The zero-day is actually not that useful after all

Jun 11, 2016 00:00 GMT  ·  By

At the end of May, news broke about a Russian hacker selling a zero-day vulnerability affecting all Windows versions for $90,000. According to Trustwave, the company that's keeping an eye on the zero-day's ad, the crook has lowered the price to $85,000.

The vulnerability was initially put up for sale at $95,000, and this is the second price cut the seller has granted buyers.

Softpedia has contacted Craig Young, computer security researcher for Tripwire, in the hope of getting some insights into why a zero-day affecting all Windows versions would be so hard to sell.

This might not be an exclusive sale

"A couple of theories come to mind," Young told Softpedia. "My initial thought is that perhaps this is not actually an exclusive sale, as the author has claimed, and that in fact it has already been sold to one or more customers. It may be that the vendor has a questionable reputation or that they are simply asking too much for the exploit."

This is not a stretch to believe. Hackers have a poor reputation when it comes to keeping their word, and many would gladly lie for a quick sale and simply change their nickname down the road.

While most run veritable marketing campaigns among fellow crooks to advertise their hacks and boost their reputation, the term doxing emerged on the Dark Web, where it was initially used to expose hackers who didn't follow through on their promises.

Young, a former software engineer with IBM and later a security expert with nCircle and Tripwire, has also pointed out another problem with the zero-day listing.

The zero-day is not really that useful without other malware

"The type of exploit described requires that the attacker already has access to run programs on a targeted computer and would not work to exploit users with common web-based attacks," Young says.

In fact, the hacker, named BuggiCorp, is selling a simple local privilege escalation (LPE) vulnerability. This type of threat, as Young told Softpedia, can't be used on its own to compromise a system.

The zero-day put up for sale is what industry experts call a second-stage exploit that can be used to elevate the low-level privileges of a basic malware downloader to higher execution levels. In the zero-day's case, it's the highest level available on Windows PCs, the SYSTEM level.

LPE zero-days aren't worth $90,000

"While browser exploits and remote code execution bugs have been documented as fetching considerably more than $90K, a local privilege escalation is a completely different product," Young adds.

A list of zero-day prices revealed by exploit broker Zerodium last November shows that Windows LPE zero-days are valued at only about $30,000, which means the hacker will have to cut his asking price further to have a chance of selling his zero-day in the coming months.

Generally, the zero-day exploits that bring in more money are offensive exploits such as RCE (Remote Code Execution) vulnerabilities, or any other exploit that can be carried out remotely, for example via a Web page.

BuggiCorp's zero-day, even if it works on all Windows versions and can also bypass the EMET security toolkit, is actually useless without a method of penetrating a user's system.