In my recent article about the shrinking patch-window, we already talked about the need for zero-day anomaly detection in networks. There is less and less time available for patching any new vulnerabilities, since it takes malware authors now only around two days to release a new worm, after an exploit has been published. Clearly, this trend is only going to get worse, thereby making signature-based systems even more vulnerable.
Yesterday then, the Sydney Morning Herald published an article, in which it is also claimed that zero-day threats are becoming more common. Even more interesting is the article's brief discussion about the increasingly common practice of software vendors to offer bounties for newly discovered vulnerabilities. The idea is that if someone finds a vulnerability in a piece of software they are more likely to contact the vendor if there is a chance to get some money for it, instead of just posting it on the Internet. That way, the vulnerability may be fixed before anyone else, including worm authors, will find out about it.
However, the article points out that if the offered bounty is not satisfactory to the discoverer of the vulnerability, they may just find someone else who is willing to pay more. The implication is, of course, that we may witness the beginning of a large-scale black-market for newly discovered vulnerabilities.
We all know that by now much of the malware that we are inundated with is written for financial gain: Spam zombies, DDoS zombies for extortion, botnets for rent, phishing, information gathering, etc. Obviously, there is money to be made. Therefore, it is not at all far-fetched to think that the same individuals who make money by renting out or using botnets would be willing to pay for a newly discovered vulnerability. After all, such a vulnerability would allow them to gather even more zombies through the release of a new worm.
Therefore, we may be faced with the fact that now a new line of individuals can benefit from illegitimate activities on the Internet: Computer experts who find vulnerabilities for a living, and sell them off to the highest bidder. It seems to me that the business of using, writing and enabling malware draws wider and wider circles.
Obviously, for the operators of mission critical networks, zero-day anomaly detection is now needed more than ever, because things only seem to take turns for the worse.