Black Market. White Market.
For as little as $25 USD, virtually anyone with nefarious intentions can embark on a life of cybercrime. And you don’t need much technical expertise either. You can rent a botnet to send out spam, jam a website or even monitor keystrokes to detect people’s passwords. You can buy customized malware written by a third party. And, you can even buy and sell zero-day vulnerabilities.
Incredible as it may sound, a thriving underground economy has arisen that supports cybercriminals and trades in tools they need to commit their crimes. It’s so well developed and so highly competitive that it includes auction sites, marketing and advertising, and even support services.
Botnets, or networks of computers that transmit malware to other computers on the Internet, are now bought, sold, and stockpiled. They can even be traded or leased. This lowers the bar for aspiring cybercrime perpetrators, who don’t need to be technical wizards to commit crimes. Malware writers don’t even have to get their hands dirty themselves to turn a profit; they can simply sell their tools and software. Many of these “services” are touted as being for “educational purposes” or for “proof-of-concept testing,” when, in fact, they are being marketed to perpetrators.
With competition to supply botnets heating up, the cost of buying and leasing them has plummeted. Approximately five percent of all global machines are zombies. The cost of renting a platform for spamming is now around $37 USD per zombie per week (Source: UK House of Lords Report into Personal Internet Security, 2007).
Exploits for Sale
For anywhere from $25 to $1,500 USD, you can purchase a Trojan that steals credit card data and mails it to you. And for bigger budgets, there’s custom malware written to target specific companies or organizations. In January 2006, a Microsoft WMF exploit was sold in an online auction for $4,000 USD, allegedly to more than one cybercriminal. Investigations revealed that the exploit was used by at least one buyer to capture machines to spread “pump and dump” spam, email campaigns designed to inflate stock prices with bogus insider information. This is just one example of a relatively low-priced exploit. Some can fetch up to $75,000 USD.
There’s one commodity in the cybercrime black market that is stirring alarm among world governments: zero-day exploits, computer code that exploits a vulnerability for which a patch is not yet available. By exploiting zero-day vulnerabilities, malicious hackers can open back doors in programs and steal personal data, such as bank account information. Worse yet, such an exploit can be used to inflict significant damage on the infrastructure of a nation, or it could be used for cyber espionage. And it doesn’t stop there. These vulnerabilities are often used to blackmail the vendor of the affected software. “There is no magic involved in cyber-espionage, all anyone has to do is exploit some flaw or vulnerability,” said Shawn Carpenter, principal forensic analyst at Netwitness.
Data for Sale
Personal information such as passwords, credit card numbers, email addresses, and Skype accounts is also bought and sold. Credit card information can be purchased for upwards of $5 USD per account.
Recently, a popular application on Facebook called “Compare Me” was used to gather personal data, which was promptly sold for $9 USD a pop. “Compare Me” asked users to rate their friends according to various qualities, like trustworthiness, attractiveness, sense of fun, etc. The writers of the application originally promised that only general results would be made public (for example, “X is 3rd hottest in your friends circle!”). A few weeks later, however, non-anonymous information was made available for sale.
The white market
You might be shocked to learn there is a legal “white market” for buying and selling zero-day vulnerabilities. Companies such as Tipping Point (owned by 3Com) and iDefense (owned by Verisign) are pretty open about the fact that they buy these software flaws. Governments also employ experts to hunt for these flaws.
There’s ongoing debate about whether a white market should be allowed. Some people believe that discovering a vulnerability is hard work and that researchers should be paid for it. The rationale is that their work is for the public good. On the other hand, software developers argue that a bug in their software is not something that should be sold back to them or to someone else.
While experts agree vulnerabilities need to be discovered, many still feel uneasy about selling them for profit. After researchers disclose a vulnerability to the software vendor, the vendor makes it known to its own customers, and the vulnerability is then fixed or patched. But there is inevitably a time gap between when a vulnerability is found and when the vendor patches it, so there’s always a danger that exploits can fall into the wrong hands. To prevent that from happening, the U.S. government is working on legislation to block the sale of 3Com, which owns Tipping Point, to a large Chinese company with government links.
Conclusion
As a member and contributor to the Organization for Internet Safety (OIS), McAfee believes that the existence of a legal white market is not in the best public interest and advocates ethical disclosure of zero-day vulnerabilities. “We believe that the only way to secure networks is to make disclosure solely about ethics rather than notoriety or financial reward,” said David Coffey, director of product security at McAfee. (Source: McAfee Virtual Criminology Report, Cybercrime: The Next Wave)
The black market for exploits may continue to thrive, but if we allow a white market to flourish, we would be increasing the danger that vulnerabilities could fall into the wrong hands.
(Portions of this article were excerpted from the McAfee Virtual Criminology Report, Cybercrime: The Next Wave.)