News: How Zero-Day Exploits Are Bought & Sold


Most of you already know that a zero-day exploit is an exploit that has not yet been revealed to the software vendor or the public. As a result, the vulnerability that enables the exploit hasn't been patched. This means that someone with a zero-day exploit can hack into any system that has that particular configuration or software, giving them free rein to steal information, identities, and credit card info, and to spy on victims.

Developing a zero-day is the "Holy Grail" for elite hackers as it can bring significant notoriety, rewards, and maybe even great wealth. Those are just some of the reasons why I have begun a new series on developing your own exploits. Hopefully, at least one of my tenderfoot hackers will be able to ride what was learned here on Null Byte to riches and infamy.

Software Developers

Zero-days may be developed by security researchers and sold to the software developers. Many of these firms have programs to reward researchers for finding flaws in their products. Probably the most generous is Google, who rewarded $150,000 for a successful hack of their Chrome OS at Pwnium. Normal non-competition bounties top out at $15,000 to $20,000. You can see who has won rewards here.


For more information on zero-day bounties and their rewards, see my previous guide.

Black Markets

There are a number of black markets where you can buy or sell zero-day exploits. Some of the most active are in Russia. The selfie below is of Andrey Hodirevski, the man believed to run one of the most successful black markets in Russia for zero-days and other exploits.

Andrey Hodirevski, aka Helkern. Image via Brian Krebs

Unfortunately, unless you can speak Russian fluently, your chances of completing a transaction there are very low. In order to maintain the safety of these black markets, purveyors will not do business in English or any language other than Russian.

Speaking and writing that language is the first hurdle you need to overcome to gain their trust. There will be more hurdles, but unless you are a native Russian speaker, you won't get very far. (Believe me, I've tried; for good reason, they are very cautious.)

If you can actually get into these markets, zero-day exploits sell for very reasonable prices. Reportedly, the exploit used against Target last year sold for just $1,200.

National Governments

For those of you with advanced skills, or aspiring to advanced skills, there is a highly developed and pricey market for selling zero-day exploits to national militaries and spy agencies. Of course, they use these for cyber warfare and espionage on each other, and sometimes even their own citizens.

One such firm, Vupen of France, develops and sells zero-day exploits for millions of dollars each. It was recently revealed that Vupen has a contract with the U.S. National Security Agency (NSA) to sell them zero-day exploits. Reportedly, you can't even see their catalog for less than an entry fee of $3M. Now that is tidy business to aspire to.

Vupen pwns Google Chrome at CanSecWest. Image by Jerome Segura/Twitter

As cyber security and cyber threats become increasingly important, hacker skills become increasingly valuable. There are now numerous marketplaces, including the software developers themselves, where you can sell your exploits.

When you have developed your skills to the professional level, the potential to sell your exploits for literally millions of dollars is there. So, keep coming back, my tenderfoot hackers, and follow my new series on exploit development!



I quoted Vupen before in one of my articles and if I'm correct, they also release pretty interesting public exploits once the vulnerability is patched.

Zero-days bring everything to a higher level, and that's fascinating.
Also, having a creator who can bring us practical experiences is awesome.

It seems as if it was divided in factions, and this invicta war to the latest exploit is fascinating. I would really like this to be a topic which I'll have to deal with every day.

Back to Null Byte, I have a question for the community:

How useful are fuzzers in the research of zero-days? Are there (obvious question) other common ways to find them? Is this focused more on the "analyzing code" or "writing exploit finders"? Why are there always new zero-days if I understand that exploits are, after all, programming negligence? Do they exist for reasons that go even beyond programming languages, all the way to hardware and memory allocation?

Thank you in advance to whoever will answer.


I got your address from the web (,
discussions about vulnerability in exploits, the questions and answers were so interesting.
I want to inquire for a good fud exploit with .img or xlsx

waiting for your kind reply.
Best Regards
Eaid Ali

I guess most of the time you won't be able to get your hands on the source code of a program, unless of course it is open source.

That's why I believe that fuzzers are a quite vital part of developing exploits.

However there are also methods, referred to as "static code analysis", which given the source code of a program, check for critical function calls (e.g. memcpy(x,y) without a suitable length check), that could lead to potential vulnerabilities and give out warnings.

The question, why there are and will always be new zero day exploits, is best answered with "to err is human".

Since programs are designed by humans they most probably will never be flawless. And still, if your very own program has no flaws by design, it may rely on other services that are vulnerable.

Besides, in the past developers didn't focus as much on security as they do today. Therefore there are a lot of programs in use with countless (still undetected) vulnerabilities.

Just take a look at all the critical fixes for Flash or Java published each year and you can easily imagine why we won't run out of vulnerabilities to exploit.
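The static-analysis idea in the comment above, as an added example that is not the commenter's code or any real analyzer: a small Python heuristic that flags `memcpy` calls whose length is neither `sizeof(dest)` nor compared against it earlier in the same function. The sample C source, the function names and the column-0 function-start convention are assumptions made for this sketch; production tools work on a parsed AST with data-flow analysis rather than regexes.

```python
import re

# Constructed C input for the demo: one unguarded copy, two bounded ones.
SAMPLE_C = r'''
void parse_header(const char *pkt, size_t len) {
    char name[32];
    memcpy(name, pkt, len);   /* flagged: no bound on len */
}

void parse_body(const char *pkt, size_t len) {
    char body[64];
    if (len > sizeof(body))
        return;
    memcpy(body, pkt, len);
}

void copy_magic(const char *pkt) {
    char magic[4];
    memcpy(magic, pkt, sizeof(magic));
}
'''

# memcpy(dest, src, length); with a plain identifier as destination.
MEMCPY = re.compile(r'\bmemcpy\s*\(\s*(\w+)\s*,\s*([^,]+?)\s*,\s*([^;]+?)\s*\)\s*;')
CMP = r'\s*(?:<=|>=|<|>)\s*'

def is_bounded(dest, length, earlier_lines):
    """True if length is sizeof(dest) or was compared to it earlier."""
    size_of_dest = rf'sizeof\s*\(\s*{re.escape(dest)}\s*\)'
    if re.search(size_of_dest, length):
        return True
    var = re.escape(length)
    guard = re.compile(rf'{var}{CMP}{size_of_dest}|{size_of_dest}{CMP}{var}')
    return any(guard.search(line) for line in earlier_lines)

def find_unchecked_memcpy(source):
    """Return (line number, dest, length) for each memcpy with no visible bound."""
    findings, scope = [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Assumed convention: a function starts at column 0 and ends in '{'.
        if line and not line[0].isspace() and line.rstrip().endswith('{'):
            scope = []
        m = MEMCPY.search(line)
        if m and not is_bounded(m.group(1), m.group(3), scope):
            findings.append((lineno, m.group(1), m.group(3)))
        scope.append(line)
    return findings

if __name__ == "__main__":
    for lineno, dest, length in find_unchecked_memcpy(SAMPLE_C):
        print(f"line {lineno}: memcpy into {dest} with unchecked length {length}")
```

The heuristic only checks that a comparison exists, not that it points the right way or that the function returns on failure, so a finding is a prompt for manual review rather than proof of a bug.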

Thank you for the use of specific terms, I'll study them.

So, reverse engineering is not always very useful and sometimes even impossible (I guess, as far as I can see from my studies).

The concept about exploits of applications that are built on third services which still contain vulnerabilities is pretty clear, and "errare humanum est" is why new vulnerable services are built.

Also, I recently joined the programming field so I lack backstory. To know that developers didn't use to always focus on security makes everything clearer. The Java and Flash examples are very clear, and easily explain how it is possible to always find vulnerabilities.

Sorry if I didn't use perfect English, and again, thank you for answering!

Video about Zero-days introduce:


Inspiring, and breathtaking. I mean, 3 MILLIONS as an entry FOR ONLY READING the catalog?! Thank you for your hard work, it's really amazing, but I searched all the web for

"EC-Council Certified Secure Programmer" slides or e-book
"Offensive Security Exploitation Expert (OSEE) Certification"
"Offensive Security Web Expert"
or any other resources but I couldn't find any ...
