How do black-hat hackers make money from their zero-day exploits?

One method is to come up with some sort of wrapper code that would deliver it. The Angler rootkit, for example, has a history of doing this; last year, it introduced four zero-days as a part of its offering while still constantly refreshing its list of new exploits.

But markets change, and now zero-days will be sold for a profit. Some cybercriminals covet them for their own use, and some brokers will facilitate such a trade.

The Hacking Team decided to test this process. Afterward, Vlad Tsyrklevich conducted an analysis of the emails between the parties, which indicated a high level of distrust between them. It seems that the cybercriminals fear being cheated and as a result won’t often sell their exploits on the underground.

Selling the Exploit

When Trustwave’s SpiderLabs found a zero-day exploit being offered inside a Russian cybercriminal forum, it came as a surprise. The forum in question is usually used as a collaboration platform “where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites or even rent a whole botnet for any purpose,” Trustwave SpiderLabs said.

“However, finding a zero day listed in between these fairly common offerings is definitely an anomaly.”

According to the seller, the zero-day in question is a local privilege escalation (LPE) that works on all current versions of the Windows operating system. It was put on sale at prices above $95,000 and was later reduced to $90,000.

Trustwave asserted it cannot vouch for the claims. While the offer may look real, there’s no foolproof way to guarantee it unless they purchase the exploit — or stumble across it in the wild.

Mitigating the Zero-Day Risk

SpiderLabs offered three thoughts on reducing the risk of zero-day attacks.

First, it advised organizations to keep software up to date. LPE is one component of a successful compromise. For example, your machine may not be patched against the zero-day LPE, but it could be protected against the second portion of an attack.

Second, make sure you have a comprehensive security program that eliminates gaps. Finally, use common sense. Don’t click on unknown links or attachments, and train your employees so they do the same.

The possibility of a zero-day exploit is always there. Someone will always find a way around security. It’s up to the end user to stay safe.