

The Black Market Code Industry

By: Adam L. Penenberg
Inside the shadowy underworld where rogue employees sell holes in their companies' software. The buyers: security firms, mobsters, and -- surprise -- the U.S. government.

Photo Illustration by Olugbenro Ogunsemore

Juergen Marester, a 24-year-old French network consultant, needed seed capital to start his own computer-security company. So he turned to his off-hours hobby -- black-hat hacking -- and did what a growing number of hackers are doing: selling "0days" (pronounced "oh-days" or "zero days," it generally refers to unknown, or zero-hour, software threats). These are recipes and code for penetrating the software run by governments, corporations, and private citizens. When properly deployed, 0days can result in minor disruptions such as a Web site's temporary paralysis. At their extreme, they grant an attacker total control over a network. 

In August 2007, Marester announced on a popular computer-security forum that he had 0days for Linux, HP-UX (the computer maker's popular Unix database software), Microsoft Windows, and Apache. "Please let me message by mail if you are interested," he typed. By mid-September, he also offered 0days for SAP, Mozilla Firefox, Microsoft's Office 2003 and 2007, and Internet Explorer. "For any interest, please mail me to this adress [sic]. Good bye and have a good day."

The posts weren't unusual for this forum, except, perhaps, for their politeness. They provide a window into a thriving black market for hackerware, where computer-security firms, mobsters, corporate spies, cybercrime rings, and government agents rub shoulders with code jockeys looking to score quick bucks. Any company or government entity running popular programs, such as the ones on Marester's list of targeted software, is at risk, and governments -- both allies and enemies of the United States -- are among the biggest buyers. According to the Electronic Frontier Foundation, as a general rule, it isn't illegal to offer vulnerabilities (the holes in software) and exploits (the code that does the actual penetration) for sale. What's different about Marester's case, as I would learn, is that the seller worked for one of the companies whose code he promised to compromise.

I first learned of Marester from an American computer-security consultant, who had been taken aback by the sheer number of 0days -- some of them very powerful -- that Marester was hawking. In the interest of protecting his own clients, the security professional and some colleagues posed as buyers and, over the course of four months, won the hacker's confidence. Eventually, Marester revealed his true identity in order to collect his bounty. The security pros, who requested anonymity for this article, turned over their evidence to me, including an extensive email trail.

To better understand the black-market trade in hacker code, I contacted several well-placed sources in information security, government, and law enforcement, most of whom wouldn't speak on the record. A few provided access to black-hat sellers claiming to reap serious money from peddling vulnerabilities and exploits. Over time, I have been able to sketch a somewhat murky picture and was surprised to learn that the buyer who pays the most -- by far -- for black-market code is the United States government.

From Issue 127 | July 2008
