Who is Involved with the Malware Markets?

Marketplaces for malware exist both on the web and between individuals, and many different types of transactions take place in them. There are essentially two overlapping markets for malicious software. The “defensive market” is home to software vendors and firms that acquire software vulnerabilities in order to develop patches. The “offensive market” is home to states and criminal groups: actors purchasing components and services in order to compromise computer systems. Many goods are common to both. Vulnerabilities, for example, are simply information: they can be rediscovered independently by many parties, traded at no marginal cost, and provide value to vendors and attackers alike. The “defensive market” buys through different mechanisms, however, with greater transparency through competitions and even some publicly available bug bounty leaderboards. The “offensive market” resembles a more traditional illicit marketplace, with highly opaque transactions and a larger role for intermediaries who manage uncertainty and reputation across participants.

Governments participate in these markets. As offensive actors, governments purchase everything from vulnerabilities to entire surveillance systems. Organizations like the FBI may find themselves unable to solve difficult technical problems and turn to companies to overcome challenges like a locked iPhone. Countries without the technical capability to build surveillance malware themselves, like Mexico, use the markets for malware to outsource the job or the development to a third party. The resulting tool can be expensive, on the order of millions of dollars, even if it is only useful for a short time. As defensive actors, governments encourage security standards that make attacks more difficult and even drive disclosure of vulnerabilities with programs like Hack the Pentagon.

Companies play a major role as well, both offensive and defensive. Software vendors produce the software whose functionality attackers manipulate. Many of these same companies offer bug bounty programs, small cash payments in exchange for identifying flaws in their software, which act as a form of competition to those looking for vulnerabilities for malicious purposes. Netscape, whose browser code base later became the Mozilla project, was one of the first to offer such a program, in 1995, for the Netscape browser. Today, dozens of organizations have bounty programs, including Google, Microsoft, and even Apple, while companies like Bugcrowd and HackerOne offer to build and run bounty programs for other firms. Some of these vulnerabilities might otherwise flow to offensive actors, or to brokers like Zerodium. These brokers buy and sell to a variety of groups, including non-state actors and governments.

Market Dynamics

Offensive Players

The offensive market is closer to what we usually think of as a criminal marketplace: it consists of players who wish to purchase products and services to compromise computer systems. The use of such malware without permission is often illegal, so many of these transactions take place outside of easy observation, for example on websites reachable only through Tor or similar sites on the Dark Web, a part of the Internet accessible only by means of special software that allows users and website operators to remain anonymous or untraceable.

Major Players

States: mainly interested in tools for espionage or surveillance. This market is especially useful to states that do not have advanced capabilities themselves, such as the Republic of Sudan, and are able to purchase tools put together by others.
Criminal Groups or Individuals: whose identities and motives vary. An example of one of these players is the criminal group that gained access to many of Target’s credit card transactions in 2013.

Defensive Players

The defensive market functions largely in reaction to the offensive market and serves companies that are increasingly eager to acquire information to help protect their products. Vulnerabilities are purchased by organizations so that the flaws in their software can be identified and subsequently patched; the purchases serve identification and repair rather than actual use of the vulnerability. Because of the nature of this market, it tends to be more open and transparent, involving large-scale bug bounty programs and publicized competitions, one being Pwn2Own.

Major Players

Vendors and Corporations: Many of the largest tech companies, including Google, Facebook, and Microsoft, have extremely active bug bounty programs and competitions, which offer cash rewards in return for identifying vulnerabilities.
States: This is an extremely small portion of the market. However, government organizations, like the U.S. Department of Defense, have also started bug bounty programs that pay individuals to find bugs on government websites.


Edit (September 6, 2017): We have added text and links to clarify how brokers buy and sell to different groups.