In many marketplaces, consumers don't have all the information they would like before making a decision, but they still get to see and feel a product, like a toaster or a car, before buying it. The same cannot be said of malware markets. Malware (like all software) is essentially information, so keeping a product secret until it is paid for is often critically important. Take, for example, the purchase of a software vulnerability. The buyer won't be offered a test drive. Sellers have a strong interest in not revealing too much, because a potential buyer who learns enough detail may be able to rediscover the vulnerability independently, eliminating any incentive to pay for it. Further muddying the waters, when the buyer is a software vendor like Mozilla or Google, sellers have an incentive to spam the system, submitting the same bug under alternate aliases in the hope of collecting multiple payouts.
A malicious software (malware) market is a network of organizations, individuals, and websites where malicious software is bought and sold. In these networks, monetization is key: profit often drives both participation and participant behavior. The markets also host services, in the form of customer support for products like botnets and offers to integrate different malware products into streamlined services. Popular malware used to steal banking credentials, like the Zeus trojan, is available for sale alongside offers to rent exploit kits, which bundle many different software vulnerabilities into a single platform for infecting as many users as possible. Where a country is unable or unwilling to develop its own malicious software for surveillance, espionage, or other activities in cyberspace, it can simply buy some from one of dozens of companies around the globe. Companies like Hacking Team, an Italian firm that sells surveillance software to governments along with training and support on how to use it, play a key role in these markets.
Malware markets act as a mechanism for spreading malware to new and less capable users. If an individual criminal outfit cannot figure out how to build a tool itself, it can simply outsource the problem. The rise of exploit kits was partly a product of the time and cost of discovering vulnerabilities and engineering exploits. As defenders evolve, the kits keep pace by adding new vulnerabilities and dropping ineffective ones. For the governments of countries like Sudan or Ethiopia, these markets are a way to gain access to surveillance technologies and capabilities they might not be able to develop on their own. Even advanced states like the United States and Israel likely buy in these markets, albeit for very specific information, such as vulnerabilities in Apple's iOS.