Uh, re-read my post. My point was that based upon somewhat recently
prices on XP exploits, $50k for a Vista exploit did not surprise me one
bit. Maybe not exactly the confirmation you or Roger were looking for,
but I've seen high 5 figure offers for XP exploits for a while, I've
heard of low 6 figure offers from multiple people I trust, and if I were
a bad guy selling 0day I would certainly expect to get a decent price
for Vista exploits -- particularly for non-client-side remote root.
What Trend Micro is reporting on (at least I think) is that there was an
individual or group that was offering up a 0day Vista exploit with a
price tag of $50k, which is currently being "confirmed and evaluated" by
a "trusted third party" (who will probably get a cut of the sale). Odds
are it will go for less. Joke about it if you like, but it is
practically 0bay out there. Some of the Russian boards are discussing
this, like "is it really worth it" and "could they get more". Based on
previous experience and the "talk on the street" (thanks to Google, and
the Beta Google translation from Russian to English) I'd say it is real.
IMO it is an attempt to drive up the price of future exploits.
Now are Vista exploits actually going for $50k? No confirmation there,
but someone is currently offering one for that amount, and it is
possible they will get that much or even more.
-SN
On Wed, 2006-12-20 at 15:31 -0700, Drew Brown wrote:
Uh... Roger isn't talking about XP. He's talking about Vista. Re-read
his post.
I thought he was talking about XP at first too.
And I wondered if the thing was valid myself.
Drew
On 12/20/06, Simple Nomad <thegnome@nmrc.org> wrote:
On Tue, 2006-12-19 at 21:55 -0500, Roger A. Grimes wrote:
> I can't verify it. But $50K for an exploit against an OS
that will not
> be widely deployed for many months seems to be excessive.
Who in their
> right mind would want to pay $50K to exploit 10 machines
before the
> exploit is captured, sent to MS, and patched, all before the
general
> population really starts running it.
>
> It doesn't pass the commonsense test to me. A zero day on XP
Pro would
> be oh, so much more valuable.
XP exploits *are* more valuable. Considering XP exploits
already go for
as much as twice that, $50k actually seems reasonable, or if
not
reasonable, at least what the market will bear. I haven't seen
auction
boards recently (in fact since fed crackdowns it is getting
harder to
get on some boards) and never saw Vista on there as it was
before
Vista's time, but I have seen large amounts. While up to 6
figures for a
remote root XP exploit seems excessive, $50k for Vista does
not strike
me as outrageous, all things considered.
Organized cybercrime, for lack of a better word, seems to be
fairly well
organized. An aggressive business person is willing to spend
money to
make money, so having multiple 0days for future business
expansion would
only make sense, particularly in an area with so much
unlaundered cash
floating around. If the ecommerce sites start moving to Vista
and you
have remote root on Vista, burning a 0day to hit a few dozen
major sites
and grab customer lists, CC #'s, etc is totally worth $50k.
Another thing to bear in mind is that some of the value here
may lie in
something besides actual money. For example someone might be
willing to
trade a run of CC #'s for a Firefox exploit, and if each
credit card
would normally fetch $200, your exploit might be worth 50
credit card
numbers which have a street value of $10k. If you were real
good at
carding you could easily turn this into twice or three times
that.
Otherwise the exploit might only be worth a couple thousand in
actual
cash.
-SN
