The cybercrime group responsible for the popular Blackhole exploit kit recently announced that they have established a $100,000 budget for purchasing new browser and browser plug-in vulnerabilities, according to blogger Brian Krebs. The new program comes on the heels of warnings about an increasingly complex exploit market, offering a fresh challenge to white hat vulnerability purchasers.
According to Krebs, the group responsible for Blackhole has launched a more sophisticated exploit kit called Cool. Like Blackhole, Cool is rented to cybercriminals for a set period of time. While Blackhole costs $700 for three months and $1,500 for a year, a Cool license runs $10,000 a month, lead Blackhole author "Paunch" told Krebs.
There appears to be a healthy market for this more expensive kit, giving the authors a substantial budget to purchase and add new vulnerabilities. Krebs posted a translated excerpt of a semi-private forum post detailing the exploit purchase program.
"Everyone is aware of the problem which exists now on the exploit market!" the authors wrote. "To solve this problem, our team prepared the following exclusive program of purchasing new browser and browser plugin vulnerabilities. Not only do we buy exploits and vulnerabilities, but also improvements to existing public exploits, and also any good solutions for improving the rate of exploitation."
The team noted that it would not accept exploits that were already public, but that it would work with new contributors via an agreed-upon third party. In addition to weaponized exploits, the team will also purchase descriptions with proof of concept.
An evolving vulnerability market
As the black market devotes more resources toward purchasing exploits, vulnerability researchers are becoming increasingly motivated by financial rewards rather than a sense of responsibility, according to a recent Information Security report. While traditional disclosure practices usually involved researchers either turning their information over to a vendor or posting it publicly, security experts today are finding that there is more value in holding onto an exploit and selling it on the gray or black markets.
Bug bounty programs have emerged to encourage researchers to share vulnerability information with vendors, but much of the motivation for doing so ultimately stems from a sense of moral duty. White market vulnerability programs at companies such as Facebook, PayPal and Mozilla typically offer anywhere from $500 to $5,000, Information Security noted. Some companies, such as Microsoft, offer no bounties of any size. In contrast, gray market vulnerability prices might run anywhere from $20,000 to $200,000 or more for an exploit, experts said. Such buyers then resell the vulnerabilities to corporations or governments interested in bolstering cybersecurity.
Given the financial draw of the open market, vendors may be at a disadvantage until they can match the rewards offered by less scrupulous exploit buyers. To truly protect themselves against vulnerabilities, software manufacturers may be best served by adopting a more secure development process that incorporates tools such as source code analysis. Placing a greater emphasis on software security may be the only way companies can truly protect themselves, according to Adriel Desautels, CEO and founder of security consultancy and vulnerability brokerage Netragard.
“If the zero-day market disappeared today, it would have no impact on the proliferation of malware among public computers,” he told Information Security. “Instead, it would be great if software vendors could be better about their development, and then there would be no zero-days left to sell.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.