Not Only Drugs: New Market Focuses On Code, 0Days & Exploits


Posted by: DeepDotWeb

April 8, 2015

We are happy to introduce yet another market – not only for drugs and digital items such as CCs, but one designed specifically for the sale of code, 0days and exploits. The market’s name is “TheRealDeal”.

And the market URL is: http://trdealmgn4uvm42g.onion (listed in our list)

We have conducted a short interview with the market admin:

What can you tell us about yourself / your market?

Ok, basically we consist of 4 partners who have a lot of experience in infosec. We have a lot of experience dealing in the clearnet when it comes to 0day exploit code, databases and so on .. But the problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.

We started off by using BitWasp, fully aware of its history and flaws, but since we have years of hands-on experience in the security industry and not much in web-design we decided it would be a good platform since we can make our own security assessments and patches while the whole multi-sig seems to work perfectly. We also wanted to avoid involving other people in the project for obvious reasons and that was another reason why not to hire a web designer etc… although we might hire one off the darknet soon, just to improve the UI a little.

On our market you can currently find 0day exploits, that have no CVE and have never been disclosed before, 1day FUD exploits – exploits that have been published but modified to be undetectable by any anti-virus, 1day private exploits – exploits that have known CVEs but code was never released for them and also information such as databases and remote admin tools. One of our vendors who messes around with GSM a lot is also going to post a listing for some very interesting hardware soon.

And why not use the digital items section on one of the existing markets like Agora where such items are being sold anyway?

Never seen 0day exploit code on any of these markets. We actually tried selling such information and codes ourselves at some point but it seems that all people want on those markets is credit cards and tutorials on how to make money with credit cards.

There are some IRC servers that are not easy to find or be invited to, where you can trade such items, but they are very hard to get to and we wanted to take a more ‘open-market’ approach.

IRC servers on the darknet I mean..

Are you offering multisig transactions?

Yes, at this point in time we are offering only multisig transactions – we figured that you can’t start a market with zero reputation and expect people to just deposit into a live wallet they have absolutely no control of, that sort of idea sounds crazy to us. We are also offering FE for vendors who join and have good reputation on other markets by the way.

We heard a few concerns about the usage of JS on your market, can you comment on that?

I understand that the people concerned about JavaScript are probably afraid of two things – One is cross site request forgery, where a link can be dropped via a message and once entered it will force the browser to take actions on another site (for example, as seen on other markets – “click” on release escrow on behalf of the user), we address this by using techniques that block cross site scripting completely.

I think the main concern regarding JS is to increase the attack surface against users by enabling JS exploits from the type we have seen on “freedom hosting”

The other concern people may have is exploitation .. but to be honest if the FBI has a zero day exploit that involves javascript, they will need to inject it into the site or send the user a message. The thing is that exploitation of web browsers is not limited to JavaScript .. they previously exploited a flaw that involves javascript but there are many exploits that can target a browser and heap spraying of the memory can be achieved even without javascript.

Besides that, we are currently working on moving everything that involves javascript to server side/php, but for now we are going to use javascript until the coding is complete and testing is over.

Will you be offering other products on the market or just code / 0days / exploits?

We recently added drugs due to the high demand, traditional for darknet markets, but we might consider removing this, we will have to see in the future. There is also a “services” category – anything can go there but we are hoping for some high quality blackhats to come forward and offer their services .. so anything from obtaining access to an email and getting a certain document and up to long term campaigns. Hardware category – for toys like fake cellular base stations and other physical ‘hacking’ tools. Information category for any kind of information, documents, databases, secret keys, etc.. We are also open to suggestions from our vendors :)

What is the vendor bond on the market?

We are currently offering free vendor accounts for 24 hours or so… we would love to see some new listings and inactive accounts will have to be removed after a certain period of time. After that the fee will start at somewhere around 0.2-0.5 BTC until the market is stable and has earned the right to ask for more.

Anything else you want to add?

Well I think it’s worth mentioning again that we are not keeping any hot-wallets, all transactions are based on multi-sig and the user interface is quite easy. We require only 1 confirmation from the network and once the transaction is signed (just a click of a button) by both sides – the escrow address releases the coins almost immediately.

I think people should bear in mind that JS bugs have been patched in recent releases of Firefox and exploits can target many parts of a browser even without JS. JS doesn’t expose people, exploits do :)

When it comes to security, we are experts. I cannot say much, but I will tell you that a lot of changes have been made to the smarty lib, the core and randomness of keys. Currently, besides patching up what we found during our assessment, we are also at the final stages of configuring and deploying a WAF and IPS – This is something we are very good at. Our servers consist of full disk encryption and will be worthless in case of seizure, and all the hashing functions have been modified and hardened. You might think I said too much on this, but there are a lot more cards up our sleeves ;)

Thanks for the interview!

Thanks a lot for the opportunity! And feel free to join and contact us at: http://trdealmgn4uvm42g.onion

Updated: 2015-04-08