This chapter discusses the possible growth of black markets (BMs) for software vulnerabilities and the factors affecting their spread. It is difficult to collect statistics about BMs for vulnerabilities and their associated transactions, as they are hidden from general view. We conduct a disguised observation of online BM trading sites to identify causal models of the ongoing viability of BMs. Our observation results are expressed as a system dynamics model. We implement simulations to observe the effects of possible actions to disrupt BMs. The results suggest that without interventions the number and size of BMs is likely to increase. A simulation scenario with a policy to halt BM operations results in a temporary decrease in the market. The intervention ultimately meets policy resistance, failing to neutralize a reinforcing feedback loop. Combining the policy with efforts to build distrust among BM participants may cause them to leave the forum and inhibit the imitation process by which similar forums are established.
The vulnerability black market (VBM) discussions surfaced at almost the same time as the increasing public debates on the emergence of legitimate markets where vulnerability researchers can sell vulnerability information. The existence of black hat hackers has long been known; however, a recent trend is that they are becoming profit-seeking (Itzhak, 2006). In the past, they searched for vulnerabilities mainly to improve their opportunities for financial gain through successful exploitation. Lately, black hat hackers have been developing easy-to-use attack tools and selling them underground. However, most of the research on VBMs is scattered, with limited systematic studies.
Several security companies' reports, such as those from IBM ISS X-Force (2007), PandaLabs (2007), and Symantec (2008), note the growth of malicious attacks, some of which may be the result of the limited circulation of zero-day vulnerability information. Symantec has been observing the black market forums operating in the underground economy. According to Symantec's report, the forums are likely to be used by criminals and criminal organizations to trade various goods and services for identity theft purposes. Therefore, Symantec's report considers the emergence of black markets for zero-day vulnerabilities a serious threat. However, it is premature to connect an increase in malicious attacks solely to the presence of VBMs. The IBM report links underground sales and markets for Web-browser exploits to the obvious growth in targeted attacks against specific customers and sites. The PandaLabs report even reveals the prices of malware kits sold underground. These data indirectly indicate that there are software developers and black hat attackers exchanging information about targets and tools. Such information exchange would be the core of a VBM. Basic questions emerge: Is the number of black markets increasing, and how do black markets spread?