[ISN] Hackers Selling Vista Zero-Day Exploit

From: InfoSec News (alerts@private)
Date: Mon Dec 18 2006 - 02:05:14 PST


http://www.eweek.com/article2/0,1895,2073611,00.asp

By Ryan Naraine
December 15, 2006

Underground hackers are hawking zero-day exploits for Microsoft's new 
Windows Vista operating system at $50,000 a pop, according to computer 
security researchers at Trend Micro.

The Windows Vista exploitwhich has not been independently verifiedwas 
just one of many zero-days available for sale at an auction-style 
marketplace infiltrated by the Tokyo-based anti-virus vendor.

In an interview with eWEEK, Trend Micro's chief technology officer, 
Raimund Genes, said prices for exploits for unpatched code execution 
flaws are in the $20,000 to $30,000 range, depending on the popularity 
of the software and the reliability of the attack code.

Bots and Trojan downloaders that typically hijack Windows machines for 
use in spam-spewing botnets were being sold for about $5,000, Genes 
said.

The Trend Micro discovery highlights the true financial value of 
software vulnerability information and serves as further confirmation 
that a lucrative underground market exists for exploit code targeting 
unpatched flaws.

Back in December 2005, researchers at Kaspersky Lab in Moscow found 
evidence that the exploit code used in the WMF (Windows Metafile) attack 
was being peddled by Russian hacker groups for $4,000.

However, according to Genes, the typical price of a destructive exploit 
has increased dramatically, driving an underground market that could 
exceed the value of the legitimate security software business.

"I think the malware industry is making more money than the anti-malware 
industry," Genes said.

Trend Micro's researchers also found the underground marketplace 
saturated with personal data stolen in phishing attacks and virtual 
currency hijacked from online gamers.

Genes said the average prices for credit card and bank log-in data can 
vary dramatically, depending on the bank's brand and the way the data is 
mapped to names, Social Security numbers, dates of birth and physical 
addresses.

A custom Trojan capable of stealing online account information can be 
bought for between $1,000 and $5,000, while a botnet-building piece of 
malware can cost between $5,000 and $20,000, Genes said.

Credit card numbers with valid PINs are sold for $500 each, while 
billing data that includes an account number, physical address, Social 
Security number, home address and birth date can be found for between 
$80 and $300.

The auction marketplace is also selling driver's licenses for $150, 
birth certificates for $150, Social Security cards for $100, and credit 
card numbers with security code and expiration date for between $7 and 
$25.

PayPal or eBay account credentials are available for $7, Genes said.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Mon Dec 18 2006 - 02:29:12 PST