mailing list archives
Re: Trend Micro's Vista "0day exploit auction" claim
From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 20 Dec 2006 17:11:50 -0600
Uh, re-read my post. My point was that based upon somewhat recently
prices on XP exploits, $50k for a Vista exploit did not surprise me one
bit. Maybe not exactly the confirmation you or Roger were looking for,
but I've seen high 5 figure offers for XP exploits for a while, I've
heard of low 6 figure offers from multiple people I trust, and if I were
a bad guy selling 0day I would certainly expect to get a decent price
for Vista exploits -- particularly for non-client-side remote root.
What Trend Micro is reporting on (at least I think) is that there was an
individual or group that was offering up a 0day Vista exploit with a
price tag of $50k, which is currently being "confirmed and evaluated" by
a "trusted third party" (who will probably get a cut of the sale). Odds
are it will go for less. Joke about it if you like, but it is
practically 0bay out there. Some of the Russian boards are discussing
this, like "is it really worth it" and "could they get more". Based on
previous experience and the "talk on the street" (thanks to Google, and
the Beta Google translation from Russian to English) I'd say it is real.
IMO it is an attempt to drive up the price of future exploits.
Now are Vista exploits actually going for $50k? No confirmation there,
but someone is currently offering one for that amount, and it is
possible they will get that much or even more.
On Wed, 2006-12-20 at 15:31 -0700, Drew Brown wrote:
Uh... Roger isn't talking about XP. He's talking about Vista. Re-read
I thought he was talking about XP at first too.
And I wondered if the thing was valid myself.
On 12/20/06, Simple Nomad <thegnome () nmrc org> wrote:
On Tue, 2006-12-19 at 21:55 -0500, Roger A. Grimes wrote:
> I can't verify it. But $50K for an exploit against an OS
that will not
> be widely deployed for many months seems to be excessive.
Who in their
> right mind would want to pay $50K to exploit 10 machines
> exploit is captured, sent to MS, and patched, all before the
> population really starts running it.
> It doesn't pass the commonsense test to me. A zero day on XP
> be oh, so much more valuable.
XP exploits *are* more valuable. Considering XP exploits
already go for
as much as twice that, $50k actually seems reasonable, or if
reasonable, at least what the market will bear. I haven't seen
boards recently (in fact since fed crackdowns it is getting
get on some boards) and never saw Vista on there as it was
Vista's time, but I have seen large amounts. While up to 6
figures for a
remote root XP exploit seems excessive, $50k for Vista does
me as outrageous, all things considered.
Organized cybercrime, for lack of a better word, seems to be
organized. An aggressive business person is willing to spend
make money, so having multiple 0days for future business
only make sense, particularly in an area with so much
floating around. If the ecommerce sites start moving to Vista
have remote root on Vista, burning a 0day to hit a few dozen
and grab customer lists, CC #'s, etc is totally worth $50k.
Another thing to bear in mind is that some of the value here
may lie in
something besides actual money. For example someone might be
trade a run of CC #'s for a Firefox exploit, and if each
would normally fetch $200, your exploit might be worth 50
numbers which have a street value of $10k. If you were real
carding you could easily turn this into twice or three times
Otherwise the exploit might only be worth a couple thousand in