Note: This is the first of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.
The quintessential problem of information security is how to address the technology involved. Each architecture in question has its own potential and known vulnerabilities. These can be discovered by many different players, and today’s article is about why each of them looks for these vulnerabilities.
Over the years, an entire market has developed around the sale of vulnerabilities. This article discusses the players involved in discovering and selling vulnerabilities. The market feeds every kind of user, from criminals and their support organizations (part 2 of this series) to governmental actors who use it for intelligence gathering (part 3 of this series).
First, let’s define what a vulnerability is. A vulnerability, in this case, is a method by which unplanned or unauthorized behavior is induced. That behavior can occur within the vulnerable target itself or in the broader system it runs within. For instance, a vulnerability in database software may give the attacker unauthorized access to data within it, or it may be used to gain access to system resources outside of the database.
Multiple players research vulnerabilities. Until recently, academics were the most common discoverers of vulnerabilities. One of the great historical battles over vulnerabilities was over the concept of “full disclosure”. Researchers would reveal discoveries to developers and promptly face legal threats. They then stopped notifying the developers first and simply announced all the details publicly. This finally pushed developers into releasing patches, but it was ugly. The middle ground that exists now, “responsible disclosure”, involves telling the developer that the details will be revealed after a certain amount of time.
When malware was first identified in 1982, it was written by the same people who discovered the vulnerabilities it exploited. People began trading information on vulnerabilities for prestige and for knowledge they desired. A divergence began, however, when the search for vulnerabilities was no longer just academic.
Bug bounty programs then began offering rewards to those who disclosed vulnerabilities. The first was in 2004, offered by Mozilla for flaws discovered in the Firefox web browser. Vulnerability research became big business around 2007. One of the major drivers of company bounties was that they were now competing against black market trading.
This influx of cash has drawn many more people into the research arena, and it feeds those looking for new tools to exploit. Both organized crime and governmental agents had deep pockets and were willing to spend hundreds of thousands of dollars for zero-day vulnerabilities. Zero-days are vulnerabilities known to neither the developer of the vulnerable software in question nor anti-malware actors.
Part two of this three-part series will cover how the organized crime drivers of the vulnerability marketplace use these vulnerabilities.