Black Market In Bad Code

Time is the hacker's enemy. The countdown starts as soon as a hacker learns about a security loophole that makes an Internet site vulnerable to a break-in. Security and software firms have, by and large, succeeded in shortening this period, but hackers have responded in kind. They've created a brisk underground market for buying and selling "zero day" code—software that can be used instantly to exploit an as-yet-unsecured loophole.

Zero-day code is a reaction to the increased sophistication of firewalls and other computer protections. Many individuals and groups wanting to commit online fraud or theft no longer possess the skills needed to compromise computers. Likewise, many talented zero-day programmers lack the know-how to turn a computer intrusion into cash by, say, laundering money stolen from corporate pension-payment systems. Zero-day code bridges these two talent pools. It can be used to steal credit-card and banking information and install malicious software. "There are a lot of slow-burners out there that are generating large amounts of income and trying to remain under the radar," says Steve Santorelli, a former Scotland Yard computer-crime investigator now at Team Cymru, a Seattle computer-security consultancy to corporations and law-enforcement agencies. Online payment systems such as PayPal, which can provide users with more anonymity than bank transfers, have given the black market an "enormous" boost by providing sellers with an anonymous way to collect, says a Romanian hacker who would agree to be identified only by his online name, flo_flow.

This division of labor is making hacking a more productive industry. The market harnesses the expertise of hackers who have qualms about committing certain types of fraud or theft but are willing to sell zero-days to others who do the dirty work. Prices can reach tens of thousands of dollars for code that exploits vulnerabilities in widely used Internet browsers and PC operating systems, and Web-server software.

Many of the big-ticket sales pass through brokers with a reputation for honoring agreements. Some act as escrow agents, collecting purchase money and providing it to sellers (minus a commission) only after confirming that zero-days work. One broker in Bangkok, who spoke to NEWSWEEK on condition of anonymity because his work is illegal, says there is a "very, very large network" of middlemen. Some, including himself, broker licensing deals whereby sellers receive a monthly fee until security firms or software vendors discover and patch the vulnerability.

The practice is so widespread it's even spawned a legitimate market. Last July, the Swiss security firm WabiSabiLabi opened a legal online zero-day auction. Chief technology officer Giacomo Paoni says that more than 1,000 legitimate researchers have registered to sell their discoveries to security companies and software vendors eager to improve their services and products. TippingPoint and iDefense, two American firms, purchase zero-days from researchers to enhance their own security offerings.

These firms argue that by buying zero-days, they're keeping loopholes from criminals, thereby improving security. Critics say the practice only encourages the development of dangerous software—and who's to say how many buyers are hackers working incognito? There may not be many alternatives to playing along: it's virtually impossible to stop trading by shutting down illicit marketplace Web sites and forums, says Mikko Hypponen, a computer-security expert in Helsinki who conducts training workshops for the Finnish Army. "They simply pop up somewhere else."