Attack exploit market spawns service economy

Malware writers sold more accessible, user-friendly toolkits to novice cybercriminals in 2010 at an average price of US$900, Symantec has reported.

The security vendor observed malware advertisements on underground IRC servers between 1 July 2009 and 30 June 2010.

Command and control toolkit ZeuS represented 65 percent of Symantec's sightings, and ranged in price from US$40 to US$4,000.

ZeuS stole sensitive information such as banking credentials and was distributed by networks of compromised computers called botnets.

Last March, Cisco researchers expected a ZeuS botnet that cost US$2,500 to set up to be capable of stealing US$415,000.

According to Symantec's Asia Pacific director of managed services Scott McCrady, a toolkit's profits depended on the type of data it managed to steal.

He expected credit card information to sell for between US$0.50 and US$2.00, and the market price of toolkits to directly reflect their usefulness.

"From what we've seen in the last five years, the underground community has evolved from a niche system to a supply and demand type of community," he told iTnews.

"Zeus seems to be the most usable toolkit we've seen in the past couple of years ... we know that it's successful because the pricing has been driven up."

Other observed toolkits included: El Fiesta for between US$100 and US$700; Eleonore from US$599 to US$1,000; Golod for $600 to $1,500; and Liberty for US$500.

There was even a service-based secondary economy, with attack kits like Mariposa priced from US$450 to US$1,400, depending on included features, and with post-purchase support packages of up to twelve months for US$520.

Some business-minded malware writers were also building their botnets through "pay-per-install" outsourcing networks, in which affiliates were paid for each successful installation of the malware.

Symantec speculated that many "work from home" schemes were based on people being paid to perform such tasks, often without realising that they were part of a potentially illegal operation.

Payment for each installation ranged from US$0.01 to more than US$1, with the CashInstaller Trojan pay-per-install program paying affiliates US$180 per 1,000 installations.

Highlighting a lack of global governance, McCrady did not expect law enforcement to sufficiently quash attacks and the maturing malware economy.

He suggested that users and organisations focus on "prevention" with security tools that detected and blocked malware attacks.