Cracking open the cybercrime economy - Via ZDNet UK:

"Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don't think we are really winning this war."

As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.

There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cyber-economy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.

It is difficult to establish exactly how organised this malware economy is but, according to David Marcus, security research manager, McAfee Avert Labs, it's relatively straightforward to buy not only the modules to build malware, but also the support services that go with it.

"From Trojan creation sites out of Germany and the Eastern bloc, you can purchase kits and support for malware in yearly contracts," says Marcus. "They present themselves as a cottage industry which sells tools or creation kits. It's hard to tell if it's a conspiracy or a bunch of autonomous individuals who are good at covering their tracks."

As well as kits and support, legions of compromised computers, or botnets, can be hired for nefarious purposes — usually for spam runs, or to perpetrate denial of service attacks. One of the most successful botnets of 2007 has been "Storm", so-called due to the hook-line used to trick victims into opening emails containing the Trojan. In January this year, the first malware was sent out with the tagline "230 dead as storm batters Europe".

The Storm botnet, estimated now to contain millions of compromised computers, has advanced defences. The servers that control the botnet use so-called fast-flux Domain Name System (DNS) techniques to constantly change their location and names, making them difficult to locate and shut down. And security researchers who have attempted to find the command and control servers have suffered denial of service attacks launched by the controllers of the botnet.

"Storm has been exceptionally successful," says McAfee's Marcus. "It's used for spam runs, and researchers attempting to locate Storm command and control servers have come under attack. The hardest part is finding the key to those channels. They're not always easy to detect and find. Some of the communications are encrypted, while some are difficult to detect from a network point of view. I hate to use the word evolution, but they're certainly learning from their successes and failures. If it weren't for Storm, bots would be in significant recession. Some days we're seeing 1,000 different variants a day."

(Read Original Article - Via ZDNet UK.)