Pssst! Wanna Buy a Dangerous Security Hack?

A cyber worm experts believe was designed to knock out Iran's nuclear facilities has the security industry seeing red -- and rightly so. Replicating the virus would be easy, say experts, thanks to an easily accessible black market for destructive programming code.

Databases of such code that exploits security flaws are common on the Internet. Some are run by businesses as a research tool, such as's Zero Day Tracker, intended to catalog the severity of vulnerabilities and promote awareness. "Hacktivists" gather on others, such as inj3ct0r. But there's another source of these hacks, one far more malicious.

Jay Bavisi, president of security firm EC-Council, told that cybercriminals who intend to write similar worms can buy code on an open black market that exploits security flaws not listed in those databases -- code snippets that are retailed to the highest bidder.

"It's like eBay for hackers," Bavisi told

Most security experts believes a country released the Stuxnet worm to attack Iran's Bushehr nuclear plant, be it China, Israel, Russia or even the U.S. But whoever they were, the worm's author could have bought the code that made it function on the black market, said Gerry Egan, director of Symantec's Security Response team.

"Money has been spent on these [worms], whether by directly purchasing them or hiring people with the necessary skills" to poke their own holes in the nuclear plant's computing infrastructure, Egan said. In fact, Stuxnet used several system flaws to do its dirty work, called zero-day exploits because they take advantage of current flaws functioning on "day zero" -- meaning right now.

"This attack used four different zero-day vulnerabilities. Is that a lot? Well, yes it is," he told, explaining that there were just 12 of this type of vulnerabilities patched in 2009.

A country may have been behind Stuxnet, but Bavisi is concerned that well-funded terrorist organizations have just as much access to this type of code behind the security breach as nations do, thanks to these black markets.

"There are terrorist organizations that are extremely well funded and know how to hire hackers like this," he pointed out. "And if you go to the underground community, you can buy these exploits."

Just who mans these black markets, these eBays for illegal code? "Some very sophisticated hackers do this, they write this code, they find these vulnerabilities" Bavisi told "It's a full time job," Bavisi added, noting that depending on precisely how a particular security hole can be exploit, the price of the vulnerability gets higher. If there are a lot of buyers, the hack sells for a higher price. Much higher.

"It can be as cheap as $1,000, it can be as expensive as a million. It depends on what it does and who's buying," Bavisi said. And this lucrative field is only growing, noted Symantec's Egan, describing his company's efforts to patch security holes.

"A few years ago, we were writing 5-10 a week," he told These days, the company sees "millions of new threat variants per week."

Microsoft struggles to keep pace with the security holes hackers identify in its Windows operating system, consistently releasing patches for such security threats on Tuesdays -- a day security experts widely call "patch Tuesday." But the same consistency that allows IT professionals to anticipate updates makes it easy for cybercriminals to work around them.

"Every Tuesday Microsoft releases patches. But every Wednesday its business as usual for hackers. They reverse engineer the malware. And they send it out there," Bavisi told

Stuxnet used four zero-day attack, making it an especially complex piece of code, but there's another security problem, Bavisi noted: people.

"They are trying to go after the human element," he said, a technique pioneered decades ago by proto-hacker Kevin Mitnick. Security experts call it social engineering, and it played a crucial role in the Stuxnet attack too.

Symantec's Egan explained that "it can be as simple as dropping a few USB keys in the parking lot outside strategic facilities and relying on people's natural curiosity" to get a virus installed. And the availability of black-market, sophisticated hacks -- and the continued reliance on tried-and-true social engineering -- make a dangerous combination, Bavisi said.

"This is just the beginning," he warned. "There's a lot more coming our way."'s SciTech section is on Twitter! Follow us @fxnscitech.