Word is on the Russian Underground: Windows Zero-day for Sale

Windows vulnerability being auctioned with a starting price of $95 000

Researchers have uncovered a zero-day exploit for Windows for sale on a Russian criminal forum. Although the company behind the detective work – Trustwave SpiderLabs – cannot verify that the exploit is authentic, they believe it is, and that it will be used.

Zero-day exploits are often sold on the Underground – they are either bought by gangs for attacks, or traded on by brokers. Surveillance companies also buy them to use with their existing products. It is like a Dark version of any daylight commercial market – though trust between the businessmen has to be paramount, as penalties in this market do not stop at lawsuits and litigation: in the circles of the Dark market, distrust can be deadly.

For this reason, the trading of zero-day exploits relies on both parties’ credentials, and on references from known operators. This is why Trustwave’s SpiderLabs were so surprised to discover a ‘product’ of such scale – the offered exploit – so openly marketed. The forum is used by Russian-speaking cyber-criminals as a platform “… where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose,” wrote SpiderLabs in a blog post (31/05). “However,” it added, “finding a zero day listed in between these fairly common offerings is definitely an anomaly.”

The exploit is marketed as a local privilege escalation (LPE), working on Windows OS from XP to 10. The advert asked for offers above $95k. While the exploit cannot be authenticated, SpiderLabs added, “… the offer is likely a valid zero day, and that the asking price is likely to be met by an interested cybercriminal.” One argument for its validity is the lengths the vendor is going to (and the risks taken). This is demonstrated in the detailed marketing description, which displays an understanding of the (Dark) marketplace. Payment is demanded in bitcoin and the deal is brokered through the forum admin.

Originally posted on 11/05, the ad was updated 23/05 with the lowered starting price of $90k, suggesting that there was less market interest than expected. Also added was the confirmation that the exploit would only be sold to one single customer (the addition of this exclusivity confirmation could suggest that there was interest and this was a response to an interested customer).

The vendor posted two video demonstrations on the channel. Trustwave observed – rather ironically – “It is interesting to note that the video was actually recorded on ‘Patch Tuesday’ and the author made sure the latest updates were installed.”

The security company explained that LPE zero-days are second only to remote code execution (RCE) zero-days. And, although an LPE ‘can’t provide the initial infection vector like a Remote Code Execution (RCE) would, it is still a very much needed puzzle piece in the overall infection process. An LPE exploit provides the means to persist on an infected machine, which is a crucial aspect when considering APTs (Advanced Persistent Threats).’

This exploit – if the adverts are to be believed – could go far. The vendor proclaims that it can escape sandboxes, install a rootkit in ring0, gain persistence through system modification and download other malware, even bypassing admin install restrictions.

If the advertising blurb is to be believed, and the exploit is used wisely for targeted attacks, then this could prove to be a serious new threat. Once off the forum, there will be no trace of the exploit – until it attacks. Ziv Mador, VP of Trustwave: “… in the later post the seller mentioned that the 0-day would be sold exclusively to a single buyer. Therefore, if it is removed, it may mean that it was sold.”

He was unsure whether its use would even be recognized if launched by criminals, and equally unsure whether the exploit might instead be purchased and kept in the arsenal of a state-sponsored group.
