How do governments & cyber criminals develop the zero day exploits that they then use to infect your computer systems to steal data or eavesdrop on you?  Simple…  they buy them.

The going rates for exclusive use are thus:

ApplicationFrom ($)
To ($)
Adobe Reader5,00030,000
Mac OSx20,00050,000
Android30,00060,000
Flash or Java Plug-in40,000100,000
Microsoft Word50,000100,000
Windows60,000120,000
Firefox/Safari60,000150,000
Chrome or IE80,000200,000
IOS100,000250,000

 Source Forbes  

The market is made up of small companies such as Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, in Malta.  There are also a range of brokers such as The Grugq who will act as intermediaries between the developers and the governments/crime syndicates as well as some major Defence Contractors such as Northrop Grumman and Raytheon.

In terms of how effective the exploits are:
The average Zero Day attack persists for 312 days before it’s detected, vulnerability purchase to public disclosure is between 133 and 174 days.

Attacks exploiting Zero Day before and after disclosure time


And how widespread?:
The Known Unknowns | NSS Labs has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe.  The NSA has a budget of $25M to purchase this kind of kit and GCHQ can’t be that far behind.

 

Leave a Reply