With special offers and volume discounts, the global market for criminal malware now operates like a supermarket.
According to Panda Software's latest quarterly report the going rate for a reasonably sophisticated but generic Trojan is between £175 and £350. An email list with which to target victims costs from £50 per million names. Malware writers even offer specials - in one case Panda discovered a site selling a 'payment capture' Trojan for £200 to the first 100 customers to sign up, a saving of £50 off the normal rate.
Panda is reluctant to hand over more details of the sites from which such offers were being made, but was willing to say that it considered Russia - an area with poor antimalware legislation - as a prime location for the malware industry.
"In recent months we have witnessed the growing professionalisation of digital crime," said Panda Software's lab chief Luis Corrons.
"The first step for cyber-crooks was when they started looking for profits from their activity instead of just notoriety. Now they are creating a vast online malware market, where there are even specialised segments. New business models are appearing, as we speak", he said.
According to Corrons, the malware industry now appears to be turning from being just a shop from which malware can be bought, to one where services are offered. For between $1 and $5 per executable, malware could be cloaked - encrypted - against the antivirus software programs it was likely to encounter on a for-hire basis. Finally, criminals could rent spam servers for £250 a time to distribute their assembled malware package, the company said.
Corrons also provides details of the cost of hiring DDoS attacks in his blog.
"This malware market is completely online. All types of creations and crimeware tools can be bought in hundreds of forums. Even though most web pages have been located in Eastern European countries, mafias extend their networks worldwide, he said.
"Although it may look difficult to find web pages where these tools are sold, it is not. All you have to do is search in browsers for forums where hacking services are rented or where Trojans are sold."
If using malware to attack users is so lucrative, why do some criminals choose to sell their expertise rather than exploit the programs themselves? This is a harder question to answer, but could have something to do with risk. Better a low-risk, lower return that is guaranteed than a high-risk, high-return one that is not.