The newly released Symantec Report on the Underground Economy discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these good and services. In particular, I’d like to highlight some of the things we observed in analyzing the trade in malicious tools.
One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where malicious tools come into play.
Malicious tools of many different varieties are offered for sale in the underground. This includes exploits, vulnerability scanners, botnets, autorooters, spam/phishing kits, and tools for obfuscating malicious code. These tools play a part in generating many of the other goods and services marketed in the underground economy, such as credit card numbers, personal information, shells, banking credentials, etc. Therefore, the demand for these goods and services creates an opportunity for individuals with the skills required to develop malicious tools, and this helps to foster increasing specialization.
While the market for malicious tools is relatively small in comparison other goods and services such as stolen credit card numbers, the market appears to be productive enough to support the demand for these goods and services. One of our findings is that tools for discovering and exploiting Web application vulnerabilities were popular. This is because compromised websites can generate many different types of goods and services such as personal information, email addresses, shells, spam mailers, credit card numbers, etc.
Here are a few examples (all prices in USD):
• A scanner for remote file include vulnerabilities sold for an average price of $26, and ranged from $5 to $100.
• A scanner for cross-site scripting vulnerabilities was advertised for an average price of $20, and prices ranged from $10 to $30.
• Exploit links to websites that are affected by remote file include vulnerabilities were sold in bulk—100 links could be obtained for an average price of $34 and 200 links could be obtained for an average price of $70.
• SQL injection tools were sold for an average price of $63, and ranged from $15 through $150.
The trade in attack tools and exploits for Web-based vulnerabilities is one more example of how attackers are increasingly motivated by profiting from their malicious activities. Our report helps to show how the underground economy is maturing and becoming a viable source of alternative income for hackers, exploit developers, and authors of malicious code.
I should also note there is one small correction to the report based on recent events. In the report, we discuss the news that development of the Neosploit toolkit had ceased due to competitive from cheaper, less advanced toolkits. It appears that this no longer the case. A new version—Neosploit 3.1—has been spotted in the wild, sporting new exploits and features. Like legitimate software vendors, the developers of Neosploit are also concerned about the effect of piracy on their bottom line. To counter piracy, they have included new anti-piracy measures into this version. It is not known whether the news of its demise was merely a red herring or whether the developers decided to start developing a new version that incorporated features that could recoup some of the losses experienced from piracy or the prevalence of cheaper toolkits.
More information about malicious toolkits and other trends in the underground economy can be found in the Symantec Report on the Underground Economy.