Exploit Sweatshop

Thu, 30 Apr 2009 12:04:47 GMT

When I was experimenting with and introducing the partial disclosure practice a year and something ago, I was contacted by numerous dodgy characters willing to buy as-yet-undisclosed vulnerabilities for substantial amounts of money. Requests of that nature were, of course, politely ignored. I couldn't believe that someone was willing to pay me so much for something that took me two or three hours at most to produce.

Later on, at the CONFidence 2008 event in Krakow, I met a bunch of people who claimed they were already selling exploits to various UK companies, and the figures they quoted were outstanding. To give you an idea: given the pound/dollar exchange rate at the time, you could have made six times what ZDI and similar programs offer for a top-range exploit. That already beats a top salary in the UK.

Same year, different event... I saw an interesting presentation by Robert McArdle from Trend Micro, titled "Fighting Web Based, Profit-Driven Threats". On one of his slides, Robert commented that "cybercrime is becoming more profitable than the drug cartels". Perhaps you won't be able to make as much money from carding as you might expect, but you can do quite well selling virtual goods such as exploits and exploit toolkits.

More recently, at the DojoSec Monthly Briefings, Matthew Watchinski from Sourcefire VRT talked about a PDF 0day that was spreading around Christmas. It took Adobe a good couple of months to fix it. According to Matthew, the author sold it for $75K to an unknown third party in China. The vulnerability was also relatively easy to find and required very little experience to exploit.

All of this leads to the obvious conclusion that cybercrime is, at present, a flourishing industry. Soon there will be even more recruits joining the ranks of the cybercrime cartels. They will do it for the money!

No more free bugs, you say? I say you are leading people to become the next generation of cyber menace. Perhaps you have forgotten that the information security community was built on, and thrived because of, a simple but fundamental principle: knowledge must be free.

Sell The Bugs

Regardless of how good these figures may sound, you need to take a step back and think hard about what you are getting into. Here are a few points to consider before selling exploits:

  • Cybercrime is not a joke - If you get caught selling exploits to a dodgy third party you may end up with a prison sentence longer than a child molester's. If you live in the US or the UK you could be charged and treated as a terrorist, which will destroy not only your life but the lives of the people closest to you.
  • Tax man problems - Oh yes! Unjustifiable income can get you in trouble with the tax man. The tax man will hunt you and hurt you.
  • Broken legs and other broken body parts - You have no idea whom you are selling to. Tomorrow you may wake up with broken legs and twice as poor as the day before.
  • Even worse - People will kill for a lot less than $75K. Keep that in mind.

In my humble opinion, exploit brokerage is a risky business. The risk is unquantifiable, and it exists precisely because of the high prices exploits fetch today.

Exploit Sweatshop

Nevertheless, it is silly to believe that no one is producing and selling exploits on a large scale. Do you remember the numerous gaming sweatshops that sprang up like mushrooms after rain in third-world countries? I recall a documentary on a typical day in a Chinese WoW sweatshop: a room full of half-naked people and numerous PCs hooked up to a gigantic DIY network spreading across the entire floor. Most of the WoW accounts were fully automated, running on virtualized platforms.

The aim was simple: a) develop many characters in a semi-automated fashion by killing small animals and other things around the WoW world, and b) sell the characters plus other artifacts to Western buyers for a substantial amount of money. All of this can be achieved for as little as $70 a month per person. It is a remarkable business model, and it works extremely well.

Similarly, all you need is a bunch of programmers from India, China or Eastern Europe to code up fuzzers and run them against as many software products as possible. At the end of the day, memory corruption bugs are relatively easy to detect: all you need is a crash caused by stuffing far too many 0x41 bytes into a buffer. The crash alone is an indication that something is wrong. It takes a bit of manual work to figure out whether the crash is exploitable. From personal experience, and from looking at the work of my peers, it takes approximately 10 days to develop a crash into an exploit. Most of the time the exploitability of a crash is apparent, so no time needs to be wasted on it. Other times a crash can be archived for future investigation, since it may become exploitable once the necessary conditions are met.
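To make the "far too many 0x41 in a buffer" step concrete, here is a minimal dumb-fuzz harness of the kind that paragraph has in mind. It is an added example, not code from the original post or from GNUCITIZEN: the wire format, parse_record(), the 64-byte buffer and the length ramp are all hypothetical and constructed so the harness has something to find. It runs the parser in a forked child and reports the signal that killed it, which is exactly the "crash is an indication that something is wrong" signal; it says nothing about exploitability, which is the manual triage step described above. POSIX only (fork/waitpid).

```c
/* Added example, not code from the original post: a minimal "dumb" fuzz
 * harness. It feeds a parser a record whose name field is a long run of
 * 0x41 and watches the child process for a fatal signal. parse_record()
 * and its wire format are hypothetical and deliberately vulnerable
 * (unbounded copy into a fixed stack buffer) so the harness finds a crash.
 * POSIX only (fork, waitpid). */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical wire format: 4-byte big-endian length, then that many bytes
 * of name. The length is checked against the input size but never against
 * the 64-byte destination: that is the bug. */
__attribute__((noinline))
int parse_record(const uint8_t *in, size_t len)
{
    char name[64];
    if (len < 4)
        return -1;
    uint32_t n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                 ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    if (len - 4 < n)
        return -1;                      /* the input really is that long... */
    memcpy(name, in + 4, n);            /* ...but name[] is not: overflow */
    __asm__ __volatile__("" : : "r"(name) : "memory"); /* keep the copy alive at -O2 */
    return (int)n;
}

/* Run the parser on one input in a forked child. Returns the signal that
 * killed the child (SIGSEGV, or SIGABRT from a stack canary), 0 if it
 * exited cleanly, -1 if the harness itself failed. */
int crash_signal(const uint8_t *in, size_t len)
{
    fflush(NULL);                       /* don't flush stdio twice after fork */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = parse_record(in, len);
        _exit(rc < 0 ? 2 : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Build a well-formed record whose name is n bytes of 0x41. Caller frees. */
uint8_t *make_record(uint32_t n, size_t *out_len)
{
    size_t total = 4 + (size_t)n;
    uint8_t *buf = malloc(total);
    if (!buf)
        return NULL;
    buf[0] = (uint8_t)(n >> 24); buf[1] = (uint8_t)(n >> 16);
    buf[2] = (uint8_t)(n >> 8);  buf[3] = (uint8_t)n;
    memset(buf + 4, 0x41, n);
    *out_len = total;
    return buf;
}

/* Run one name length through the harness; returns crash_signal()'s result. */
int fuzz_length(uint32_t n)
{
    size_t len;
    uint8_t *rec = make_record(n, &len);
    if (!rec)
        return -1;
    int sig = crash_signal(rec, len);
    free(rec);
    return sig;
}

/* The "sweatshop" loop in miniature: ramp the field length up and report the
 * first one that kills the parser (0 if none did). A signal proves a crash,
 * not an exploitable bug; that judgement is the manual triage step. */
uint32_t first_crashing_length(void)
{
    static const uint32_t ramp[] = { 8, 64, 256, 4096, 1u << 20 };
    for (size_t i = 0; i < sizeof ramp / sizeof ramp[0]; i++)
        if (fuzz_length(ramp[i]) > 0)
            return ramp[i];
    return 0;
}

int main(void)
{
    uint32_t n = first_crashing_length();
    if (n)
        printf("parser dies at name length %u: a crash, not yet an exploit\n", n);
    else
        printf("no crash found\n");
    return 0;
}
```

Build with `cc -O2 -o fuzz fuzz.c && ./fuzz`. Two practical caveats: a stack canary turns the SIGSEGV into a SIGABRT and ASLR/NX change nothing about finding the crash, only about turning it into an exploit; and the 10 days quoted above start here, because the harness tells you that the parser died, not why or whether the overwritten bytes are under your control.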

Perhaps you can do all that by paying someone as little as $70 a month, as is the case with WoW sweatshops. That is a third of what I pay for hosting alone. I could most certainly afford to hire three or four people right now and even double their salaries, but let's do the maths:

# average exploit price: **$5000**
# number of people to hire: **5**
# average monthly salary: **$100**
# job specs: **write fuzzers**
5 * 100 = $500 # a month expenses
5000 / 500 = 10 # months worth of work

Heck, I could even put this bill on my credit card and pay as little as $50 a month. The chances of selling an exploit for $5K within the next 10 months are pretty high, and $5K is only what I'd get from a legitimate company. I could probably make six times as much by selling it to a dodgy third party. The only thing I'd need to worry about is the risk.

Some Final Words

Finally, I know that a lot of people are in the security business because of all the romanticism and the myths surrounding the "hacker" figure. Things look different once you become the hacker and your day job and lifestyle revolve around hacking and breaking into systems of every sort. There is nothing romantic about it.

So, don't get into trouble for the wrong reasons. If you are young and need advice on what to do with your career, contact us, or contact anyone who has been in this industry long enough to give you good, sensible advice. Just don't jump on the "No free bugs!" bandwagon.

I have been following you on twitter for a long time now and I just have to say I really enjoy reading your work! Especially THANK YOU for bringing up the not-so-romantic aspect of being a hacker! It really needed to be said again! As you very well know, the "young chihuahua" syndrome that young people get when they decide they wanna head down that path can be tiring, not to mention frustrating and annoying lol. Like always we cinch up our big-boy pants, calm down and try to help them every step of the way. Thanks again for a great article!! Fantastic work!
Alexander Sverdlov
Totally agree with you, PDP. However: We MUST fight to get the price of exploits sold legally higher. Yes, that way the company that is legally buying them will make less money.... but this is the only way to fish out the "blackhats" and get them to work on the white market - give them more money for doing it legally (not more than they would make with a crime, but good enough to consider the lack of risk). Yet... how could we accomplish this? Me thinks.. only by refusing to sell 0days for less than 5000K a piece.
Alexander, first of all we need to establish that companies such as ZDI are buying bugs, not exploits. If you provide an exploit, though, their work will be easier and therefore you will get paid more. Writing an exploit is the process of weaponizing a bug. No company in its right mind, without breaking the law and raising too much suspicion, will buy exploits. This is the fundamental difference which I think we all should agree on.
Dino Dai Zovi
There can be a big difference between a PoC exploit and a "weaponized" exploit. Some level of exploitability research is necessary to properly gauge the risk of the vulnerability. There is a big difference in the amount of danger presented by a bug with a MSRC Exploitability Index of 1 (consistent exploit code likely) versus 3 (functioning exploit code unlikely). 1's are the types of bugs that turn into malware attacks. If you are trying to prevent actual attacks (not just trump up vulnerability counts), you want to address the 1's first and de-prioritize the 3's. Having someone perform the exploitability research is the best way to separate the wheat from the chaff. I agree with Alexander that the best way to make fewer vulnerabilities end up in the hands of malware groups is to give researchers enough of an incentive to "do the right thing". $75K versus $0 (vendor) or $5k (ZDI) is a simple decision. Look at the success of the iTunes Store (now the #1 music seller in the USA). Give people a convenient and properly priced avenue and most will do the right thing. -Dino
First of all, the analogy with the Apple music store is flawed. The entire music industry is in decline. Perhaps Apple is the biggest music seller in the USA, but what size of market are we talking about? The music industry is measured not only by the number of songs sold but also by other things such as video, music channels, concerts, merchandise, etc. Dino, from a purely business perspective, $75K is an impossible sum to get out of a vendor or a vulnerability disclosure program. For that amount of money any company can outsource a whole team of researchers specializing in finding vulnerabilities in a single product. Also keep in mind that there are many hungry but extremely gifted people out there. If someone is willing to put up $75K for a vulnerability, there will be many people outbidding each other. The only people who will pay $75K are those who are interested in a fully functional exploit, for whatever reasons they may need it. Just keep in mind that criminal organizations always have more money to offer, regardless of how much you price legitimately disclosed vulnerabilities. If a company offers a bounty of $75K per exploit, a criminal organization will outbid it by 3-4 times that figure. How much is a vulnerability worth to the vendor? Not as much as they would like to admit!
Your reasons for why NOT to sell bugs are just FUD. Many people successfully sell vulnerabilities without any of the problems you describe. Tax accounting isn't that hard either.
It is naive to expect that security companies can pay more for gaining information about a vulnerability than an interested malicious third party -- simply because the third party expects to recoup the spending with a sufficient profit margin (or anything of greater value) by exploiting the vulnerability. Security companies can't do that -- this money is basically thrown down the sink, as they cannot recover those expenses. It simply doesn't make economic sense to do just that, let alone solve the actual problem. If there were no demand for paying for vulnerability information, nobody would be selling. Of course, that still does not eliminate the illegal market, but paying for bugs will not remove it either; it will instead legalize it. After all, if "legal" companies can buy vulnerabilities, why should others not as well? A very good article, pdp.
come on hd, I doubt that you've read the entire article. selling bugs to whom?
mindcorrosive, indeed.
Dino Dai Zovi
Obviously parties with a profit motive for the vulnerability are going to pay more for them, and they do. This implies, however, that large software vendors derive no profit or utility from reported vulnerabilities, since they don't pay for them at all. They have the same response whether you post it directly to FD or submit it responsibly to them, except they just take longer in the latter scenario. Mozilla has a security bug bounty ($500), as does djb ($1000). These large commercial vendors can't take more responsibility for their shipped products than a non-profit foundation or a private individual? It's great that in the last 10 years of vulnerability research and disclosure, the companies that "have a clue" will actually fix reported security issues in a number of months rather than years. Is that the best that we can hope for? -Dino
If you ask me, this all boils down to how valuable security is to business in general. If Adobe doesn't value it high enough, this provides openings for exploits to be found by others and fuels their trading. It also means they're worth less on the legitimate market, and worth more on the dark market. None of this ever really changes until organizations value security both in their products and in their environments.
dino, one thing that we've learned during the last 60 years of computing is that software bugs are side-effects of complexity, i.e. manifestations of human and design imperfections. bugs are common, like it or not, and that property makes them of less value. how much more do you expect vendors to pay for a bug? asking for more money will not make problems disappear. in fact, it will make the situation even worse. if a vendor gives you $75K for a bug then they will most certainly put you through an NDA. now the bug may not get fixed in the next 3 years. imho, the no more free bugs campaign is nothing more than an opportunity for the black market to tamper into even more talent.
"imho, the "no more free bugs" campaign is nothing more than an opportunity for the black market to tamper into even more talent." pdp, you nailed it on the head there. The moment you put a tangible market price on this, the whole game changes. Nobody's going to report vulnerabilities that they discover, in the hope that they will get paid for their effort. It will have the effect of both increasing the number of exploited vulnerabilities AND the number of responsibly disclosed ones. I can't see how that is a good thing.
PDP, do you have any personal experience selling bugs? Did you get physically threatened? Did you find it hard to locate a legitimate buyer that would keep within your ethical boundaries? The premise for this article contradicts my own experience (a few years ago, but still relevant). As for the sweatshop angle, that only works until the people finding the bugs figure out your margins and go into business for themselves. One thing proven by the commercial vuln buying organizations is that they will buy bugs from nearly anywhere (the only problem is payment in some cases). You are assuming that the people with the skills to actually do the work are willing to get paid sweatshop wages. We (metasploit) actually looked into sponsoring a Filipino research team at a similar rate, but the folks we would sponsor would have very little computing or security experience at first. In the end, the time expense for rampup/training was more costly than the amount of money we would need to raise each month for salaries.
Is it bad that companies will pay for bugs, or that *researchers* try to drive the market by asking to be paid? I feel that a part of the desire to sell bugs comes from the simple growing up of many hackers who played around with and gained skills as a kid. When you're 16 and finding bugs, you may not give a rip. If you're 24 and have bills and maybe even got your girlfriend pregnant, you'll have a new perspective and a new valuing to your time. Obviously that is not the whole issue, but I think that may, in part, describe some people who desire to sell bugs. Ultimately, pdp, you have a huge point that I can't agree with more: knowledge should be free. It truly *has* to continue to be a fundamental principle to our culture, not something that hackers today have left behind.
HD, most of our (GNUCITIZEN) discoveries are online and a few were sold privately to companies such as ZDI, not to random strangers from the friendly Web. As for your sweatshop comment, I don't think that writing fuzzers needs any specialized skill apart from knowing how to write basic programs. It is all mentioned and explained in the article.
pdp, a lot of interesting comments and feedback. Thought provoking.
I agree with HD. I am from India; people are good with computers but not with security here. I can guarantee people with this idea can't survive here. Also the math is different: if you are a security guy and you could code exploits, you charge a minimum of $500 to $1000 per month :)
Raaka, thanks for the comment. Which aspect of HD's comments are you agreeing with? Also, I apologize for giving India as an example. I know many gifted security guys from there and I have a high respect for your education system. I also referred to people from eastern Europe, where I am from, to be fair. :) The fact, though, is that India is one of the perfect places for outsourcing things at a cheaper rate... Now, coding exploits has nothing to do with finding bugs... seriously... especially when all you want to achieve is a crash which can be replicated. It doesn't require any special knowledge to write fuzzers or fuzz test software. At least, this is my humble opinion. My example was vague but based on other similar types of business models, i.e. WoW sweatshops, as I mentioned. There are many other points in the article. Let's not ignore them.
[HD Filipino research team] I believe finding bugs is an art :) I personally believe China is better in this part. [Fuzzers] Yes, but India is a completely different jungle. You can hire a bunch of engineering guys but the minimum wage will be like $250 to $300 per month; the kind of profit-making market you mentioned is long gone. But to my knowledge the army is hiring hackers to develop exploits ;)
In my humble opinion this is an unlikely scenario. Writing a successful BOF exploit nowadays is much tougher than years ago. Now you've got things like ASLR, NX pages, canary values on the stack, SELinux and stuff. Provided that you are not likely to find memory pages that are executable and writable, you don't know the exact address of your shellcode (because the memory layout is randomized) and you just can't overrun the return address on the stack because you don't know the canary value, today writing BOF exploits (at least on linux) is a kind of art. Still possible, but much harder and sometimes not reliable. Come on, it's 2009 now. Aleph1's times are long gone (and for good IMO). Don't know about the Microsoft world though, probably it's easier there. Thus, I don't think a couple of underpaid Chinese 'hackers' will be so productive in that aspect. Although, as far as web vulnerabilities are concerned, I totally agree with you that's a very possible scenario. Web application vulnerabilities are generally much easier to exploit.
I also believe that Web Application Security is the way forward. Everything turns into a webapp nowadays and there are so many gray areas that can and need to be explored.
first of all, very interesting post. lots of ideas flowing in all directions which is definitely a positive thing. personally, regarding selling vulns, i'd rather avoid unknown buyers, and stick to programs like ZDI. yes, ZDI will pay you MUCH less than a company which will force you to sign an NDA, but i think it's worth it, considering that you know who you're dealing with. prob. the only other type of entity i would sell vulns to, besides programs like ZDI, is the government. And even then you gotta really think about what government you're selling it to, as it can actually screw up your career due to international politics. ie: .uk researcher selling vulns + working exploits to the .cn government. Regarding 'hacker' romanticism, pentesting, exploit writing and vuln research in general are nothing other than 1) spotting the crap that other people forgot to clean, and 2) proving that not cleaning your crap can lead to a problem. Although i love offensive security in general, i must say that sometimes i feel like changing careers and becoming a hotel manager in sunny southern spain :) Security research is very interesting, but no one gives a darn ultimately.
I cannot agree more. :) let's open a GNUCITIZEN Coffee Shop.
"Do you remember the numerous gaming sweatshops which sprung up like wild mushrooms after the recent heavy rains in 3rd-world countries? I recall seeing a documentary on a typical day in a Chinese WoW sweatshop. I remember I saw a room full of almost naked people..." "Finally, I know that a lot of people are into the security business because of all the romanticism and the myths surrounding the hacker figure" Which is it then? People also make shoes and clothes by hand in sweatshops, that doesn't take much intelligence either. If the same people who get paid $70 a month to put strings in shoes are also writing exploits, doesn't that kind of take the whole "romanticism" and "elitism" of being a "hacker" and throw it out the window?
* Thinking that some corporations buying "0days" are better or have better ethics than others could kill you from naiveness. * Also, that idea gives the 'preferred' corp the right to put whatever price they want on your research. * The authors are not always the ones selling the shit to 'fill-with-gov-you-hate'. Authors sell IP rights.
the black vs white markets for 0day... the gap is enormous... pwn2own isn't about winning an ipod... it's about advertising that you're a player.
@fd.throwaway you are missing the point. I've already commented on this!
g/, the whole no more free bugs thing sounds like extortion to me. nobody asks researchers to find bugs, just as no one asks anybody to test the security of your front door. don't get me wrong. do I want to get paid more? hell yeh! the thing is that it is up to you whether you want to sell it or not for the price that is offered. in other words, if I offer you $5 for an exploit it is up to you to decide if you want to have a deal or not. some people think that my argument is that security researchers are already paid enough and they don't deserve to be paid more for their exceptional work. this is incorrect. my opinion is that although you, as a security researcher, dictate the price of your work, at the end of the day it is all business. you can ask for any sum you can imagine but if no one is willing to buy it at that price you will lose. and asking 75K from a legit company for a vulnerability which could be leaked tomorrow is not the way to go. it is a high risk investment no one will bother to get into. as a businessman, if I give you 75K for a vulnerability I would like to see first of all a return on that investment and perhaps even a bit of profit. the only people that will buy at that price are either military institutions (only if in line with the current budget and objectives) or shady figures from around the Internet who will use your work to expand their botnets.
higB, absolutely! but do not forget that there are many other people out there who are not willing to share any information publicly. there are many of them!
oh you mean where you said "Now, coding exploits has nothing to do with finding bugs… seriously… especially when all you want to achieve is a crash which can be replicated." Why would you only want to achieve a crash? It goes without saying that is only half of the exercise. No one's going to pay for code that only causes a fault; they want the exploit that goes along with it. Also the level of difficulty of coding exploits vs. finding bugs is subjective. I would not be surprised one bit to find those same sweatshop workers not only running fuzzers but also coding the sploits to go along with them... this isn't exactly quantum calculations, this is bottom feeding leg work.
knowledge should be free and accessible to all and we should be thankful to those that are provided to illuminate the way and share their knowledge with others, without any profit.
Jeremy Richards
"Dino, from purely business perspective, $75K is an impossible sum to get out of a vendor or a vulnerability disclosure program. For that amount of money any company can outsource a whole team of researchers specializing finding vulnerabilities in a single product." Excuse me, but when a vulnerability is worth $75k on the vuln black market we're talking about vendors with massive market penetration. We're talking Microsoft, Apple, Adobe, IBM, etc. From a purely business perspective, WTF is 75k to these companies? Let's pretend for a moment that Adobe could pay for that whole 0day issue to just go away... do you think they would pay 75k for that to never have happened? What was the impact on Adobe's image? their brand? The issue here is the same one that plagues the entire security industry - what metrics do we use to quantify the damage? If 75k was all it took to hire 'an entire team' of security researchers to hammer away at a complex product (and it's not) then companies should damn well be doing it. If they're not... they should pay dearly. If I go out and buy a lawn mower and it has bugs... I can return it and get my money back... or at least get a new one without the bugs. If the bug in the lawnmower cuts off my foot (INSERT CONFICKER DAMAGE ESTIMATE HERE!) I'm effing pissed and I sue Lawnmower Co. If I go buy a Quicktime media broadcasting product and my .com gets pwned and I spend $??k fixing the internal breach, can I sue? No. (Unfortunately) I agree that companies won't pay $75k for a game-over vulnerability in their product, but that's because they aren't measuring the impact that their bad code has on their image and, more importantly, they aren't held accountable for the damage they cause around the globe when their shitty code breaks.
Jeremy, as I mentioned in the blog post, I would love to see security researchers getting paid more, but not by means of extortion. This approach will not only backfire soon but will also undermine all of our hard work. I don't mind if you can get paid 75K for a bug. If you can, and you are happy with the terms of the deal, then you should do it. What I do mind is the whole no more free bugs campaigning. What the no more free bugs campaign promotes is not disclosing critical information unless certain demands are met. It sounds ridiculous and terribly wrong! Also, it is pretty subjective to talk about how much Apple and other software and hardware vendors are willing to pay for a bug. Keep in mind that if they knew that a vulnerability in their products is worth $75K they would have had a proper bounty program. As far as I know, Mozilla is one of the few vendors which offer bounties for bugs and they are not paying that much, i.e. you are not going to get rich. As a matter of fact, I hear that ZDI has bought some vulnerabilities for at least $50K in some instances. I am not sure if this is true, but if it is then I guess the market is finding its own way to justify the cost. However, if bugs can be sold to vendors for $50K then why should anyone bother with pwn2own competitions where you are making a lot less than that?
The solution to this dilemma seems obvious. Instead of paying security researchers per bug found, pay them by the hour, or put them on salary. Pay full time security researchers around $75K a year (depending on skill and time worked), pay for their health care, a 401K, and/or other customary benefits in their country, instead of paying them per bug. Then the bugs get released when they are found, and shared with all other security researchers, and researchers get paid for their work. This system is preferable for most people to getting paid a lot per bug because it offers long term financial security for the researcher. Most people wouldn't risk a decent job for quick cash, and since selling bugs to shady 3rd parties would get them fired, as well as the other potential consequences you mentioned, they'd have a big incentive not to do it. They could pay non-professionals something for submitting bugs, but the biggest incentive for a non-salary researcher to submit bugs would be to prove they're worth hiring. This is the system most academic disciplines use and it works for most of them.