove an ideal vector for attack.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk