Defcon The sale of Trojans, phishing kits and other types of malware thrives in a growing marketplace that resembles many of the more legitimate businesses that have set up shop online over the past decade.
With a wealth of online bazaars, 24-by-7 support and the ability for other buyers to weigh in on the quality of the products, this malware economy continues to make it easier to break into the shady world of computer crime.
Thomas Holt, a professor of criminal justice at the University of North Carolina at Charlotte, presented data collected by his honey net team over the past 16 months at the Defcon security conference in Las Vegas. Adopting user-feedback ratings, independent reviews and discounts for bulk purchases, the malware business models often appear to mimic those of eBay, Yelp or Ronco.
"It's especially important thinking about stolen data, when there's time sensitive materials involved," Holt said during his presentation. "You can basically build a nice arsenal of attack tools by going to these sites."
Holt's research was gathered with the help of a team of grad students who monitor about 30 forums on IRC and the web. His discovery of a bubbling underground economy that mimics the public web isn't exactly new. But it does bring a fresh infusion of data that suggests the economy is maturing and expanding.
Any boob can jump on an online forum and claim to have a flaw-free Trojan, so many online marketplaces adopt buyer-feedback ratings. Many sites compile user comments to generate labels that get attached to each forum participant. A "ripper," for example, describes fraudulent sellers out to rip off buyers while a "verified seller" designates a user known to actually deliver products that work as advertised.
There are also sites that provide independent reviews that sellers with positive feedback can link to when advertising their wares.
"Thanks you for a FreeJoiner," reads one syntax challenged user review concerning a malware tool by that name. "Is the best program in its class that I have ever seen, the result of these use was not long in coming, weaknesses and suggestions on the work simply no!"
The sites unabashedly promote the virtues of the malware tools advertised. An ad for the Suicide DDoS bot, for example, promises the malware can be controlled via web access or IRC, injects code into trusted processes, and is not detected by antivirus programs. An ad for the PG Universal Grabber Trojan promises standard updates, bug fixes and optimization as part of the $700 purchase.
It would seem that buying naughty code is as easy as buying Britney's undies on eBay. ®