X-Force Warns of Malware Black Market

IBM's 2007 X-Force security report warns of a malware black market, in which it's vastly more profitable to sell security vulnerabilities than report them.

IBM Internet Security Systems has releases its 2007 X-Force Security Report (PDF) which found that the sophistication and complexity of attacks directed at Web browser rose dramatically in 2007, and that Internet criminals are now stealing identities and taking over unsuspecting users’ computers faster than ever before. While the overall number of acknowledged security flaws from software vendors actually dropped from 2006 to 2007, X-Force warns that may be because a lucrative black market has developed for security exploits.

“Never before have such aggressive measures been sustained by Internet attackers towards infection, propagation and security evasion. While computer security professionals can claim some victories, attackers are adapting their approaches and continuing to have an impact on users’ experiences,” said IBM’s ISS X-Force operations manager Kris Lamb, in a statement.

During 2007, network and software vendors acknowledged 6,437 security flaws, which represents a 5.4 percent decline since 2006. The drop marks the first time in ten years the number of exploits reported for a given year has dropped below the level of the previous year; however, the number of critical vulnerabilities increased by 28 percent. Also for the first time ever, the size of spam email messages decreased—all the way back to 2005 levels. X-Force believes this is due to a drop in image-based spam.

More disturbing is the black market which has developed around security flaws and exploits: cyber criminals are willing to pay significant amounts of money for a meaningful exploit that will enable them to take over computers, steal personal information, or otherwise make a profit. Computer enthusiasts who discover a security problem can get a fast payday by selling their findings to criminals, whereas reporting the problem responsibly to appropriate parties might earn them a “thank-you” and a mention in a ReadMe file. More troubling, software vendors may now be buying information on vulnerabilities so they can be fixed before the information goes public. The net result is a trend toward non-disclosure, where both the industry and the criminals are offering money to keep security flaws quiet.