Zero-Day Exploits in the Dark

April 21, 2015 by Pierluigi Paganini


Black markets deployed on anonymizing networks such as Tor and I2P offer all kinds of illegal products, including drugs and weapons. They represent a pillar of the criminal ecosystem, as these black markets are the privileged places to acquire illegal goods and services while preserving the anonymity of both sellers and buyers and making it difficult to track payment transactions operated through virtual currencies like Bitcoin.

Most people are unaware that among the most attractive goods in the underground market are zero-day exploits: malicious code that hackers can use to exploit unknown vulnerabilities in any kind of software.


The availability of zero-day exploits is a key element for a successful attack. The majority of state-sponsored attacks that go undetected for years rely on the exploitation of an unknown flaw in popular products on the market and SCADA systems.

Zero-day exploits: A precious commodity

Security experts have debated on several occasions the importance of zero-day exploitation in designing dangerous software that could target any kind of application. Zero-day exploits are among the most important components of any cyber weapon, and for this reason they are always present in the cyber arsenals of governments.

Zero-day exploits could be used by threat actors for sabotage or for cyber espionage purposes, or they could be used to hit a specific category of software (e.g. mobile OSs for surveillance, SCADA applications within a critical infrastructure). In some cases, security experts have discovered large-scale operations infecting thousands of machines by exploiting zero-day vulnerabilities in common applications (e.g. Java platform, Adobe software).

A few days ago, for example, security experts at FireEye detected a new highly targeted attack run by the APT28 hacking crew exploiting two zero-day flaws to compromise an "international government entity." In this case, APT28 took advantage of zero-day vulnerabilities in Adobe Flash software (CVE-2015-3043) and the Windows operating system (CVE-2015-1701).

Zero-day exploits are commodities in the underground economy. Governments are the primary buyers in the growing zero-day market. Governments aren't the only buyers, however; exploit kits that include zero-days are also acquired by non-government actors. In 2013 it was estimated that the market was able to provide 85 exploits per day, a concerning number for the security industry, and the situation today could be worse.

It has been estimated that every year, zero-day hunters develop a combined 100 exploits, resulting in 85 privately known exploits, and this estimation does not include the data related to independent groups of hackers, whose activities are little known.

Zero-day hunters are independent hackers or security firms that analyze every kind of software searching for a vulnerability. Then this knowledge is offered in black marketplaces to the highest bidder, no matter if it is a private company that will use it against a competitor or a government that wants to use it to target the critical infrastructure of an adversary.

A study conducted by the experts at NSS Labs in 2013 titled "The Known Unknowns" reported that every day during a period of observation lasting three years, high-paying buyers had access to at least 60 vulnerabilities targeting common software produced by Adobe, Apple, Microsoft and Oracle.

"NSS Labs has analyzed ten years of data from two major vulnerability purchase programs, and the results reveal that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. Further, it has been found that these vulnerabilities remain private for an average of 151 days. These numbers are considered a minimum estimate of the 'known unknowns', as it is unlikely that cyber criminals, brokers, or government agencies will ever share data about their operations.

Specialized companies are offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker (for example, 25 zero-days per year for USD $2.5 million); this has broken the monopoly that nation states historically have held regarding ownership of the latest cyber weapon technology. Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year."

On the black market, a zero-day exploit for a Windows OS sells for up to $250,000 according to BusinessWeek, a good incentive for hackers to focus their efforts on the discovery of this category of vulnerabilities. The price could increase significantly if the bugs affect critical systems and the buyer is a government that intends to use it for Information Warfare.

What is very concerning is that in many cases, the professionals who discover a zero-day, in order to maximize gains, offer their knowledge to hostile governments who use it also to persecute dissidents or to attack adversary states.

The zero-day market follows its own rules: the commodities are highly perishable, the transactions are instantaneous, and the agreement between buyers and sellers is critical.

"According to a recent article in The New York Times, firms such as VUPEN (France), ReVuln (Malta), Netragard, Endgame Systems, and Exodus Intelligence (US) advertise that they sell knowledge of security vulnerabilities for cyber espionage. The average price lies between USD $40,000 and USD $160,000. Although some firms restrict their clientele, either based on country of origin or on decisions to sell to specific governments only, the ability to bypass this restriction through proxies seems entirely possible for determined cyber criminals. Based on service brochures and public reports, these providers can deliver at least 100 exclusive exploits per year," states the report.

In particular, the US contractor Endgame Systems reportedly offers customers 25 exploits a year for $2.5 million.

The uncontrolled and unregulated market of zero-day exploits poses a real threat to any industry. For this reason, security experts and government agencies constantly monitor its evolution.

The zero-day market in the Deep Web: "TheRealDeal" marketplace

Zero-day exploits have been available in several underground Deep Web marketplaces for a long time, and it is not difficult to find malicious codes and exploit kits in different black markets or hacking forums. Recently a new black market dubbed TheRealDeal has appeared in the Deep Web. The platform was designed to provide both sellers and buyers a privileged environment for the commercialization of precious goods.

Figure - TheRealDeal Marketplace

TheRealDeal (http://trdealmgn4uvm42g.onion) service appeared last month and it is focused on the commercialization of zero-day exploits. The singular marketplace is hosted on the popular Tor network to protect the anonymity of the actors involved in the sale of the precious commodity.

The market offers zero-day exploits related to still unknown flaws and one-day exploits that have been already published, but are modified to be undetectable by defensive software.

Figure - One-day private exploits

The operators also offer one-day private exploits with known CVEs, but for which the code was never released. They also announced that a seller specializing in exploits for the GSM platform will soon offer a listing for some very interesting hardware.

Who is behind TheRealDeal?

The 'deepdotweb' website published an interview with one of the administrators of the black market who explained that the project is operated by four cyber experts with significant experience dealing in the "clearnet when it comes to zero-day exploit code, databases and so on."

The administrator explained that the greatest risk in commercializing zero-day exploits is that in the majority of cases, the code does not work or the sellers are simply scammers.

Another factor that convinced the administrators to launch the TheRealDeal zero-day marketplace is that the places where it is possible to find these precious goods are not always easy to reach. There are some IRC servers that are not easy to find or that require an invitation. By contrast, TheRealDeal wants to be an 'open market' focused on zero-days.

The four experts decided to launch the hidden service to create a marketplace where people can trade zero-day exploits without becoming a victim of fraud and while staying in total anonymity.

"We started off by using BitWasp, fully aware of its history and flaws, but since we have years of hands-on experience in the security industry and not much in web-design we decided it would be a good platform since we can make our own security assessments and patches while the whole multi-sig seems to work perfect. We also wanted to avoid involving other people in the project for obvious reasons and that was another reason why not to hire a web designer etc… although we might hire one off the darknet soon, just to improve the UI a little," said one of the administrators.

Below is the list of products available on the TheRealDeal marketplace:

0-Day exploits (4)

  • FUD Exploits (4)
  • 1Day Private Exploits (1)

Information (5)

  • Money (36)
  • Source Code (4)
  • Spam (3)
  • Accounts (7)
  • Cards

Other Tools (3)

  • RATs (1)
  • Hardware (2)


  • Misc (6)
  • Pharmacy (12)
  • Cannabis (5)
  • LSD (1)
  • Shrooms (2)
  • MDMA (6)
  • Speed (5)

Services (8)


  • Hot (1)
  • Cold (6)
  • CNC

Analyzing the product listing of TheRealDeal Market, it is possible to note the availability of zero-day exploits, offered as source code that could be used by hackers in cyber attacks, and of course any kind of hacking tool. The list is still short because the market is still in an embryonic stage, but the policy of its directors is clear.

"Welcome…We originally opened this market in order to be a 'code market' — where rare information and code can be obtained," a message from the website's anonymous administrator reads. "Completely avoid the scam/scum and enjoy the real code, real information and real products."

Among the products there is a new method of hacking Apple iCloud accounts and exploit kits that could be used to compromise WordPress-based websites and both mobile and desktop OSs (e.g. Android and Windows).

The price tag for the iCloud hack is $17,000, and as explained by the seller, it is possible to compromise any account. The buyer could pay in Bitcoin to make their identification difficult.

"Any account can be accessed with a malicious request from a proxy account," reads the description of the hack available on TheRealDeal marketplace. "Please arrange a demonstration using my service listing to hack an account of your choice."

Figure – Zero-day exploits

The listing also includes an Internet Explorer attack that is offered for $8,000 in Bitcoin, as reported by Wired in a blog post:

"Others include a technique to hack WordPress' multisite configuration, an exploit against Android's Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin … Found 2 months ago by fuzzing," the seller writes, referring to an automated method of testing a program against random samples of junk data to see when it crashes. "0day but might be exposed, can't really tell without risking a lot of money," the seller adds. "Willing to show a demo via the usual ways, message me but don't waste my time!"

The list of products has been recently updated. It also includes an exploit for the MS15-034 Microsoft IIS Remote Code Execution vulnerability, a flaw that is being actively exploited in the wild against Windows 7, 8, and 8.1, Windows Server 2008 R2, 2012, and 2012 R2.

TheRealDeal market also offers other products very common in the criminal ecosystem, including drugs, weapons, and Remote Access Trojans (RATs).

The operators also created a specific "services" category with the intent to attract high-profile black hats offering their hacking services (e.g. email account takeover, DDoS services, data theft, hacking campaigns). The Information category was created for sellers that offer any kind of information, documents, databases, secret keys, and similar products.

TheRealDeal doesn't implement a real escrow model; instead it adopts a multi-signature model to make any financial transaction effective. Basically, the buyer, the seller and the administrators jointly control the amount of Bitcoin to transfer, and any transaction needs the signature of two out of the three parties before funds are transferred. The administrators decided to implement multisig transactions because their marketplace is very young and without reputation. This means that people have no incentive to deposit a sum of money for something that they are not able to verify.

It is curious to note that the marketplace also offers drugs due to high demand, but according to the administrators they might consider removing them in the future.

There is also a "services" category – anything can go there, but we are hoping for some high quality blackhats to come forward and offer their services, anything from obtaining access to an email and getting a certain document and up to long term campaigns. The hardware category is for toys like fake cellular base stations and other physical 'hacking' tools. The information category is for any kind of information, documents, databases, secret keys, etc.

In the following table are the principal product categories offered in the market and their prices.

Category: 0-Day exploits

  Apple id / iCloud remote exploit           USD 17025,52
  Internet Explorer <= 11                    USD 7840,70
  Android WebView 0day RCE                   USD 8176,73
  Wordpress MU RCE                           USD 1008,09

Category: FUD Exploits

  FUD .js download and execute               USD 291,23
  Adobe Flash < (CVE-2015-0313)              USD 560,05
  Adobe Flash < (CVE-2015-0311)              USD 560,05

Category: 1Day Private Exploits

  MS15-034 Microsoft IIS Remote              USD 42313,18

Category: Hardware

  A5/1 Encryption Rainbow Tables             USD 67,21

Category: Source Code

  Banking malware source code                USD 2,11
  Alina POS malware full source code         USD 0,92
  Exploit Kits Source Code                   USD 1,82
  "Start your own market" code and server    USD 7959,43

I'll keep you updated on the evolution of the TheRealDeal marketplace in the coming weeks.








Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.