Windows Zero-day Exploit for Sale: Bids Start at $95,000

Trustwave SpiderLabs has discovered a 0-day Windows exploit being offered for sale on an underground forum for Russian speaking cyber criminals. Although the researchers cannot be absolutely certain that the exploit is genuine, they suspect it is – and further expect that the exploit will find its way into criminal hands.

Zero-day exploits regularly change hands. Criminal gangs buy them for their own use, brokers buy them for onward sale, and surveillance companies buy them for use with their own products. But it’s a difficult market that requires a degree of trust in a nefarious activity. Last year’s analysis of the emails leaked after the Hacking Team breach demonstrate some of the problems. An analysis by Vlad Tsyrklevich showed, for example, a degree of distrust between Hacking Team (buyer) and the well known, and in its own circles widely trusted, Vupen (broker).

For such reasons, the sale of 0-day exploits usually involves people who know people. It was a surprise when Trustwave’s SpiderLabs came across an alleged 0-day being offered for sale openly on an underground forum for Russian-speaking cyber criminals. The forum in question is usually used as a collaboration platform “where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose,” writes SpiderLabs in a new blog post today. “However,” it adds, “finding a zero day listed in between these fairly common offerings is definitely an anomaly.”

The 0-day is described as a local privilege escalation (LPE) that works on all current versions of the Windows operating system, from XP to Windows 10. It was put on sale at offers above $95,000. SpiderLabs makes it clear that it cannot be certain that the 0-day is genuine, but adds, “the offer is likely a valid zero day, and that the asking price is likely to be met by an interested cybercriminal.”

One argument for its validity is the pains taken by the seller to present his case. This includes an extensive description of what the buyer will get that shows an understanding of the market. He demands payment in bitcoins, and for the deal to be conducted via the forum’s admin.

The original offer was posted on 11 May. It was updated on 23 May, lowering the price to $90,000 and confirming that it would be sold exclusively to one buyer. This could suggest fewer bids than anticipated on the one hand, but perhaps approaches demanding exclusivity on the other.

The seller also provided two YouTube video demonstrations of the exploit in action. “It is interesting to note,” writes Trustwave, “that the video was actually recorded on ‘Patch Tuesday’ and the author made sure the latest updates were installed.”

Trustwave points out that LPE 0-days are probably second only to remote command execution (RCE) 0-days in the value pecking order. Although an LPE exploit “can’t provide the initial infection vector like a Remote Code Execution (RCE) would, it is still a very much needed puzzle piece in the overall infection process.” Furthermore, “an LPE exploit provides the means to persist on an infected machine, which is a crucial aspect when considering APTs (Advanced Persistent Threats).”

This particular exploit appears to have advanced potential. According to the seller, it could escape from a sandbox, enable the installation of a root kit on ring0, modify system properties to allow persistence, and download and install additional malware even where software installs are restricted to admins.

If the exploit is as good as described, and if it is bought and used sparingly in targeted attacks, then it could become a serious new menace. Once it disappears from the forum, we could easily lose track. Ziv Mador, VP of security research at Trustwave, told SecurityWeek, “In the later post the seller mentioned that the 0-day would be sold exclusively to a single buyer. Therefore, if it is removed, it may mean that it was sold.” But he doesn’t know if we will ever be able to recognize its use by criminals in the future, nor whether it is likely to disappear into the arsenal of a state-sponsored espionage group.