Computerworld

Web 2.0 sites a thriving marketplace for malware

Hacker groups making a name for themselves in the thriving world of malware and computer crime

A wiry young man with his head shaved and wearing a tank top points a handgun straight at the camera in a disturbing YouTube video. The man wears what appears to be a wedding ring, and he gazes vacantly away from the viewer.

Though it's an odd image for an advertisement, this video isn't promoting your average company. It's from a not-so-underground Albanian hacker group that's out to make a name for themselves in the thriving world of malware and computer crime. Besides the shot of the gunman, the video showcases images of a computer screen, a table loaded with foreign currency, and plenty of links to the group's Web site.

Malware is big business, and groups like the Albanian hackers are trying to cash in, using the latest Web 2.0 tools: social networking profiles, blogs, and other publicly available media and Web pages. The digital desperados are moving more and more into wide-scale advertising and brand building on public sites and networks to grow their underground trade.

Not Illegal

But wait a minute — how can people get away with selling programs for breaking into your PC or stealing your identity? Simple: Selling malware is not directly illegal in the United States (or nearly anywhere else). Only using it is illegal.

As the malware underground grows, "it's moving away from technology towards business," says Zulfikar Ramzan, senior principal researcher with Symantec Security Response. While virus vendors are still quick to jump on the latest security vulnerability or technical trick, "the real innovations are more business and marketing," he explains.

On the face of it, public ads appear to violate the number-one rule of any illegal activity: Don't make yourself known. And it's true, says Ramzan, that "the more sophisticated guys are more quiet." But since the writers and sellers of Trojan horses and other malicious apps have no real fear of legal repercussions, they have no compelling reason to be shy.

Don Jackson, a senior research­er with managed security services provider SecureWorks, says the Albanian advertisers are a team of hackers who break into computers and networks. "They want to be used for criminal purposes," he says. So they advertise.

Another video ad, this one from a Turkish group, hypes a program used to break into PCs. The group's name and logo (a stylized alien face with the Turkish crescent-and-star emblem on its forehead) play front-and-center in the program's graphical interface, and the video's speaker walks the viewer through a 5-minute-plus tutorial on using the program. More than 17,000 people have watched it.

Beyond YouTube

YouTube is a popular venue for ads from malware makers, with videos for supposedly undetectable Trojan horses, "packers" that compress and obfuscate malware payloads, and even password stealers for breaking into Steam online game accounts. (Asked about the trend, a spokesperson says that YouTube doesn't control site content, but that it will investigate if viewers report videos as inappropriate.)

Advertisements from Internet bad guys don't stop with YouTube. According to Jackson, many online thugs maintain profiles on social networking sites and blogs to keep in touch with their business partners and customers. Many bot­net controllers, who sell time on their networks of bot-infected PCs to spammers and other crooks, keep blogs on the livejournal.com site, Jackson says.

Page Break

The crooks who use these profiles and blogs may not give themselves away with direct references to nefarious malware activities. But the sites provide a more distributed, harder-to-track way of keeping in touch than using one particular underground site. They may also offer a platform for spouting fascist ideology, as Jackson refers to one Russian underground figure known as 'lovinGOD,' or some other pseudo-philosophy that ties one or more of these groups together.

And the pages advertise the bad guy's contact info--an ICQ handle, say, or some other way to get in touch about buying or selling malware.

The profiles offer "the capability of hiding in plain sight," says Tom Bowers, senior security evangelist with antivirus-maker Kaspersky Lab. Thankfully, they're not entirely hidden. Bowers says he works with law enforcement professionals, who try to track the bad guys through social networks. But the crooks are watching the cops, too.

The researchers at the SpywareGuide Greynets Blog recently discovered that malware pushers, pedophiles, and other criminals on MySpace were using a trick to track their trackers. A few lines of Javascript code inserted on a profile meant that if you happened across that page, "you [were] automatically subscribed to that person's video channel." Meaning the profile owner got "a record of every single Myspace user that has visited [his] profile page." (MySpace says it's working on closing this hole.)

Limits of the Law

All these public ads and profiles can help law enforcement glean useful data for investigations. But since selling malware isn't illegal, they're unlikely to lead directly to prosecutions.

Of course, using malware is clearly illegal. And a Department of Justice spokesperson says it could charge a virus vendor with aiding and abetting, or conspiracy to commit a crime, if it busted someone else who used that purchased malware to infect a PC. But the prosecutors would have to prove the seller intended for the code to be used in criminal dealings, instead of, say, security research, which makes it a fair bit harder. The spokesperson said she couldn't find any instances of actual prosecutions of this type in her initial search of cases.

And that's just in the United States. In many parts of the world, bringing known phishers and malware lawbreakers to justice isn't exactly a priority.