The (Russian) Neutrino exploit kit was first described by the French researcher Kafeine (Malware don't need Coffee) almost exactly one year ago. "A new exploit kit is being advertised since yesterday on underground forum : Neutrino," he announced. Now it is for sale.
Yesterday, Softpedia reported, "The author of the Neutrino exploit kit has reportedly decided to sell his creation. The reason: he says he doesn’t have time to deal with customer support, accepting payments and the other activities that come with the territory." But is this the whole story?
After the arrest of Paunch in Russia, a new price list was advertised for Neutrino on Pastebin. It included (Google translation), "Rent a personal server for our foreign friends (not Russian speakers)... Price: $1 million a month." But now, according to Softpedia, that author is willing to sell the exploit kit for just $34,000.
"Security researcher Trojan7Sec has contacted the author of the exploit kit," notes the Softpedia report, "and learned that Neutrino brings him a monthly profit that ranges between $30,000 (€21,800) and $60,000 (€43,600)." That means that he is willing to sell his product for less than the income of a 'good' month – and on the surface, that doesn't sound likely.
But it could make sense, ESET senior research fellow David Harley told Infosecurity: "customer support, financial administration etc. – is very likely to be at least part of it." Ironically, he explained, "it reflects a similar issue in the security industry: customer support is a major outlay for anti-malware vendors, which is why they don’t usually provide one-to-one support for free products." It's common, he added, for software developers to cash in on their products and move on to something new. "Of course, it would be naive to assume that a malware author is telling the whole truth about anything he does..."
Harley's hypothesis is supported by the developer's supposed sales message: "Reason for sale: Time. There are projects in other areas in the gray zone with a very high envelope."
Luis Corrons, technical director at PandaLabs, wonders if, following the arrest of Blackhole author Paunch, "he might not want to risk his freedom, and wants to sell and forget about this business because he feels law enforcement is getting close;" but added that might just be wishful thinking on his own part. More possible, he told Infosecurity, "This is a strategy to rip off law enforcement willing to pay for that kind of intel, and for the same price can feed them with fake data." An alternative motive, he suggested, "He is planning to sell his client list in pieces (making much more money than the $34,000 quoted)."
Michael Sutton, VP of security research at Zscaler, is another who thinks there is more to this than meets the eye – and also suspects the Paunch effect. "Neutrino is a relatively new entrant on the scene and not a major player, but according to the Neutrino developer, still netting a tidy profit. The numbers don't however add up," he told Infosecurity. "Entrepreneurs do not generally sell a product at price ($34K), which is at or below total monthly profits ($30K-$60K). One wonders if the author is starting to feel the heat after the arrest of Paunch, the Blackhole Exploit kit author, by Russian authorities last October."
Any potential buyer for the Neutrino exploit kit will need to hope that there is honor among thieves; but would be foolish to expect it.