Introduction

Computers and computer systems are becoming ubiquitous, managing everything from government databases, to grocery transactions, to activity on our own phones. These systems do not come without vulnerabilities, and the demand for exploiting those vulnerabilities has never been higher. So where does malicious software, the code designed to exploit these vulnerabilities, come from?

Malicious software is bought, sold, and traded. These transactions take place on websites that could be mistaken for eBay clones, over encrypted email between former colleagues, and in the open, when vendors publicly offer cash for flaws in their own software. The malware markets are home to both defensive groups, such as software vendors, and offensive groups, such as criminal networks and other attackers. Companies build and sell malicious code at every scale, from single exploits up to integrated surveillance packages. Underneath all of this is a global network of companies, criminal groups, individuals, and even governments that build, buy, and sell code.

Key Definitions:

Malware: Software that a malicious third party uses to manipulate a computer system

Vulnerability: A software flaw, or a legitimate feature, that an attacker can abuse to manipulate the system

Exploit: Part of malware, a small program written to take advantage of a specific vulnerability

Exploit kit: A collection of software exploits used to deliver malicious payloads. Often rented as a service.

Propagation method: Part of malware, a means to deploy malware from one computer to another

Payload: Part of malware, code designed to achieve a specific outcome, like stealing passwords

Bug bounty program: A program in which a software vendor pays researchers for information about vulnerabilities in its products

Offensive Actors: Individuals or groups working to compromise and manipulate computer systems and networks, e.g. the Russian Business Network, a criminal organization

Defensive Actors: Individuals and groups working to prevent the compromise and manipulation of computer systems and networks, e.g. US-CERT, a government agency that helps coordinate vulnerability information and response to major incidents