
2010 Fourth International Conference on Emerging Security Information, Systems and Technologies

Eliciting Information on the Vulnerability Black Market from Interviews

Jaziar Radianti
Security and Quality in Organization Research Group
Department of ICT, University of Agder
Grimstad, Norway
[email protected]

Abstract—Threats to computing prompted by software vulnerabilities are abundant and costly for those affected. Adding to this problem are the emerging vulnerability black markets (VBMs), since they become places to trade malware and exploits. VBMs are discussed here based on information derived from interviews with security researchers. The effort is enriched by further examination of documents surrounding the disclosure of four selected vulnerability cases. The result suggests that the VBM is bifurcated into two distinct parts, the skilled-hacker and the script-kiddie VBMs, with a possible link between them, where the latter become places to sell malware or exploit kits after the zero-day vulnerability has circulated through several hands and may have decreasing value.

Keywords-Software Vulnerability; Black Market; Interview.

I. INTRODUCTION

Black markets for trading exploits, malware, viruses, and stolen goods exist, and have been discussed in several papers and reports [1, 2, 3]. A rising trend in cybercrime, e.g., phishing, identity theft and denial of service attacks, might relate to these underground activities. Recent empirical studies have contributed to a better understanding of the vulnerability black markets (VBMs) [1, 2, 4]. Their focus is to identify the actors, commodities, estimated earnings, prices, and operations of the VBMs. Even so, a few issues are still unanswered. For example, there was a discrepancy between zero-day (0-Day) exploit prices quoted by security media, which were very high, and the prices of malicious tools on observed sites, which seem quite low. In addition, the commodities advertised in the VBMs [5] trigger another question: do malicious agents still have a chance to misuse vulnerabilities even after they have already been patched?

This article argues that there may be different black market structures that explain the discrepancy between low and high exploit prices. It also discusses the possible connections between secret 0-Day exploit trading and the Internet black markets, and the supply and demand for exploits in such a two-tiered market structure.

Two indirect approaches are implemented to answer those questions. The first is to conduct interviews with vulnerability contributors, since first-hand informants are very unlikely to be obtained and will conceal their unlawful behavior. The second is an archival study that examines and verifies four vulnerability cases pointed out by informants as having been traded underground before their disclosure. The interviews are part of a larger study to examine security researchers' knowledge about, and attitude toward, licit vs. illicit markets for software vulnerabilities. In this paper, however, the discussion focuses only on the illicit part. The results from the interviews are analyzed thematically. The results seem to strengthen the hypothesis that there may be a two-tiered underground market.

This paper is divided into 5 sections. Section 2 presents a brief review of related work. Section 3 introduces the approach and informants of this study. Section 4 describes the results, analysis, and discussion. Section 5 contains the conclusion and insights from this work.

II. RELATED WORK

Anderson et al. [6] consider the VBM an unregulated market with certain attributes such as uncertain buyers, non-excludability of the traded vulnerability, reliance on personal contact, and the absence of any guarantee that the vulnerability will be kept secret. They focus on security metrics derived from price information. Hence, the VBM is regarded as less relevant because its non-transparent pricing hinders deriving direct and indirect security metrics from price [7]. In addition, the literature on vulnerability market models mainly discusses the VBM as a theoretical position, which indicates that the question of its actual existence remains open. Miller [8] shares his experience of selling a vulnerability, without further detail about the VBM. Sutton and Nagel [9] suggest two underground market models, i.e., purchased and contracted types, with underground websites and Internet Relay Chat (IRC) as the backbones of VBM operation.

A number of systematic, empirical studies have revealed the processes behind Internet black markets. Zhuge et al. [2] examine malicious sites in China for stolen goods on visible websites, while Franklin et al. [1] and Symantec [3] observe the underground economy on a number of IRCs. These studies have expanded the understanding of the VBM beyond theoretical discussion. In this work, a qualitative approach is used to explore the likely link between the dark market for 0-Day exploits and the Internet black market on IRCs or black market forums on underground websites.

III. APPROACH AND INFORMANTS

A. Approach

Qualitative online research was employed in this study, since the "experts" in this study, i.e., white and grey security researchers and underground participants, were hard-to-reach

978-0-7695-4095-5/10 $26.00 © 2010 IEEE 143


154
DOI 10.1109/SECURWARE.2010.33
10.1109/SECURWARE.2010.23
informants, and had uncertain and scattered geographical locations. Email interviews were regarded as an appropriate method, since they gave interviewees the freedom to express their knowledge at a time convenient to them and ascertained immediate contact with potential respondents [10]. This method served as an indirect approach to investigating the VBM, since it was difficult to find first-hand informants who directly dealt with VBM transactions.

A few issues arose regarding the "expert" criteria in this study and the way to recruit them. Bogner and Menz [11] suggest that an expert should have technical, process and interpretative knowledge that refers to a specific field, e.g., a particular organizational field or the expert's own professional area. The knowledge covers a specialized subject field, or practical knowledge that incorporates a range of reasons for action, individual decision rules, and patterns of social interpretation. In this research context, a person who possesses knowledge derived from practical everyday experience can be considered an expert. Hence, experts for this study are defined as people who have knowledge and experience in relation to vulnerability discovery and trading, in both licit and illicit markets.

B. Recruiting Informants

To select informants, we listed the contributors to legal markets (Vulnerability Contributor Programs and Zero Day Initiatives) and vulnerability reporters (www.osvdb.org). The list of contributors from OSVDB was sorted by the most frequent reporters. Next, the list was narrowed to those who had email addresses. Potential respondents from legal markets were identified from the list of advisories that credited the contributors. Underground participants were identified from those who provided email addresses in their postings in black market forums, i.e., forums that had been observed by the author [4, 5]. The potential respondents in the underground category were very likely not the first-hand zero-day exploit sellers or discoverers.

Respondents were selected using a purposive technique, to reach those who might be closer to our criteria. This was done by further identifying the contributors in OSVDB who were also credited in the legal market. The recruitment was a bit opportunistic, following the feasible tracks during the research process and requiring flexibility in order to reach relevant informants. This study pursues detailed information on a person's thoughts, knowledge or experience about vulnerability discovery and trading, and is not intended to generalize from the interview results. If the same themes, issues, and topics are repeated by the interviewees, then a sufficient sample size has been reached. Thus, sample size is not the main concern.

The first contact was intended to obtain consent from the selected informants in the OSVDB/legal market list. Several strategies were considered at this early stage. The researcher's and institution's identity, and the motivation for contacting them, were clearly stated. This was intended to build trust, and also to prevent them from overlooking the email and treating it as spam. The purpose of the interviews was declared, i.e., to confirm the understanding of vulnerability discovery; to learn more about uncertain issues such as the development of legal and black markets and the interaction of security researchers with formal reporting institutions and legal and black markets; and to explore policy issues related to vulnerability discovery. How their email addresses were obtained, and the expected number of exchanges, were mentioned, and anonymity was assured. For the underground participants, similar steps were implemented, except without naming the author. Emails were directed to a "vulnerability research" address.

Eleven informants gave their consent. Two respondents preferred Instant Messenger interviews by appointment instead of email. Four respondents were cooperative in answering further questions through several email exchanges. One of them is a legal market organizer who was considered to have organizational knowledge of legal market practice and of dealing with security researchers. A few informants requested encrypted communications. Questions were sent after obtaining their consent. The reputation and contributions of each respondent could be consulted in the OSVDB data.

Informants were categorized using the question: "Which of the following categories describes you best (voluntary security researcher, legal market researcher or 'grey' researcher, i.e., voluntary/legal market researcher that has interaction as well with the underground)?" Example types of questions for pursuing VBM information are:

• When you found a vulnerability, how often did you consider/implement channeling the vulnerability via this institution (post it in a mailing list; notify the vendor quietly; keep it secret as private knowledge; sell it to legal markets; discuss it underground or develop exploits; or sell it underground)? Can you explain why you choose/avoid particular submission channels?
• May underground hackers be interested in participating in a vulnerability market program [with market examples]?
• If you notice any kind of visible underground marketplaces that operate almost similarly to legal markets, could you explain them? Is a black market for vulnerabilities actually available? Could you explain more about your answer? Are there any underground buyers for vulnerabilities? Do you think that the emergence of legal vulnerability markets will attract more security researchers to sell vulnerabilities to the legal market and prevent them from selling to the black market? Could you explain your answer further?

The questions for black market participants were mostly intended to confirm the understanding of online black market operation and the role of moderators, the motives of participants for being involved in multiple forums and the expected income from such activity, and to confirm that most tools traded in black market forums use known or patched vulnerabilities.

Example types of questions for a legal market organizer intended to pursue VBM information are as follows:

• Do you find any attempts from underground hackers to sell vulnerabilities to your company? Does the payment program attract underground hackers?
• Does it happen that security researchers find underground buyers? Are there any known cases to refer to?

Respondents had the freedom to share or not share their knowledge and opinions. If relevant information for this study was

obtained in the first round but needed clarification, we contacted them further. For instance, R2 said: "I think there were approximately ten new really serious vulnerabilities sold in the past few years underground". A further question was addressed in the next round, asking whether examples of these underground sales could be given. The MS08-078 case discussed in Section 4 was among the examples provided by the informant. Since more explanation of the case was needed, documents and news related to the MS08-078 disclosure were examined to verify this information. When other respondents discussed the Gimmiv case and the price of JBIG2 (see Section 4), further communications were conducted to ask for the sources of the statements in order to verify the information.

C. Interpretation of Interview Results

Analysis of the interview results stresses thematic units: passages with similar topics that are scattered through the interview [11]. A variety of themes were grouped so that they could provide insightful meaning for this study. Hence, the historical order or dates of the interviews are not central to the analysis. VBM trading cases that were pointed out by informants in the interviews were double-checked by examining documents about their disclosure in several vulnerability databases (e.g., OSVDB, CERT, CVE).

There are advantages and disadvantages to employing the online interview. It extends access to participants and sources that might be difficult to work with on a face-to-face basis. It eliminates transcription delay (a step after conducting a face-to-face interview) and transcription bias, and provides immediate text data. The disadvantages are that this study was made with small samples, so that we cannot generalize from the interview results. The interview responses might be biased if the respondents' responses repeated other sources instead of revealing their observations of actual systems or experience. Conflicts of role of a respondent in an organization may also result in biased answers. Some efforts were made when conducting the interviews to minimize bias. Interview results about the VBM from a respondent who never dealt with any markets, was not aware of the VBM, or was in a conflict position were not incorporated in the analysis.

The summary of respondents and email exchange dates is presented in Table 1. When referring to the informants in the rest of this paper, the sources will be cited according to these codes.

TABLE I. RESPONDENTS' CODE AND INTERVIEW DATES

Code  Date of Interviews
R1    June 13, 2009; July 1, 2009
R2    June 10, 2009; June 14, 2009; July 30, 2009
R3    June 10, 2009; June 26, 2009
R4    June 12, 2009
R5    June 10, 2009; July 20, 2009
R6    June 24, 2009
R7    June 20, 2009
R8    June 3, 2009
B1    December 18, 2008; January 29 and May 30, 2009
B2    January 26, 2009
B3    March 3, 2009

IV. RESULTS

A. What Kind of Markets?

As mentioned in Section 2, IRC channel-based and website-based black markets are spreading. The suspicion that these VBMs are also places for selling fresh 0-Day exploits arises from the revealed commodities, which are mostly stolen goods and malware, and the cited prices, which are quite cheap. This section discusses the possible bifurcated VBM structure.

1) Existence, A Stratified Market? No respondents were in doubt about the existence of the VBM, but their detailed knowledge of it was heterogeneous. For example, R5 had the experience of being contacted by unknown buyers, while R6 only deals with the affected vendor when he discovers a vulnerability. The underground markets were admitted by R2 to be hard to summarize. R2 asserted having observed several underground marketplaces. R1 emphasized that hacker forums with a limited number of 0-Day exploits exist, but those mostly focus on rare web-based software. Russia and China were cited by R1, R2 and R7 as the locations of most VBMs. R1 noticed black market forums going on and off over the years without noticing the prices of the traded goods, since he was concerned with identifying the players in that field and worked with law enforcement on takedowns of the sites.

According to R2, the VBMs manifest in various forms, ranging from script kiddies' forums to real business-driven auctions. In addition, there are agents who buy exploits from a single researcher and sell them to a few black market players. R5 had been contacted by some unknown persons. R5 said: "I have some requests...if I want to sell exploits for bug which have already been patched (or at least a patch has been made available). Their demand for exploits is also big for known vuls [vulnerabilities]. Everyone knows how reluctant most people to patch their systems." However, this informant considered himself an ethical researcher, and so denied having any 0-Day or finished exploits for known or patched vulnerabilities to sell.

It appears that VBMs are complex systems, manifest in various forms, stratified and made up of two parts, that is, bifurcated into a script-kiddie market and a skilled-hacker market. Complex interactions may occur within and between the two branches.

2) Script-kiddie market: The VBMs discussed in a few empirical studies, both IRC-based and website-based forums [1, 2, 4, 5], might belong to this foundation part. It is the VBM base layer that serves as a site for finding easy-to-use exploit kits, malicious code, stolen goods and botnets. These tools target known and patched vulnerabilities. The sites mediate the demand from potential buyers and the supply from the malware coders. In spite of being considered script-kiddies' forums, the actors possibly also include intermediate and expert hackers, since coding malware needs more skill than merely following a script. Creating online-regulated forums was regarded by R5 as a way to demonstrate the "trustworthiness" of a site. Since these forums are numerous, an actor's involvement in multiple forums is common. Expanding the possibilities of meeting buyers and sellers, learning about new tools, comparing prices, or finding a wider selection of tools are common motives, according to B1 and B2.

Nevertheless, R2 rejected the term "public market" for any underground market, because the dark business will not rely on "openness." Perhaps this opinion was in line with the known basic trait of malware-type markets, where tight rules and intermittent availability are applied to keep the forums hidden, thus making them difficult to regard as "public markets". In these base-layer VBMs, malicious tools are developed from known and patched vulnerabilities and traded, as also mentioned by B3. Developing exploits from old vulnerabilities is also common among legitimate researchers, but only to demonstrate some new exploitation technique. A few informants considered the economic value of exploits for old vulnerabilities too small to be worth pursuing.

R2 deemed that malware development from known vulnerabilities is more a kind of stable employer-employee relationship. The recent increase in spam delivered from compromised hosting servers, and in attacks against web applications, was considered by this informant to be part of the underground actors' activity. If this is becoming common black market practice, R2 estimated that huge markets for web application vulnerabilities may develop.

3) Skilled-Hacker Market: This is the VBM top layer. A serious VBM for "big" 0-Day exploits would not be institutionalized, e.g., by establishing online forums. According to R5, no one can know the exact operation unless they are insiders. R5 furthermore stressed: "Black markets exist, they pay a lot of money, they are all anonymous (no names, no addresses), they want a working exploit code". The interviewee gave as an example a request for an exploit that includes DEP (Data Execution Prevention) evasion and tools to attack Vista.

R4 noticed that most "big" 0-Day exploits were only sold underground. A few sales became known after the 0-Day exploits were discovered in the wild. One type of skilled-hacker market is an individual-based request model. R4 explained that it is conducted by offering contracts to security researchers to investigate or audit specific software under quite tight non-disclosure agreements.

A serious VBM focuses only on a limited number of vulnerabilities (common browsers and remote vulnerabilities in the most popular operating systems/applications). But R2 and R5 agreed that recently it has been extremely hard to find those types of vulnerabilities. This explains why only a few "big" vulnerabilities sold underground have leaked to the public.

Aside from the risk of involvement in the VBMs, most respondents deemed that the potential payment from the skilled-hacker VBM is bigger than from the legal ones. Thus, the most tangible difference between the skilled-hacker and script-kiddie markets is price. Malicious tools on the "base layer" markets are relatively inexpensive, but sellers can earn well from multiple sales, as described by B1 and B3. In the skilled-hacker VBMs, the 0-Day price can reach four-digit US dollar figures. In one of the interview series with R5, the informant revealed his only experience of dealing with an untrustworthy buyer. He provided figures that "A <product name> remote code execution vulnerability at <a legal market> will cost $2,500 while the same bug in the underground could be worth $30,000". R5 gave a further note: "This is not a wild guess, but a number I can confirm. This was the only time I did a deal with a buyer I do not trust 100%..."

R2 estimated that ten "big" vulnerabilities were sold underground in the past few years, and specified a few examples. To elaborate on this skilled-hacker VBM, underground 0-Day sales and the attempts to develop exploits after patch announcements, four cases (MS08-067, MS06-001, JBIG2 and MS08-078) were examined. They were referred to by a few interviewees during the series of email exchanges.

B. Stories around Vulnerability Disclosures

1) MS08-067 Case: This is a critical vulnerability that affects Microsoft Windows products. R1 referred to it as a good case where underground actors mishandled a perfect 0-Day exploit (see Microsoft Security Bulletin MS08-067). The attackers were rushing and used unfinished exploits that would hinder the exploit's success rate. The so-called Gimmiv malware that was delivered by the exploit was riddled with bugs and not well coded, but it was still able to infect hundreds of machines. Gimmiv was deployed on September 29, 2008. R1 assessed that if the malicious actors had taken their time to test and develop the exploit code for MS08-067, the attackers could have surprised the world and attacked millions of computers in a single day. The vulnerability and patch were announced simultaneously on October 23, 2008.

R1 explained that Gimmiv being deployed in the form of a worm evoked flashbacks of Blaster and Sasser, but unlike these two worms, Gimmiv turned out to have infected scarcely any networks (see also "Tracking Gimmiv", an article on www.secureworks.com). Fortunately, some mistakes made by the author(s) of Gimmiv had enabled third parties to download the log files of the Gimmiv control server.

MS08-067 drew a quick reaction from underground actors, who created a few modifications of the exploit. Further examination of this case revealed that the W32/Conficker.worm was disseminated (22 November 2008) and exploited the already patched MS08-067 vulnerability, only a month after the update. The Chinese were first to release a malware exploitation kit. Initially, the tool was created with a commercial intention and offered at $37.80, before it leaked to the general public. An advanced feature of the worm was the ability to patch the infected host in order to ensure that competing malware would not be able to misuse the same hole. The worm could infect an unpatched Microsoft Windows system with the MS08-067 patch.

This case was discussed by the security community as showing the increased sophistication of the malware authors who designed Conficker. The real threat of the worm stemmed from scanning modules introduced within larger botnets. The malware spread was also highly profit-driven and more organized. A modification of Conficker was even circulated on April 9, 2009, updating earlier infections against unpatched systems. This case showed an example of VBM trading, and that malicious agents persistently found ways to exploit a patched vulnerability by creating new malware.

2) JBIG2 Case: R3 cited the JBIG2 vulnerability in Adobe Reader and Acrobat as an example of a vulnerability that was discovered in the wild and exploited after having been patched. By persuading a victim to open a malicious PDF file, a remote attacker could cause the application to crash. The vulnerability was solved by releasing Adobe

Acrobat 8.1.4 to update the 8.1.3 version and 9.1 to update version 9. In a short time, a 'no-click' variant of the JBIG2 exploit appeared, where the victim did not need to actually open a malicious file. The update on March 10, 2009 was issued to solve the JBIG2 security issue.

The JBIG2 exploit was supposedly sold on the black market for $75,000, prior to the disclosure on February 19, 2009 (http://www.dojosec.com/?p=92 was cited by R3 as the source of this information; last accessed 15 February 2010). The JBIG2 case was discussed a bit with another respondent, R2, who believed there was underground trading involved in the JBIG2 disclosure, but doubted the quoted price. Three months later, multiple JBIG2 vulnerabilities were again discovered and new security updates were released on June 9, 2009. Thus Adobe Reader and Acrobat 9.1.1 (and earlier) were again updated to version 9.1.2. It is another example of underground vulnerability trading, and also illustrates that updates did not cause malicious agents to give up exploiting the patched vulnerability.

3) MS06-001 Case: The MS06-001 or Windows Meta File (WMF) case is an example that sparked discussions on the emerging VBM. The first discoverer of the WMF vulnerability was unknown, but security companies could identify the agents who were involved in creating and distributing the exploit [12]. The vulnerability was discovered in the wild on December 27, 2005. WMF exploits were purportedly sold in the underground markets for $4,000 by two or three competing novice hacker groups who were unaware of the nature of the vulnerability. The exploit was sold to multiple malicious buyers and was widely used on malicious websites to spread spam, adware and spyware and to promote a "pump and dump" scheme, which caused the exploit to become public. The spam spread over the Internet from a company called Smallcap-Investors, which promoted a Chinese company called Habin Pingchuan Pharmaceutical. In the "pump and dump" scheme, once the value had increased, they dumped their shares and made a profit [9]. A couple of days after the update, two bugs in WMF, including exploits, were found. Their discovery time was also unclear. These findings created more possible attack methods using WMF, i.e., when users were tricked into opening email with infected ".wmf" files using WMF viewing software. The WMF case also shows similar patterns to the two earlier cases.

4) MS08-078 Case: This case was mentioned by R3 and refers to a vulnerability that affected Internet Explorer (IE) 7 and earlier versions. MS08-078 was disclosed and patched simultaneously on December 10, 2008, after it had been exploited in the wild (see further technical details of this vulnerability in Microsoft Security Bulletin MS08-078). On December 9, 2008, a 0-Day downloader Trojan that exploited IE7 was detected in China. The exploit had been integrated into exploit toolkits and used to install information-stealing Trojans that target online games. According to the iDefense Press Release of December 10, 2008, the Chinese knownsec security team released an advisory on December 9, and stated that the exploit code was leaked by one of their members who had mistakenly assumed that this issue dealt with a patched vulnerability. The IE7 vulnerability had supposedly been traded underground two months prior to the public disclosure for approximately $15,000. Second- and third-hand exploits were traded for about $650. It spread to the public when a buyer used the second-hand exploits to develop and deploy Trojans. A computer could be infected with malicious software merely by visiting a Trojan-based website.

C. Discussion

The cases described in Section B are examples of VBM trading, and were intended to verify information on VBM cases pointed out by informants in the interviews. The idea that VBMs are stratified, comprising skilled-hacker and script-kiddie markets, was strengthened by the discussion of these four cases: WMF, JBIG2, MS08-067 and MS08-078.

Thus, offers of expensive secret 0-Day exploits occur in skilled-hacker VBMs that are mostly covert. The business model of this market could be auction-driven, an employee-employer relationship, or an individual request-based contract. The buyers are difficult to identify. Players in this area are more interested in popular products. R5 noticed that some newly released software products came with many new security technologies that can hardly be exploited. This might be frustrating for beginners, and might keep them from diving deeper into the bug hunting world. This may also explain why only a few "big" vulnerabilities are sold underground.

The script-kiddie VBMs appear in institutionalized form, as websites with bulletin boards and IRC channels as supporting infrastructure. These markets focus on malware kits and make use of old vulnerabilities. The buyers might include script kiddies or less skilful hackers.

This study also looks at possible links between skilled-hacker and script-kiddie VBMs. How can one explain the behavior of supply and demand in such a two-tiered market? The behavior of this two-tiered market is comparable to a market for vegetables or milk, since both have a property in common with 0-Day exploits and malware: they are time-sensitive commodities. When they are fresh, people will buy them at the market price. However, when these products turn old, only a few consumers will buy them. In the milk market case, nobody wants to take the risk of getting sick from consuming expired milk. To avoid suffering the maximum loss of potential income, the seller may lower the price before the commodities completely lose their value. Thus a few consumers would possibly still buy the vegetables. In the milk case, instead of lowering the price, the producer may transform milk into products with better economic value that are less time-sensitive, e.g., cheese or butter. The script-kiddie VBMs may serve a similar function. These are places where hackers still have a chance to gain extra income before the value of exploits completely disappears, or to earn from selling products that are modifications of public exploits hidden by special obfuscators for penetrating vulnerable machines.

Figs. 1a and 1b illustrate supply and demand in the VBMs using the bifurcated notion. In Fig. 1a, D1 represents the demand curve for 0-Day vulnerabilities and S1 captures the supply of 0-Day exploits by a black hat hacker. Since exclusivity of the 0-Day is demanded in black markets, i.e., it is sold only to a few buyers or even to one buyer only, the supply curve is illustrated as perfectly inelastic. In other words, the quantity of 0-Day is fixed (small, or even only one piece).

Figures 1a and 1b. Supply and Demand in Bifurcated VBM.

Definitely, the seller prefers a higher price, and thus the curve is located on the left side. The demand curve is elastic: more products are demanded when the price is lower. It implies that only buyers who are willing to pay a high price would get the product. The intersection with S1 is Pzd, i.e., the price of the 0-Day at P5 (high price) and Q1 (very few buyers).

Since a vulnerability is a time-sensitive commodity, the same vulnerability needs to circulate quickly, particularly when second-hand buyer demand exists. S2 is the brokered 0-Day supply curve. The new supply curve lies to the right of S1, implying that the seller offers more quantity (Q2) at a lower price (P4), so that the market price would be Psb, provided the demand curve (D1) does not change. Holding the 0-Day longer triggers the risk that its value will fall near to zero, Pnz, because more people come to know the 0-Day. The near-zero price demand curve is D2, a shift from the initial D1. This is undesirable from a supplier's perspective.

Two possibilities are open to mitigate the risk of losing value. First, sell the 0-Day at a cheaper price (P2), but higher than its value once the vulnerability has leaked to the public. Then the demand curve only shifts to D3, with price Pcp at the same quantity, making the profit better. The second option is shown in Fig. 1b. Instead of selling at a cheaper price, the seller creates malware on top of the vulnerability and exploit; this is illustrated by the third supply curve (S3). It results in greater demand, since VBMs for malware are bigger. The price would be Pm (malware price), when the price is P3 and the quantity is Q3. This condition creates greater demand and greater profit. All three supply curves are inelastic, since sellers will likely maintain exclusivity of the products to keep the malware attractive to potential buyers. This description is an effort to understand possible VBM players' decisions and the VBM supply and demand, and thus to make the link between the bifurcated VBMs clearer.

V. CONCLUSION

Expert interviews and the documentation trace of vulnerability disclosures pointed out by informants are useful to elicit further knowledge on the construction of the VBM. Insights derived from this study suggest several things related to this bifurcated market:

1) The 0-Day exploit price in the VBM is extremely high, particularly compared to legal market offers. See, e.g., the JBIG2 case, MS08-078, and a report from one respondent.

2) A 0-Day might be traded through several hands. The first buyer might purchase exploits at a high price, but later acts as a broker and resells to multiple second and third buyers at decreasing prices. MS08-067, MS08-078 and MS06-001 are examples for explaining this link.

3) Underground trading in the skilled-hacker market seems not large, since the players focus on leading, popular products.

4) The endpoint of 0-Day trading is the base-layer markets: script-kiddie markets, internet black markets. They serve as sites for selling any products from the exploit modifications after the price has decreased over time, and to prolong the commercial value as well as reach more buyers. In these sites, hackers still have a chance to gain extra income before the value of the exploits completely disappears.

5) Skilled-hacker and script-kiddie-layer VBMs are basically unregulated markets, with time and secrecy as the main factors that affect supply and demand behavior.

This study shows that malicious agents never give up finding new methods to exploit weaknesses in software, and VBMs facilitate this effort. Thus threats from the presence of VBMs to computer users are evident.

ACKNOWLEDGMENT

I'm grateful to the interviewees for this research.
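The supply and demand reasoning behind Fig. 1a and 1b (Section IV above), carried through as a toy numerical model. This is an added illustration, not code or data from the paper: the linear demand curve, the perfectly inelastic supply at a fixed quantity, and every price and quantity value are my assumptions, with the figure's labels (D1, D2, D3, S1, S2, S3, Q1 to Q3, P5/Pzd, P4/Psb, Pnz, Pcp, Pm) reused only for readability.

```python
"""Toy numerical illustration of the supply/demand story behind Fig. 1a and 1b.

Added example, not code or data from the paper. Assumptions (mine, not the
paper's): demand is linear, P = intercept - slope * Q; supply is perfectly
inelastic, so the market price is the demand curve evaluated at the fixed
quantity offered; all prices and quantities below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinearDemand:
    """Demand curve P = intercept - slope * Q (elastic: more buyers at lower prices)."""
    intercept: float  # highest price any buyer would pay
    slope: float      # price drop per additional unit offered

    def price_at(self, quantity: float) -> float:
        """Market-clearing price for a perfectly inelastic supply of `quantity` units."""
        return max(0.0, self.intercept - self.slope * quantity)

    def shifted(self, delta: float) -> "LinearDemand":
        """Parallel shift; negative delta means buyers now pay less (D1 -> D2, D3)."""
        return LinearDemand(self.intercept + delta, self.slope)


# Constructed numbers; the figure's curve labels are kept for orientation.
D1 = LinearDemand(intercept=60_000, slope=10_000)   # initial demand for the 0-Day
Q1, Q2, Q3 = 1, 3, 5                                # S1 exclusive, S2 brokered, S3 malware
D2 = D1.shifted(-48_000)                            # after the 0-Day leaks: near-zero demand
D3 = D1.shifted(-15_000)                            # early discounted sale, before any leak
DM = LinearDemand(intercept=90_000, slope=5_000)    # malware market: larger demand (assumed)


def scenario_prices():
    """Prices at the intersections discussed in the text (Pzd/P5, Psb/P4, Pnz, Pcp, Pm)."""
    return {
        "P5_exclusive": D1.price_at(Q1),   # Fig 1a: S1 x D1, one exclusive buyer
        "P4_brokered": D1.price_at(Q2),    # S2 x D1: more units offered, lower price
        "Pnz_leaked": D2.price_at(Q1),     # D2: the 0-Day has become public knowledge
        "Pcp_discount": D3.price_at(Q1),   # D3: sold cheaper, but before the leak
        "Pm_malware": DM.price_at(Q3),     # Fig 1b: S3 x malware demand
    }


def scenario_revenues():
    """Seller revenue (price x quantity) for each option, to compare 'profit' claims."""
    p = scenario_prices()
    return {
        "exclusive": p["P5_exclusive"] * Q1,
        "brokered": p["P4_brokered"] * Q2,
        "discount": p["Pcp_discount"] * Q1,
        "malware": p["Pm_malware"] * Q3,
    }


def price_decay(demand: LinearDemand, quantity: float, leak_per_period: float, periods: int):
    """Price path when the seller holds the 0-Day instead of selling: each period more
    people learn of it, modeled as a downward shift of demand, until the price hits zero."""
    return [demand.shifted(-leak_per_period * t).price_at(quantity) for t in range(periods)]


if __name__ == "__main__":
    for name, price in scenario_prices().items():
        print(f"{name:14s} {price:>9,.0f}")
    print("revenues:", scenario_revenues())
    print("holding the 0-Day:", price_decay(D1, Q1, 12_000, 6))
```

The model reproduces the orderings the text argues for rather than any real price: the exclusive sale clears at the highest price, brokering more copies lowers the unit price but raises revenue, a leak drives the price towards zero, an early discount keeps it above the leaked level, and packaging the exploit as malware moves the seller onto a larger demand curve.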