Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Trend Micro's Vista "0day exploit auction" claim
From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 20 Dec 2006 17:11:50 -0600

Uh, re-read my post. My point was that based upon somewhat recently
prices on XP exploits, $50k for a Vista exploit did not surprise me one
bit. Maybe not exactly the confirmation you or Roger were looking for,
but I've seen high 5 figure offers for XP exploits for a while, I've
heard of low 6 figure offers from multiple people I trust, and if I were
a bad guy selling 0day I would certainly expect to get a decent price
for Vista exploits -- particularly for non-client-side remote root.

What Trend Micro is reporting on (at least I think) is that there was an
individual or group that was offering up a 0day Vista exploit with a
price tag of $50k, which is currently being "confirmed and evaluated" by
a "trusted third party" (who will probably get a cut of the sale). Odds
are it will go for less. Joke about it if you like, but it is
practically 0bay out there. Some of the Russian boards are discussing
this, like "is it really worth it" and "could they get more". Based on
previous experience and the "talk on the street" (thanks to Google, and
the Beta Google translation from Russian to English) I'd say it is real.
IMO it is an attempt to drive up the price of future exploits. 

Now are Vista exploits actually going for $50k? No confirmation there,
but someone is currently offering one for that amount, and it is
possible they will get that much or even more.

-SN

On Wed, 2006-12-20 at 15:31 -0700, Drew Brown wrote:
Uh... Roger isn't talking about XP. He's talking about Vista. Re-read
his post.

I thought he was talking about XP at first too.

And I wondered if the thing was valid myself.



Drew

On 12/20/06, Simple Nomad <thegnome () nmrc org> wrote:
        On Tue, 2006-12-19 at 21:55 -0500, Roger A. Grimes wrote:
        > I can't verify it. But $50K for an exploit against an OS
        that will not
        > be widely deployed for many months seems to be excessive.
        Who in their
        > right mind would want to pay $50K to exploit 10 machines
        before the
        > exploit is captured, sent to MS, and patched, all before the
        general
        > population really starts running it.
        >
        > It doesn't pass the commonsense test to me. A zero day on XP
        Pro would 
        > be oh, so much more valuable.
        
        XP exploits *are* more valuable. Considering XP exploits
        already go for
        as much as twice that, $50k actually seems reasonable, or if
        not
        reasonable, at least what the market will bear. I haven't seen
        auction 
        boards recently (in fact since fed crackdowns it is getting
        harder to
        get on some boards) and never saw Vista on there as it was
        before
        Vista's time, but I have seen large amounts. While up to 6
        figures for a 
        remote root XP exploit seems excessive, $50k for Vista does
        not strike
        me as outrageous, all things considered.
        
        Organized cybercrime, for lack of a better word, seems to be
        fairly well
        organized. An aggressive business person is willing to spend
        money to 
        make money, so having multiple 0days for future business
        expansion would
        only make sense, particularly in an area with so much
        unlaundered cash
        floating around. If the ecommerce sites start moving to Vista
        and you 
        have remote root on Vista, burning a 0day to hit a few dozen
        major sites
        and grab customer lists, CC #'s, etc is totally worth $50k.
        
        Another thing to bear in mind is that some of the value here
        may lie in 
        something besides actual money. For example someone might be
        willing to
        trade a run of CC #'s for a Firefox exploit, and if each
        credit card
        would normally fetch $200, your exploit might be worth 50
        credit card 
        numbers which have a street value of $10k. If you were real
        good at
        carding you could easily turn this into twice or three times
        that.
        Otherwise the exploit might only be worth a couple thousand in
        actual
        cash. 
        
        -SN
        



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]