Ever wonder how the dangerous programs that attack your PC are passed between unscrupulous minds? PC Advisor uncovers malware makers' business secrets.
On a normal-looking web forum, normal-sounding users are reviewing software products. "The best program in its class I have ever seen!" gushes one reviewer. "One of the most powerful products on the market!" adds a second.
They're familiar lines, used countless times by legitimate customers to describe legitimate products.
Until a single phrase gives the game away: "Works well – to find a new attacker."
These are satisfied customers of black-market malware. The program they are describing is used – successfully, it appears – to locate unprotected PCs, which then form the launchpad for malware, spam or DDoS (distributed denial of service) attacks on others.
Malware makers are increasingly employing conventional business practices to sell their work, with underground forums serving as product-testing grounds. In this way buyers can determine whether an attack program can do what its seller claims.
The illicit entrepreneurs even offer tech support and free updates for their malicious creations. Some forums also provide an escrow service for purchases made through the site – the forum holds the buyer's money as a neutral third party and releases it to the seller only once both sides approve the deal.
eBay for malware
Thomas Holt, assistant professor at the University of North Carolina's department of criminal justice, has spent the past year sifting through black-market sites and collecting data on internet attacks with his team.
At the recent DefCon hacker conference in Las Vegas, he explained how today's malware-peddling web forums use these buyer-friendly tactics to draw shoppers to their site.
For obvious reasons, malware sites are places where anonymity is prized. Yet, paradoxically, individual sellers become well-known for the quality of their work – and reputations are jealously guarded. The pseudonyms used by malware writers work like eBay account names, giving buyers an idea of what they're getting for their money.
A new seller is an unknown quantity, Holt explains. As he garners positive user reviews, his reputation improves until he becomes a 'verified seller'. Conversely, if he's out to swindle the swindlers, he'll become labelled as an untrustworthy 'ripper' – someone who rips people off.
These reputations can persist even if a particular forum is shut down by authorities. Holt discovered one database that maintains a list of known scammers and even distinguishes public, unverified ripper complaints from vetted private complaints from registered members.
Malware lab tests
And this is just one example of modern marketplace practices in the underground. Some malware sites also mimic legitimate sites' product lab tests.
The PC Advisor Test Centre, for instance, evaluates products using a variety of criteria – everything from processor speed and application reliability to digital camera lens quality. Some malware forums offer the same kind of testing but, instead of benchmarking a PC's speed, they'll test whether a given Trojan can conduct the type of attack claimed by its author, or whether it communicates with other infected PCs in the promised manner. Holt found some sites will even spot-check stolen credit card numbers to ensure they're usable accounts.
Dirty tricks for hire
So what can a would-be internet criminal buy on these sites? For $400 (about £200) you can purchase 'Illusion DDoS Bot'. Maker Cyber Underground Project claims this is capable of launching a variety of DDoS attacks that can overwhelm websites and servers, with control managed through an IRC (internet relay chat) channel or a website.
On a budget? Just $30 (£15) will get you a customised Pinch data-stealing Trojan that its seller guarantees will not be detected by antivirus applications at the time it's delivered – a guarantee that lasts only until antivirus vendors add a signature for the new build. Technical support is included in the deal.
If you need services, hire 'razorsasa' to churn out millions of pump-and-dump stock scam messages for $150 (£75) per million. And if you're not above using dirty tricks to beat an online competitor, a full day's worth of DDoS attacks costs just $100 (£50).
Those in the 'carding' business – that's where you rake in illicit earnings using stolen credit card numbers and financial account information – can use ID theft malware to pick up data dumps. Prices start at 20 cents per megabyte.
Whatever the purchase, the buyer typically contacts the vendor privately using an ICQ number, email or, in some cases, a private message sent through the forum. Money generally changes hands through online payment services such as e-gold or WebMoney, which are hard for investigators to trace.
Google points the way
It might seem that you'd have to be in the know to find the malware black market. But when Holt began his hunt for these sites, he didn't try for tips from people with dodgy connections. He did what we all do: he Googled.
After wading through a few pages of search results for terms such as bot, sale, dump and Trojan, Holt found some junk sites that had cut and pasted postings from other locations in the hope of catching unwary buyers – rippers, in other words. But those ripper sites eventually led him to the real action, where trusted forum administrators vet malware and rank sellers.
According to Holt, his team found sites in Vietnamese, Spanish, English, Chinese and Arabic. The most popular sites are in Russian. The team translates sites using a combination of automated and human translators.
Authorities no real threat
That variety of languages is one reason English-speaking authorities can't easily locate and shut down these forums, Holt says. It also takes time and skilled personnel to monitor and analyse posts. Holt's expert team has been at work on this for the better part of a year, which gives you an idea of the size of the task.
But there is reason for optimism. Holt shares his data with the authorities and there have been several successful operations against known black market sites. The US Secret Service got involved three years ago, tracking down such sites in Operation Firewall. This resulted in 28 arrests.
But just as a major bust can't be expected to dry up the drug trade, Operation Firewall didn't make much of a dent in the online black market. To the consternation of the authorities, other sites quickly popped up to replace those that were taken down. The business practices of the underground malware economy continue to evolve.