If you have a spare $90K and want to exercise your nefarious hacker alter-ego, there is a new zero-day vulnerability in the dark web store just waiting for your payment – in Bitcoin, of course.

Trustwave has just discovered what could be a significant Windows zero-day vulnerability that is going for US$90,000 on the underground cybercrime market. Its SpiderLabs security researchers found a post from a cybercriminal on underground forums claiming to have this vulnerability which could affect almost all Windows machines on the planet.

If the cybercriminal’s claims are true, the local privilege escalation (LPE) vulnerability exists in all versions of Windows starting from Windows 2000, potentially impacting over 1.5 billion Windows users.

If exploited, the vulnerability allows attackers to upgrade any Windows user-level account to an administrator account, giving them access to install malicious software, gain access to other machines, change user settings and an array of other potentially damaging acts.

The dark web is the principal place of business for hacker types. Trustwave says it has seen the business model change too. It has seen exponential growth in the underground economy. Criminals are organising their efforts online on a scale it has not seen before. Capitalising on the anonymity of private forums, cryptocurrency, and anonymous networks, cyber criminals have evolved their techniques and tactics tremendously.

“We've seen small malware campaigns become malware-as-a-service where malware can equal instant revenue through ransomware. Single 'drive-by' malicious websites have become distributed exploit kits.” Crime as a service – CaaS.

This zero-day exploit offering is a little different. “A zero-day being offered for sale stood out among the other offerings in an underground market for Russian-speaking cybercriminals. This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose.

"However, finding a zero-day listed in between these fairly common offerings is an anomaly. It goes to show that zero-days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”

Trustwave sums it up. “All software has bugs. This is the base assumption of any person who has ever worked with code, security professional or developer. Trustwave SpiderLabs has worked with Microsoft for many years, and we know first-hand the amazing lengths Microsoft goes to prevent zero-days, from embracing independent research and bug bounty programs to establishing the MAPP program with transparency into their patching process. Unfortunately, it's occasionally the case where criminals find those bugs before the 'good guys'."