Ever wonder how the dangerous programs that attack your PC are passed between unscrupulous minds? PC Advisor uncovers malware makers' business secrets.
PC Advisor uncovers hackers' supermarkets
On a normal-looking web forum, normal-sounding users are reviewing software products. "The best program in its class I have ever seen!" gushes one reviewer. "One of the most powerful products on the market!" adds a second.
They're familiar lines, used countless times by legitimate customers to describe legitimate products.
Until a single phrase gives the game away: "Works well – to find a new attacker."
These are satisfied customers of black-market malware. The program they are describing is used – successfully, it appears – to locate unprotected PCs, which then form the launchpad for malware, spam or DDoS (distributed denial of service) attacks on others.
Malware makers are increasingly employing conventional business practices to sell their work, with underground forums serving as product-testing grounds. In this way buyers can determine whether an attack program can do what its seller claims.
The illicit entrepreneurs even offer tech support and free updates for their malicious creations. Some forums feature escrow services for purchases made through them – the forum holds on to the transaction money as a neutral party until both buyer and seller approve the deal.
eBay for malware
Thomas Holt, assistant professor at the University of North Carolina's department of criminal justice, has spent the past year sifting through black-market sites and collecting data on internet attacks with his team.
At the recent DefCon hacker conference in Las Vegas, he explained how today's malware-peddling web forums use these buyer-friendly tactics to draw shoppers to their sites.
For obvious reasons, malware sites are places where anonymity is prized. Yet, paradoxically, individual sellers become well-known for the quality of their work – and reputations are jealously guarded. The pseudonyms used by malware writers work like eBay account names, giving buyers an idea of what they're getting for their money.
A new seller is an unknown quantity, Holt explains. As he garners positive user reviews, his reputation improves until he becomes a 'verified seller'. Conversely, if he's out to swindle the swindlers, he'll become labelled as an untrustworthy 'ripper' – someone who rips people off.
These reputations can persist even if a particular forum is shut down by authorities. Holt discovered one database that maintains a list of known scammers and even distinguishes public, unverified ripper complaints from vetted private complaints from registered members.
Malware lab tests
And this is just one example of modern marketplace practices in the underground. Some malware sites also mimic legitimate sites' product lab tests.
The PC Advisor Test Centre, for instance, evaluates products using a variety of criteria – everything from processor speed and application reliability to digital camera lens quality. Some malware forums offer the same kind of testing but, instead of benchmarking a PC's speed, they'll test whether a given Trojan can conduct the type of attack claimed by its author, or whether it communicates with other infected PCs in the promised manner. Holt found some sites will even spot-check stolen credit card numbers to ensure they're usable accounts.
Dirty tricks for hire
So what can a would-be internet criminal buy on these sites? For $400 (about £200) you can purchase 'Illusion DDoS Bot'. Maker Cyber Underground Project claims this is capable of launching a variety of DDoS attacks that can overwhelm websites and servers, with control managed through an IRC (internet relay chat) channel or a website.
On a budget? Just $30 (£15) will get you a customised Pinch data-stealing Trojan that its seller guarantees will not be detected by antivirus applications when it's delivered. Technical support is included in the deal.
If you need services, hire 'razorsasa' to churn out millions of pump-and-dump stock scam messages for $150 (£75) per million. And if you're not above using dirty tricks to beat an online competitor, a full day's worth of DDoS attacks costs just $100 (£50).
Those in the 'carding' business – that's where you rake in illicit earnings using stolen credit card numbers and financial account information – can use ID theft malware to pick up data dumps. Prices start at 20 cents per megabyte.
Whatever the purchase, the buyer typically contacts the vendor privately using an ICQ number, email or, in some cases, a private message sent through the forum. Money generally changes hands through untraceable online services such as e-gold or WebMoney.