New America

What Products are Available on the Malware Markets?

What Products are Available on the Malware Markets?

The malware markets contain everything from simple software programs to crack passwords to companies offering governments a one stop shop for surveillance and espionage. Some of these products are highly valuable; one company, Zerodium, advertises a $1.5 million payout to anyone willing to sell zero day vulnerabilities in Apple’s iOS operating system. NSO Group, an Israeli company that was caught having sold surveillance malware to the UAE to monitor human rights activists, has been valued at more than $1 billion. Alongside this big business are groups that lease access to ransomware and rent time on botnets for just hundreds to thousands of dollars a week. This dichotomy in prices and offerings has helped create a two-tiered market, with a larger lower level conducting business in online marketplaces, and a small upper level working through social networks and encrypted communications.


The markets encourage specialization so that certain criminals build an entire business around developing, maintaining, and selling different kinds of malware and criminal services to give their customers up to date access to massive number of potential targets. Imagine an attacker who stumbles upon the leaked source code for a piece of malware like Zeus or a sample of ransomware and rents time on a ready-made exploit kit or botnet to distribute it? Without ever writing a line of code, a criminal is born.

Spectrum of Products

1st Tier—Component Vendors


Discovering Vulnerabilities: Within the malware market, many actors work to discover new vulnerabilities and sell or use them. For most malicious software, even well known vulnerabilities can prove useful.

Selling Exploits: Exploits are code that take advantage of a software vulnerability to get malware’s payload on the computer or help it function.

Writing Payloads: A payload is code that does something on the target, like generating money, causing physical destruction, or stealing information.


2nd Tier—Integrators


Exploit Kits: These kits are used to exploit many vulnerabilities, giving their users choices in how to upload and execute malicious code on a range of different targets. Essentially, they are used to deliver payloads that users can specify.

Building and Renting Botnets: Numerous suppliers provide the ability to rent time on premade botnets. This allows users to harness existing implementations with their own custom instructions.

Services: Some criminals will offer different kinds of malware, integrated with an exploit kit or other tools to infect computers. Ransomware—malicious software that encrypts files on a target computer in exchange for a ransom—can even be sold as a service, with customers paying back a portion of the profits in exchange for use of a new piece of malware.


3rd Tier—Full Service


Companies: Within the malware markets, some actors act as one-stop-shops for all their customer’s malware needs. These groups deliver everything from specific malware payloads to user training and complete software-as-a-service approaches. These companies implement all the stages a customer requires, potentially integrating software from different vendors to present a polished product.

Explore Products

Goods and Services Available on the Malware Markets

Click the categories to read more.

Prev. Section
What Are the Malware Markets?

About this Project

Computers and computer systems are becoming ubiquitous, managing everything from government databases, to grocery transactions, to activity on our own phones. However, these systems don’t come without their vulnerabilities, and their exploitation has never been in such high demand. So where does malicious software—the code designed to exploit these vulnerabilities—come from? 

This started as a project developed by Luke Heine and Brian de Luna of Harvard College in consultation with Trey Herr for CS 105: Privacy and Technology. Major credit to Kirk Jackson for his help with the graphic redesign. Additional thanks for feedback and support from the New America Cybersecurity Initiative including Rob Morgus, Joanne Zalatoris, and Ian Wallace. Thank you to Jim Waldo for the idea and Ben Buchanan for his review.

Authors

Brian de Luna is a data scientist at Airbnb. He has done a range of side projects that include data visualizations and analyses on topics ranging from malware markets to venture capital funding.

Luke Heine is a director at the Lab for Entrepreneurship and Development at the Harvard Institute of Quantitative Science. His research includes how risk is legitimised by capital and the bottlenecks of cluster formation. 

Trey Herr was a fellow in the Cybersecurity Initiative and formerly with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. His work focuses on trends in state developed malicious software, the structure of criminal markets for malware components, and the proliferation of malware. 

Project Outline:

Dataset:

* If using Safari or Internet Explorer, right-click download link and select "Download Linked File"