A new study from antivirus vendor Trend Micro found that cybercriminal forums continue to advertise exploits for a vulnerability years after a patch has been released, with sellers adjusting prices to market demand and bundling multiple old exploits together to maximize profits.

The study, which spanned nearly two years and numerous illicit marketplaces, found that nearly half of the software exploits requested on forums were for vulnerabilities that were at least three years old. Demand for exploits also tracks the popularity of software: Microsoft products accounted for approximately 47% of the exploits that forum users requested, according to Trend Micro.

While zero-day software flaws, or those unknown to the vendor, can fetch tens of thousands of dollars on the forums, other hacking tools are cheap or even free. On an English-language forum, Trend Micro found JavaScript exploits for $40 and Microsoft Word exploits for $100.

“Patching yesterday’s popular vulnerability can be more important than today’s critical one,” Mayra Rosario Fuentes, senior threat researcher at Trend Micro, argued Monday at a presentation at the RSA Conference. She was previewing the research, which Trend Micro will release in July.

What gets sold on the exploits market. Source: Trend Micro
Most-requested exploits. Source: Trend Micro
Outdated exploits being sold on underground forums. Source: Trend Micro
