The malware 'shadow economy'

Viruses, malware and online crime are evolving from the realm of geeks into a major shadow economy that closely mimics the real world.

Maksym Schipka, a senior architect at security firm MessageLabs, claims to have identified a sophisticated online black market with tens of thousands of participants.

This underground internet economy is worth over $105bn, making it bigger than the global drugs trade.

Collectively, online criminals are using the techniques of the free market to subvert and corrupt legitimate online business.

In his report Schipka lays out the basic workings of this system, comparing it to a normal high street experience.

As with high street stores, online crime breaks down into a series of specialised trades.

Malware writers first create new viruses, spyware, and Trojans to infect computers, but the majority do not distribute the code themselves.

In fact, they make great play of offering their software 'for educational purposes only' in the hope that this provides some immunity from prosecution.

The malware writers then sell this code for as little as $250 and customers can subscribe to updates for an extra $25 a month which ensures that the malware evades detection.

The middleman who buys malware from a programmer then typically uses the services of a botnet owner to spread it.

Once the malware has spread, the middleman can sit back and start to collect stolen information and stolen identities which are then sold on to make money.

According to Schipka's research, a full identity sells for around $5. This includes name and address, a passport or driving licence scan, credit card numbers and bank account details.

Credit card numbers sell for between two and five per cent of the remaining credit balance on the cards in questions.

As competition is stiff, identity thieves offer customers a high level of service. For example, people can buy identities sorted by a given country, industry, role or credit card sorted by remaining balance.

There are a range of other services offered within the shadow economy, including a system of guarantors and escrow accounts to help thieves make sure they are not ripped off themselves.

Another sign of growing sophistication is the continuous improvement in the quality of products on sale in the shadow economy.

Malware writers will offer guarantees that a given virus or Trojan will not be detected using current antivirus programs, and the malware author will supply a new version if vendors update their software.

The shadow economy has all the attributes of a traditional economy - division of labour, price competition, marketing etc - but accelerated to internet speed and carried out online.

Schipka warned that, while it is interesting to observe these classic economic principles at work, it suggests that malware is going to get more common and more virulent.

The researcher explained that many conventional antivirus programs rely on 'signatures' to detect malware and update their signature files as new malware comes to light.

However, this means that a signature can only be created after a new virus is in the wild and is attacking computers. Worse, malware authors can also download the signatures and test their creations against the latest updates.

Schipka's research suggests that malware authors can produce new unique malware every 45 seconds in order to keep it undetected.

With this in mind, Schipka recommends security program developers to use a combined signature-based and heuristic scanner to help maximise the strength of their products.

Posted in |

0 comments: